Interestingly, technical components for information security are more or less available worldwide and standardized, while security policies, regulatory influences and general attitudes vary a great deal from country to country.
With terrorism concerns and cyberattack fears front-and-center for America's CEOs, increased attention is being paid to what U.S. firms can learn from security veterans in developed nations that have confronted imposing security challenges for decades. Understanding foreign laws, incorporating security into global trade procedures, and recognizing that security represents a worldwide effort are the key "lessons learned" from overseas.
The first requirement when thinking about a security policy is to adopt a worldwide perspective in IT management. In the U.S., corporate environments have been historically insular and North America-centric. Global knowledge is still not a make-or-break prerequisite for business leadership or for the ability to provide "global" solutions to organizations, and the value of overseas trade is measured in profitability, not in exchange of knowledge. Compartmentalized workers typically have specific responsibilities within specific realms, and little global perspective otherwise.
Progress is evident today, but old outlooks remain in place. There is a tendency to bury oneself in one's job and fail to recognize what is happening around it. When security, interoperability, stability and other attributes are simultaneously built into products by disparate parties, for example, the end result can be compromised. It is easy to forget that the challenges inherent to security - whether for borders, buildings or networks - are shared by others worldwide, and the study of outside methods can validate new thinking or prompt re-evaluation of the status quo.
Let's examine where the U.S. can learn from security practices in other countries.
Europe, at the dawn of technology's impact on business, became a catalyst for executives to understand the global nature of how businesses should run effectively and the requirements to support such initiatives. Initially, the U.K. was almost a microcosm of the U.S. and stood between America and the rest of Europe. The convergence of communities created a major problem - not unlike a merger of two companies. It forced businesses and people to take a different view of how businesses should work and how to achieve common goals.
Just as global businesses were coming to terms with these challenges, the rules changed - the Cold War came to an unforeseen end. Trade barriers were removed and a new level of understanding and knowledge gathering began. Travel and movement of people became second nature to everyone, and a broad understanding of how countries, political issues and cultures could exist together became a major requirement.
The security industry was not excluded from this process. Rules that governed one country did not apply to others. For example, France has banned the use of specific encryption measures on networks within its borders. How can security professionals react and keep up to date with the requirements for encryption - how can they secure communications? Before the E.U. became a central governing body, each country was responsible for its own standards, which had to be understood and worked with across borders (not unlike laws in America that vary from state to state). There were differences regarding privacy laws, digital signature laws and the like. Being able to work with cross-border or distance contracts was a common requirement for businesses to operate effectively - growth of knowledge and capabilities became a necessity.
The requirement to understand different rules, regulations, political differences and cultural differences within a very tight community forced Europeans to adapt to a global community. Of course, as the community changes regularly, new countries are incorporated, providing new challenges for business. New regulations that affect the daily workings of individuals and business have to be understood and implemented.
Security issues have always been a priority in the rest of the world, mainly because wars and skirmishes can start at any time. Regional economies and business infrastructures owe their survival to the proactive approach the rest of the world has taken. Specifically, Britain endured the reign of terror imposed by the IRA; the Middle East has always been at war, yet remains a hub of world commerce; all of Europe experienced the Cold War's front lines - only to witness reconciled East-West differences and the coming together of differing communities.
The U.S. must take further steps to promote business management from a world market perspective. Federal, state and local authorities must work in harmony to standardize and provide a measurable baseline of understanding.
What is there to learn from Europe? In summary, the U.S. population can gain from the experience beyond its own shores and value:
- Breadth of experience.
- Developing specialists in a broad range of subject matter.
- Getting accustomed to working with internationally accepted standards (not just technology-driven ones), setting a baseline that everyone understands: process and control.
- Gaining a more in-depth understanding of cultural and political differences around the world, particularly in countries where they have employees, customers or partners.
Smaller markets drive collaborative efforts - and therefore drive the need to employ those with deeper and broader experiences - creating a tendency to work better with partners.
The explosive growth of communications around the world - Internet, wireless, television, etc. - has extended access to many communities. This benefits all, and yet brings with it higher potential for abuse, terror and conflict as differences are highlighted and resolutions ignored. The U.S. has a significant role to play in this increasingly connected world.
In the realm of global security, which incorporates national security, the U.S. government and the private sector must now step above the political and cultural boundaries and understand the rest of the world. In addition to owning and operating vast infrastructures that the connected world takes for granted as capable and secure, the private sector's first-hand experience can assist in this endeavor and meet the requirements needed for an accurate and effective analysis of information security strategies.
Steve Crutchley is CSO of 4FrontSecurity Inc. (www.4frontsecurity.com).