When security is a global undertaking, CSOs are subject to the murky legal requirements of multiple jurisdictions at once.
A good road trip always seems to include a stop at one of those places where you can stand in three or four states at the same time. So, it’s a wonder that data centres don’t sell tickets. After all, every computer on the Internet straddles hundreds of countries. This geographic side effect of networked technology is unappreciated by corporate planners, but security wonks know better. They know that the tangled skein of enterprise cabling foreshadows the legal snarls and ethical hairballs that will be coughed up in a security catfight.
When customers and employees are international, ethical ambiguities are compounded. The current war in Iraq has made it painfully obvious that American interests are not necessarily shared by others, even by those whom we consider “business-friendly”.
Unlike conventional crime, computer thuggery frequently reaches across territorial lines, often originating from countries where the act is not illegal. Using legal bandages to staunch such a security wound may be too little, too late. Businesses with trade secret sensitivities might want to consider less formal protection strategies such as white hat hackers.
Disjointed expectations of privacy mean more than a mismatch in confidentiality laws. There’s often a cultural skew. For instance, the requirement for opt-in in the European Union is more than a statute; it reflects the underlying sense of “fairness” in countries like France or Germany.
What can a globally conscious CSO do? Education always helps. Start by running cultural awareness seminars for security staff to minimise cultural misunderstandings. When training other employees, be clear when explaining the rules. Don’t appeal to patriotism or even laws. If it’s against corporate rules, it’s wrong — end of story.
Security policies must be readable in every relevant language. Clear translations are too important to trust to other groups in the company. Post your policies on your Web site in every language. (Don’t forget to translate units of measurement.) The policy should explain the company’s views without resorting to parochial laws or ethical bias. Or threats . . . avoid droning out punitive details like the ridiculous “warning” at the beginning of a videotape.
Make an arrangement with telephone translation services for simultaneous 800-number interpretation. If a problem comes up and you need to speak to a client and you can’t, it could be a lifesaver. While you’re at it, make sure that you have a clear translation of the word “security”. In some countries it is a euphemism for secret police.
Verify the pedigree of all legacy data in the enterprise and map it to the physical location of the servers. Working with legal, relocate the machines into friendly regulatory environments. Examine your vulnerabilities and tease out your recourse. Don’t rely on legal remedies for security succour; it’s expensive to prosecute in multiple countries, and evidence-gathering may prove impossible.
The biggest mental hurdle is accepting that global security is amoral, and the hardest part of the job is stripping nationalist bias out of routine procedure. Wrong is wrong; not because it’s evil, immoral or even illegal, but because it’s not in the company’s best interests. The pinnacle of paranoia is at the end of the climb for the worldly CSO. Being secure means trusting no one — not strategic partners, not employees, certainly not customers. Laws change and contracts are broken, but rules are timeless.
David Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the US Navy and an intelligence analyst at DEFSMAC.