Tougher security laws turning biz to less developed countries

Increasing breaches companies also lead to more stringent rules, driving organizations to less regulated countries due to lower costs and ease of doing business, security observer reveals.
Written by Ellyne Phneah, Contributor

The rising burden of security regulations on companies may be resulting in businesses turning to countries with less developed countries with more lax rules, said an Information Security Forum (ISF) executive. He noted that that this was part of trends that he saw which included rising cost of compliance and need for transparency being a "no-win" situation.

Steve Durbin, ISF's global vice president, in an interview Friday with ZDNet Asia, said that there was a "huge burden" for organizations because of the costs of compliance and that the management have to rethink the way security is managed within the organization.

He cited that the European Union had implemented stringent guidelines that if organizations were breached, they were liable to pay 2 percent of their global revenue to governments.

That said, regulations in these developed nations can create business opportunities for less developed countries such as Brazil and Vietnam, Durbin pointed out. These countries are "more backward" in terms of IT developments, and as such, may have lower levels of regulations, he explained.

"Doing businesses in regulated countries brings about an additional cost and burden, so it will be more economical to transfer the business to a less regulated country," he surmised.

However, he noted that anyone who wants to do business in Asia must understand that it is a "regulatory minefield", because the region is a mix of developed and non-developing countries, and as such will have different regulations.

For example, Singapore will have strong regulations because it is advanced in terms of IT development, he pointed out. The Singapore government is also more aware of the impact of cyberattacks on public organizations and as such, are willing to come up with more regulations, he added.

On the other hand, developing Asian nations such as Vietnam or Thailand are less developed and governments would rather focus on "getting basics right" such as data storage, rather than the business impact of cybersecurity, Durbin said. As such, these countries will be less regulated, he added.

"Doing businesses in regulated countries bring about an additional cost and burden, so it will be more economical to transfer the business to a less regulated country."
-- Steve Durbin,
global vice president, Information Security Forum

"No-win"situation with regulations
With an increasing number of breaches on organizations, both governments and people are calling for organizations in their countries to be transparent about their security arrangements, Durbin warned.

Today there are many organizations providing services for governments and people, and everyone wants to know how their data is being managed and protected, he explained.

This will not be a "no-win" situation for organizations because if they declare their security arrangements, they not only raise their security profile, but also areas of weaknesses, he said.

On the other hand, it would seem like they are hiding something, if they did not disclose their security arrangements, he noted, remarking that "[they're] damn if they do and damn if [they] don't".

He reiterated that this boils down to the fact that IT security is no longer simply a technical issue, but a business one. Organizations must deeply consider how security is managed, and work with all levels of the business, not just the IT department, he advised.

For example, Durbin cited, with the need for transparency, organizations today must involved the public relations department with their security strategy and decide how much should be disclosed, as well as their legal advisors, on their business should function in light of tighter regulations.

Editorial standards