What are the challenges we face today? Let's go back around 3,000 years. People grouped together to establish communities and elected a leader to lead them. A great leader is one who knows the right way, leads the right way and shows the right way, and people follow. The leader would then sell the idea of building a wall to protect the citizens, a castle for the government, a keep to store food, and an army to defend the people and the wealth of the community. Everyone within the wall had responsibilities and duties to protect the assets and wealth of the community, including their own. A community could not survive by itself; it needed to trade with other communities for goods and services. Each community needed to protect its own businesses and trade secrets, so sharing that information would have degraded its livelihood or business. To protect the community's way of life, the leader and the council would create the rule of law or a constitution, not only for law and order but primarily to protect life and assets.
Approximately 70 BC: silk production already had a long and colorful history that was unknown to Western civilization. For centuries the West knew very little about silk and the people who made it, and for more than 2,000 years the Chinese kept the secret to themselves. It was the most closely guarded secret in history. In spite of their secrecy, however, the Chinese were destined to lose their monopoly on silk production. Approximately 200 BC, Chinese immigrants brought silk to Korea, and around 300 AD silk reached the West through India.
Approximately AD 550, two Nestorian monks appeared at the Byzantine Emperor Justinian's court with silkworm eggs hidden in their hollow bamboo staves. Under their supervision the eggs hatched into worms, and the worms spun cocoons. Byzantium was in the silk business at last. The Byzantine church and state created imperial workshops, monopolizing production and keeping the secret to themselves. This allowed a silk industry to be established in the Middle East, undercutting the market for ordinary-grade Chinese silk. However, high-quality silk textiles, woven in China especially for the Middle Eastern market, continued to bring high prices in the West, and trade along the Silk Road therefore continued as before. By the sixth century the Persians, too, had mastered the art of silk weaving, developing their own rich patterns and techniques. It was only in the 13th century, the time of the Second Crusade, that Italy began silk production with the introduction of 2,000 skilled silk weavers from Constantinople. Eventually silk production became widespread in Europe.
Bear with me. Like the Chinese with silk, for most if not all organizations trade secrets are fundamental building blocks that drive business growth, investment and innovation. In the last 20 years or so, the theft of trade secrets, often through cyber-enabled means, has become an important issue for many countries and industrial economies.
Protecting trade secrets is critical for the continued profitability and financial security of businesses around the world. In recent years, private and public sector organizations, among them universities, industry associations, think tanks and government agencies, have studied this issue in depth. Some of that work touches on broader economic issues (e.g., national-level estimates of trade secret theft); however, it primarily focuses on a framework for an individual organization to:
- Apply a risk-based approach to identify and prioritize their trade secret assets;
- Analyze the direct and indirect economic losses attributable to a trade secret theft;
- Understand the types of threat actors and how they may seek to inflict economic harm, as well as how those actors align with the company’s vulnerabilities;
- Develop new strategies to safeguard the investment underpinning future trade secrets and mitigate the potential economic losses attributable to trade secret theft; and
- Develop return-on-investment guidelines for implementing measures to improve trade secret protection internally and in the supply chain.
What are trade secrets? The U.S. statutory definition (Economic Espionage Act, 18 U.S.C. § 1839(3)) covers all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, analyses, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public. Note clause (A): the legal protection exists only if the owner has actually taken reasonable measures to keep the information secret, so the information security program is not just a cost of doing business but part of what gives the asset its legal standing.
It makes perfect sense to protect an organization's trade secrets; losing them, as the Chinese lost the secret of silk, can make or break an organization.
In my last insights, "The Future of Technology, Privacy, Security and Risks", I tried to offer a sensible point of view on today's challenges, on IT Governance and its relationship to the Internet of Things (IoT) and to governance in general. I made the assumption that having IT Governance skills alone is not enough. I'm not saying they are a bad thing, but you also need to understand the driving force: the shareholders, the stakeholders, the business strategies, management, governance and culture. I don't want to be biased against Information Security Professionals, but what really makes sense when you're dealing with business-minded executives? Yes, you heard me right, the keyword is "Business". At the end of the day, it's about business and profit. Governance practices were conceptualized to protect the interests of stakeholders and their profits. Put yourself in their shoes and tell me honestly if I'm right. Of course you'll say I'm right: no businessman wants to lose money and fail to "protect" his investment. By now you probably know what I'm talking about: "Protect the Business".
For those who are not Information Security Practitioners: in the principles published by the Information Security Forum, or ISF (securityforum.org), and the Information Systems Audit and Control Association, or ISACA (isaca.org), the first principle is "Support the business" and the second is "Defend the business". To some of us it's pretty obvious why we need to protect the business, not only from the stakeholders' perspective but for the entire organization. The first challenge we need to face is the difference between Governance and Management. Believe it or not, some of the executives I've worked with have difficulty distinguishing between the two.
Governance is the strategic task of setting the organization's goals, direction, limitations and accountability frameworks, while Management is the allocation of resources and the oversight of the day-to-day operations of the organization. So Governance usually answers the "WHAT" while Management answers the "HOW". Now that that's out of the way, we can really start discussing the following challenges:
- Enterprise Governance or Corporate Governance (CG);
- Enterprise Risk Management (ERM);
- IT Governance (ITG);
- Information Security Governance (ISG); and
- Change Management (CM).
The biggest question probably lingering in your mind is what these have to do with Information Security Executives or Professionals, and why we need to understand and be concerned about them. Well, I don't have a simple answer, but maybe we can break it down into small and sensible pieces so that we understand the relationships and the boundaries. We will try to answer some of those questions and offer insights.
