US-based multinationals are facing increasingly complex security and compliance challenges. It may be that the way to tackle these is to adopt a more stringent attitude, and to push information security higher up the corporate agenda.
“From a business perspective, data sharing and data access permeates everything you want to do as a multinational”, says Kevin Bocek, director of product marketing at Thales Information Systems Security. “You want to share and co-ordinate and achieve economies of scale in your use of data.”
In terms of basic information security technologies and processes, operating across multiple territories doesn’t present many additional issues. The more intransigent problems revolve around the data itself.
“The big issue is knowing where the information is in the first place,” says Jon Geater, director of technical strategy, also at Thales. Understanding your IT security compliance requirements is going to be tricky, he says, “if you don’t know where the information has gone, who might have had access to it and where it might have resided. For the larger organization, and especially those operating across borders, there are issues of tracking your data, knowing where it lives and properly restricting access to it”.
| "If you look at the EU Data Protection Directive, PCI DSS, SOX or the ISO standards 27001 and 27002, they all require you you to have good governance in place." |
| John Linkous |
Increasing Complexity
This is an increasingly complex issue. “What happens is that funding is done by business units, and they’re having trouble funding these kinds of operations — to secure content and comply with regulatory pressures”, says Dave Bennet, CTO at Axway. “The complexity that occurs, and the silos that are created within these companies creates some challenges about how they fund the different mandates with which they have to comply”.
US companies may have a particularly difficult time dealing with the patchwork of information security regulations across multiple territories. The situation within the US is confused enough. For example, while Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) impose their own information security requirements at national and international levels, most data privacy legislation is being enacted state by state. Some states, such as Massachusetts, enforce stringent compliance; others have little or nothing in the way of privacy laws.
Some firms might be surprised by the raft of legislation they face when moving into new, overseas markets. John Linkous, security and compliance evangelist at eIQnetworks, points to the European Union’s (EU’s) well-established and continent-wide data privacy directives.
“That’s not something that we have a legislated equivalent here in the States”, he says. “You get a lot of US companies operating in the EU and one of the biggest issues they face is asking themselves, ‘to what degree do we implement those security and compliance standards?’”.
Linkous recalls how, in a previous job, the firm for which he worked was implementing monitoring software for desktop machines to ensure that employees were using the machines appropriately, that patches were installed, and so on. A team visiting from the company’s German arm was horrified by what they saw and pointed out that it couldn’t be used in their country. German privacy laws inhibit employers from monitoring certain aspects of usage of workstations.
“Companies are trying to look after their information, trying to comply with all kinds of different local regulations and mandates while also trying to maintain a coherent business”, says Geater. “Although your business might be operating out of the US, and you want shared technology and a streamlined international infrastructure, you still need to have clear lines of separation in data administration, and clear lines of responsibility.”
Uniform Policies
When contemplating this confusion of information security regulations, the question becomes, do you try to implement one-size-fits-all policies and technologies, implementing the same level of information security and privacy across the whole company? Or do you tackle each territory at a local level? The latter would involve developing and maintaining multiple sets of policies, which sounds like a recipe for disaster.
| "The big issue is knowing where the information is in the first place." |
| Jon Geater |
“It can be”, says Linkous, “What it really comes down to is the governance and management of those policies”. Problems arise when data crosses from one zone to another. Making sure this doesn’t create headaches means having everyone on board. “Legal, IT, human resources — all these people need to be working in concert to understand the impact of having different security policies across the enterprise.”
Given that the free flow of information is crucial to many businesses, having multiple policies in place, and potential restrictions on how that information can be passed around, could throttle an organization’s agility. But Linkous thinks there are more similarities than differences between information security compliance regulations.
“They’re all basically trying to do the same thing”, he says. “If you look at the EU Data Protection Directive, PCI DSS, SOX or the ISO standards 27001 and 27002, they all require you to have good governance in place, to monitor for certain activities on your networks, to have certain security controls, and so on. What you end up doing is implementing, as far as possible, a single set of controls.”
It is possible to come up with a ‘lowest common denominator’ approach that ticks enough boxes when it comes to information security compliance, so that it will work in most territories.
“What can make it difficult is if you try to take shortcuts”, says Geater. “It’s a lot harder to come up with a set of compensating controls that are acceptable to everybody who’s watching. You can either take a comprehensive route to securing absolutely everything and solving all the problems to the letter, or you can take a hybrid, practical approach where you identify your high-risk areas and concentrate on those, so it’s secure enough”.
Greatest Common Denominator
Another option is to take a ‘greatest common denominator’ approach to information security compliance: you take the most stringent set of regulations and gear your policies to that.
“No-one’s going to fail a security audit for being too secure”, says Geater, “assuming the thing is usable and understandable by its operators so that they don’t make mistakes”.
You can take this too far. Geater gives the example of the Personal Digital Signature requirements in Germany. Almost no other country (apart from Italy, which basically copied the German regulations) has such stringent requirements. So implementing infomration security policies that match German regulations across your whole organization may be excessively expensive and restrictive. Even with a greatest common denominator approach to information security compliance, you need to retain some local flexibility.
“You have to ask what is your business reason for doing this, and do you need information sharing across all countries or are they largely independent?” says Geater. “Asking everyone to comply with German digital signature level is maybe going too far, but it’s the right end of the scale to start with.”
| "Asking everyone to comply with German digital signature level is maybe going too far, but it's the right end of the scale to start with." |
| Jon Geater |
Raising CISO profile
If all of this sounds like a high-level strategic issue, that’s because it is, and it demands leadership at that level. However the information security and compliance issues are tackled — globally or locally — the direction and control need to be managed centrally.
“Companies that are more progressive do this as a corporate mandate and fund it from a corporate level”, says Bennet, “so they get out of the silo battles”.
Information security and compliance are clearly moving up the corporate agenda. “We see the CSO becoming more and more involved and having a bigger say in the infrastructure decisions and the business-level decisions”, says Kathryn Hughes, product-marketing director at Axway. “We’re also starting to see the evolution of a chief compliance officer whose mandate is to look at the external compliance initiatives they face as well as what are the right mandates internally. And there’s a strong marriage between those two roles.”
The chief compliance officer role is starting to amalgamate what were previously separate functions — a SOX manager, a Health Insurance Portability and Accountability Act (HIPAA) manager. It’s also a sign that this is a business issue, not purely an IT one.
“Information security and privacy need to be separated from technology operations”, says Linkous, “because it’s really not just about technology — it’s about IT, it’s about human resources policy, it’s about legal policy. The CISO or CSO really needs to be a board-level position that is given the same level of visibility across the organization as does legal, HR or the CFO”.
This is especially true in a multinational where consistency of strategies, policies and solutions are harder to enforce. There are still issues to address though, such as reporting processes across the international corporate structure. Organizational dynamics will play a large part in determining the success of this approach. And it’s also important that this elevation of the CISO/CSO role is seen as a benefit.
“At the moment, compliance, security, breach remediation — all these things happen, in some way, under duress”, says Geater. “It’s seen as a cost. Because it hasn’t been top of mind, high-level security thinking has tended to be reactive and so associated with negative thinking. What you need is a high level security function which is seen as a benefit, as protecting the company from experiencing the problems, saving company time and defending the company image. And that’s starting to emerge — seeing security as a proactive benefit.”