SINGAPORE--Elements of Asian culture, such as a fear of failure, a tendency to follow checklists when it comes to IT security, and a preference for low cost over quality, are some of the hurdles organizations in the region must overcome to improve their security posture.
According to Paul Craig, team lead for penetration testing at Dimension Data, companies in the region are often afraid to fail, and this behavior extends into their security processes, which negatively affects their view of IT security.
Many security managers are incentivized to have a good security testing outcome, Craig pointed out during a session at RSA Conference Asia-Pacific 2013, here on Wednesday. For example, the key performance indicators (KPIs) and job progression of many security managers boil down to how many "mistakes" are found during security testing of their systems, so they try to reduce testing so that the number of findings in security reports is lower, he noted.
This behavior does not help improve companies' security posture because, by reducing the number of tests, they do not see the true state of their systems, he noted.
For example, the Monetary Authority of Singapore (MAS) states in its risk management guidelines that if a bank's system fails to function properly, the bank will be fined heavily, Craig pointed out.
This high risk leads to a decreased scope and limited testing in a very controlled IT security environment, he explained, which ends up as a "useless engagement".
Checklists, cost over quality mindset
Another aspect of Asian culture is the tendency to "rigidly follow processes", which ultimately leads to them "ticking off a checklist", Craig pointed out, adding that, as a result, security is often seen as a function of audit.
The danger in following checklists is that hackers do not follow them, so having one will not protect companies from them, he warned. Checklists are also often worded vaguely and are not updated as the IT security landscape evolves, he added.
Craig shared his experiences of dealing with Asian clients, noting that companies frequently tell him to strictly adhere to the "bullet points on the checklist". At the same time, these checklists are not updated and have been the same for several years, he noted.
Governments in Asia also tend to choose a security vendor based on low cost, which again boils down to the region's culture of thriftiness and saving money, he remarked.
For example, governments in the region frequently perform vendor selection through a bulk tender process, which makes the selection of a security vendor more price-driven than quality-driven, he noted.
Referring again to MAS's risk management guidelines, he noted the financial regulator takes an audit-based approach to security, as one of the guidelines states, "a methodology approved by senior management should set out how and what system testing should be conducted".
Another of its guidelines, for instance, calls for companies to "engage independent security specialists to assess the strengths and weaknesses" of their security systems, he added, noting that it was vague because the quality of the vendor is not mentioned.
Moving forward, companies in the region need to realize that security is not static like an audit process, Craig pointed out. Companies also should not be afraid of failing security reviews just to raise their KPIs and job progression, he added.
"Failing a security review should be [a company's] goal and shows value. Failing should make you happy," he said.