A CSO’s Guide to the World

I’m usually not one who gets into bumper sticker logic, but I like the idea of a CSO acting globally but thinking locally. By that I mean a CSO needs to devise and enforce global security policies, but also put some thought into how those policies will be implemented locally around the world. Otherwise, variations in national customs and culture can short-circuit even the most well-intentioned security policies.

I found that out the hard way, when I once tried to standardize the global procedures for the forms of identification that visitors to our facilities had to show. Based on my experience in the ol’ U.S. of A., I thought that a policy requiring a driver’s license, government-issued picture ID or passport would be sufficient. Surely most visitorsno matter the countrywould have at least one of these forms of identification. Not so. In Tokyo, some visitors never carry government-issued picture ID cards. Not only that, but the Japanese routinely rely on business cards as a means of identifying themselves. This custom works very well within the culture of the Japanese business world, because it would be unthinkable for someone to print a false business card.

The last time I checked, al-Qaida was not listed in the Japanese business directory. This procedure would never do. After much discussion with the Japanese security guards and the receptionists, I compromised and altered the policy so that if a government-issued picture ID was not available, then business cards could be used to identify visitors. However, those visitors were not allowed into the building until the employees who they wished to see came to the lobby and physically escorted them inside. The policy thus adhered to local business customs without compromising security.

Then there was the issue of the guard force. Security guards in Japan are taught to be deferential toward visitors, and it is actually illegal for them to use force or try to restrain people in any way. I discovered this when I did a penetration test on the physical security of my company’s Tokyo office. I pretended to be someone off the street and then sneaked past the guards and into the building. As the guards spotted me, they called out “sumimasen, sumimasen” (excuse me, excuse me), but when I didn’t stop, they remained at their posts and took no further action. Needless to say, we retrained the guards to react by keeping contact with the intruder and simultaneously reporting the intrusion to police.

World Culture

Of the countries where I’ve been responsible for security, Japan easily has the most trusting societyso much so that I simultaneously admire them and fear for their safety. But it wasn’t the only country where I had something to learn. Many other cultures, while considerably less trusting than the Japanese, have markedly different views of security than our own.

In China and Singapore, for example, civil liberties are not considered sacrosanct, and law enforcement will not hesitate to arrest and indefinitely imprison, without trial, people who are suspected of being terrorists. In Indonesia, following several high-profile bombings from an al-Qaida-linked group called Jemaah Islamiyah, the security in office buildings has been beefed up to levels far surpassing those of most American and European companies. Guards can carry automatic weapons, and all visitors are searched and must pass through metal detectors. Yes, the guards are very professional and thorough, but the process can be quite disconcerting to a Western visitor. Given the bombing of the Jakarta Marriott hotel in 2003 and the Indonesian government’s terrorist warnings this year, though, most visitors fully understand the threat driving the increased security.

While Australia is much less militant, there I found the local police to be much more involved in antiterrorism programs with local building security guards than almost any other country where I’ve worked. I’m not sure why. Perhaps it is because most of Australia’s population is located in six major cities, making coordination easier.

Europe’s history raises its own set of issues. Citizens there tend to have much stricter notions of privacy than Americans, probably because Europeans suffered through the abuses of Nazi and Communist regimes and therefore have higher standards for how personal data can be collected and for what purpose. To be sure, most Americans value privacy, but they also view themselves as a nation of business. They are therefore more ready to compromise privacy in the interest of business or security. The recent disagreements between the United States and the European Union over the sharing of airline passenger data is one example illustrating this difference.

Different cultural attitudes, of course, translate into different regulatory environments. In Europe, both information and physical security are very much influenced by a privacy regulation known as the European Data Protection Act (DPA). Most Americans are under the impression that in Europe there is only one DPA, but that’s not the entire story. Under European Union laws, the European Commission and European Parliament pass legislation such as the DPA, but it is then up to the member states to enact national legislation that implements, and does not conflict with, the overarching EU legislation. The member states are also tasked with enforcing their own national DPA. As a result, regulations and their enforcement can vary widely.

Case in point: In Sweden, businesses cannot use security cameras to monitor employee performance. (For example, there’s no fair firing of someone caught on video sleeping.) Businesses also must complete forms detailing where the camera’s information is stored, for what purposes it is used, and how and when it will be destroyed.

Asian countries have typically passed legislation that is very close in nature to the EU’s Data Protection Act. However, enforcement of the laws can vary widely. Japan, Hong Kong, Singapore and Australia all have DPA laws on the books, but I’ve found that companies are very rarely taken to task for violating those regulations.

No Standard for Standards

Outside of data protection issues, there tend to be far fewer differences in information security, primarily because there are few differences in technical systems. After all, a Windows 2003 server in one country is just about the same as in any other. Where I did find differences, though, is in the method of implementing an information security program. Europeans are much more likely to follow an international standard than are Americans.

I’m sure an entire book could be written about this phenomenon, but it probably stems from the fact that Europe is composed of many countries that, historically, have had to cooperate in order to ensure that their technical systems worked with one another. The telegraph and gauge of railroad tracks are two examples of European nations agreeing on and building a common standard. If they hadn’t, then imagine having to stop at each border and board a different train.

Americans, by contrast, tend to view themselves as rugged individualists. We often place priority on getting to market. Just think back to the introduction of video cassette recorders. In the late 1970s and early 1980s, there were two competing standards, VHS and Betamax. Rather than compromise on a common standard, American companies slugged it out in the marketplace. Eventually, VHS gained the upper hand, and Betamax died outah, American Darwinian capitalism at its finest.

In the field of information security, these cultural differences play themselves out with Europeans being much stronger proponents of ISO 17799 than are Americans. If an American company goes for any type of third-party certification, it is more likely to be a Statement on Auditing Standards (SAS) 70. Unlike ISO 17799, however, the SAS 70 is not a “best practices” standard. Instead, it documents the controls in place that satisfy the company’s internal control objectives. The company defines its own control objectives, and the auditor checks to see if the controls the company has implemented are sufficient to achieve its objectives. Once again, we see the American practice of “going it your own way.”

A Difference of Control

The major cultural differences in information security that I have seen between Asian countries and Western countries arises over the documentation of controls. Many times, I have met with my Asian counterparts to go over the controls they have in place. Yet, upon auditing the systems, I will find major discrepancies between what is written and what is actually implemented.

I can only ascribe this difference to the practice of “saving face,” which is prevalent in the Chinese and Japanese cultures. Japanese and Chinese IT professionals are sometimes so eager to please me, the global CSO, that they tell me what they think I want to hear rather than bring up actual problems. It takes some time to read between the subtleties of language and the culture of maintaining respect.

After discussing the issue with several of my Japanese and Chinese IT colleagues, I found that the best way is to encourage participants to practice self-examination (that is, criticize themselves but not colleagues) and seek ways upon which their job performance might be improved. Also, I publicly praise the groups when they bring up problems and propose solutions. This way, I make it clear that I welcome critical analysis and am not just looking to hear that everything is going swimmingly well.

A global CSO who assumes that his native country’s cultural norms apply to his foreign offices will quickly learn that they do not translate well. Instead, it is best to cultivate close relationships with individuals around the world and to listen to their advice. If a CSO understands a culture and trusts the professionals working in that culture, he will find it easier to implement policies that meet the spirit of the company’s control objectives, and that hold true the world over.