I have almost 20 years of IT experience ranging from Systems Development, Application Development, Systems Analysis and Design, Project Management, Network Architecture and Design, Security Architecture and Operations, to Security Governance and Management. That experience, a mile deep and twenty miles wide, made me realize that Information Security is not a technical issue but a business concern. As an executive or professional, I have to work with both technical and business folks across a broad scope and spectrum. At the beginning, I was content with my mastery of the Information Security Management System (ISMS, the ISO/IEC 27000 series), the National Institute of Standards and Technology (NIST) publications and the SANS Institute (Escal Institute of Advanced Technologies) material, but it wasn't enough. I remember my first ever meeting with the Executive Committee about adopting a Security Compliance and Risk Program: my first taste of executive heat and unrelenting business questions, especially since the risk-based approach wasn't yet popular in the organization I worked with. I can't blame them; their concept of compliance and risk was very different from what it is today. The executives were only familiar with complying with insurance requirements. Selling these new ideas to them was a tough sell, and for them it meant an additional layer of resources and processes. I don't blame them for scrutinizing me and the process I was proposing, nor do I blame myself for trying. After that experience I realized I had bitten off more than I could chew, and that my understanding of the business was limited. So I decided to gain more knowledge and understand business process, management and governance.
To cut a long story short, I educated myself and equipped myself with new skills. I'm not trying to confuse you; I'm just trying to paint the bigger picture and the reality we face as professionals in general. Some of you may agree with me that some executives (so far, among those I have encountered and worked with) don't even have a clue what they are trying to do. Some executives have lengthy Operational Management (OM) experience but are short on Strategic Management. Some rose from technical to strategic positions, and are open to fresh ideas and seek to understand new ideas and concepts. Some seek recommendations from technology analysts (e.g., Gartner). Some rely on vendor recommendations and/or on other executives in other industries. The worst of them all is the one who pretends to be a technical or business executive, twists known terms or industry standards, or pretends to understand them.
It's our job to sell the program, vision, mission, direction and strategic plans to our stakeholders, but the biggest question probably on your mind is: given the worst executives described above, how can we sell? To be honest, there's no straight answer, but you have to remember that you are not solving technology issues but business risks: strategic risk, financial risk, operational risk, compliance risk and reputational risk. As for the technically savvy executive with a bit of experience implementing technology-related projects but not much in CG, ERM, ITG, ISG and CM, or the executive with no technical background who pretends to be an expert: believe me, it's not easy to teach old dogs new tricks, and it is a waste of time.
Where does CG start? To be honest, it starts from the top, not from the middle or the bottom. What drives CG? Usually, it's regulatory compliance, the market, and the company's desire to be number one or to get ahead of the market. In an enterprise the only permanent thing is the continuous wish to innovate and improve; I think that's the greatest driver for an enterprise.
What is Corporate Governance?
“Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.” – G20/OECD Principles of Corporate Governance
Corporate Governance is the set of accountabilities, processes, structures and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organization's resources are used responsibly. A major obstacle in governance is ensuring that the governing body and managers are able to delineate their different responsibilities. "Governance" is the strategic task of setting the organization's goals, direction, limitations and accountability frameworks. "Management" is the allocation of resources and the oversight of the day-to-day operations of the organization. One way to think about this is that Governance determines the "What?": what the organization does and what it should become in the future. Management determines the "How?": how the organization will reach those goals and aspirations.
Understanding the differences between Governance and Management
The governing body must govern; that is, it must provide leadership and strategy and must focus on the 'big picture'. Governance is about planning the framework for work and ensuring it is done. As such, it is distinct from management (organizing the work) and operations (doing the work). As far as possible, the governing body should therefore steer clear of making managerial decisions and getting involved in the day-to-day implementation of strategy. This is easier said than done. The lines between governance, management and operations are easily blurred, as they are of course closely interrelated.
Adopting new technologies like IoT, Big Data, Mobile Computing and Cloud Computing, together with Information Security, is still today's set of buzzwords; they can be hard to separate from each other and they need to intersect with the governance concepts above. Most companies have different perceptions of what to include under each term. The terms are often used together, they may overlap, and the definitions of these concepts are used inconsistently within most enterprises.
In most organizations, the adoption of CG, ERM, ITG, ISG and CM is newly developed or under redevelopment, which calls for an investigation of how they are implemented. Information technology and systems are already critical to business success, and technology evolves at an increasing pace. To be successful in the modern business world, an organization must support consistent decision-making and drive cultural change. Today's business world is fast-paced, internet-enabled and changing, and organizations need to adapt to the changing environment.
In these posts, I will try to offer insights and meet the challenges of the problem definition as well as I can. These concepts are interrelated within any organization, but I have tried to shed light on clear definitions, differences and the overall structure of the concepts.
My personal goals for this series of insights are as follows:
- Define perceptions of Corporate Governance, Enterprise Risk Management, Enterprise Architecture, IT Governance, Information Security Governance and Change Management, and the connections between them.
- Define and structure common organizational implementations of Corporate Governance, Enterprise Risk Management, Enterprise Architecture, IT Governance, Information Security Governance and Change Management, and the important related concepts, governance mechanisms and infrastructures.
- Define the connections between the relevant concepts.
- Research awareness of the concepts of Corporate Governance, Enterprise Risk Management, Enterprise Architecture, IT Governance, Information Security Governance and Change Management.
- Discuss common organizational implementations of Corporate Governance, Enterprise Risk Management, Enterprise Architecture, IT Governance, Information Security Governance and Change Management, with a focus on the frameworks used and the interaction between the concepts. Discuss possible weaknesses and inconsistencies that implementations of the relevant concepts might reflect, and suggest improvements.
- end of Part 1 of 7 –