Is your culture interfering with data security?

Eric Vanderburg
Global expansion is now easy and common, so security leaders must understand how to implement security across a global organization without creating weak points that attackers can target or that become sources of data breaches. Our natural inclination is to plan based on the culture we know and the experiences we have had, but global security leadership requires a bit more thought in order to be effective.

Global business

Business is global. This isn’t new, nor is it surprising that cultural differences, international laws, and workplace practices vary around the world. Businesses have long sought to harness the strengths of particular cultures and, in other situations, to transplant the culture and values of the company’s home country onto a global labor force.

For example, a company with sites in Italy or Japan may have trouble being notified of security issues because of Italy’s “bella figura” or Japan’s “mentsu,” both concepts of keeping face. Employees in those countries may withhold the information out of concern that it would shame their global counterparts. In such cases, the parent organization may try to impress the value of open communication upon employees from those countries. On the other hand, a company might open research and development offices in Switzerland, Finland, or Singapore because of their strong intellectual property protections.

To manage security effectively around the world, an enterprise-wide security program should consider how security controls will work in different cultures, differences in legal and regulatory requirements, how company property is viewed, limits on encryption, and language barriers.

Security programs can be more or less effective in different cultures, so it is important to gather support and feedback not only from top management but also from leaders in regional centers with differing cultures. For example, dividing an office into separate security zones, each requiring authentication, may be well received in Western countries such as the United States, while employees in Eastern countries such as Japan may find it rude and a sign of distrust. Similarly, perceptions and priorities of security may differ between countries, as shown in this global security survey.

Legal and regulatory requirements

Another important global difference is legal and regulatory requirements. The European Union’s privacy laws differ greatly from those of the United States, so a security program will need to ensure that the requirements of each country’s laws are met while still maintaining at least the organization’s defined minimum standard of security. Employees from multiple regions working on a single project or on the same data will need to follow the appropriate procedures for each jurisdiction to ensure they remain in compliance.

Incident handling procedures

An organization’s response to incidents, and its transparency in handling them, is tied to legal and regulatory requirements but also affects the company’s brand image. Different cultures may not share the same definition of what constitutes an incident, or communication channels may differ in ways that keep incidents from being reported in a timely manner. Global organizations need to provide consistent training so that incidents are properly categorized as incidents and reported through the established channels. Document any acceptable regional differences in the incident response plan.

Global property definitions

Global organizations house data in locations around the world, but not all countries share the same definition of company property. If sensitive data is housed in a facility that is seized or breached by the government of the country in which that site resides, private customer data or sensitive organizational data may be lost or disclosed. For this reason, organizations should take special care to house data in countries that protect business property and information.

Data encryption limitations

A global organization regularly transmits data between sites in different countries, but some countries limit the strength of encryption that may be used on international transmissions. In some cases, these limits present an unacceptable risk of data disclosure. In such cases, data may need to stay within a specific region, or some data may have to be made unavailable in certain areas.

Language barriers

The last consideration is probably the most obvious. Language barriers can cause difficulties if security procedures and policies are misunderstood in another country. Furthermore, incident response coordination becomes harder when communication is slowed by language barriers. Incident response plans should specify how communication will be handled between countries with different languages so that information is shared effectively, and policies and procedures should be reviewed after translation to ensure that their meaning has not changed.

The key to an effective enterprise-wide security program is establishing and enforcing a minimum standard for security that is implemented at every site, regardless of its location. Document this standard in the incident response plan. Global business is more complex, but with a little more thought you can save yourself and your organization many security headaches down the road. Make sure that your security is expanding with your business.