Panel discussion: Security conditions of the Asian countries (2nd part of the 2)

I understood that the level of understandings in the cultures and the IT literacy including security awareness is different among the countries. What kind of things do you keep in mind when you want your employees to realize the importance of the security rules and their adherence?

We explain about the working conditions when the employees first come to our company; however, we do not talk about the usage of the IT assets nor the security rules then. Instead, security education is offered on a regular basis by introducing various security incidents that had happened to raise their awareness.

It is important to explain that it's not just someone else's problem & that it can happen to them just as easy. Since the people here in Philippine tend to be easy-going, it is also important to have the awareness raising activities on a regular basis.

It's not a bad idea to create a document on the security issues and distribute it to the staffs. However, that won't be enough to have them fully understand the rules and the attitude they should have on security. It is more effective to offer educations on the security issues on a regular basis, even if each of the session is short.

Just like Philippine, we explain about the working conditions and such at first, but do not talk about the usage of IT assets nor the security rules. The most important element when making the security rules is the language. Some companies in Indonesia are adopting to use English as the main language of the company due to their globalization. But unlike Philippine where English is spoken throughout the country, Indonesia's level of English literacy is still low. Therefore, it is important to create the security rules using Indonesian. The sentences and the points should be made short and clear. It is also important to have the awareness raising activities on a regular basis.

Do you think the security tool used in Japan can simply be used the same way in your country? Are there any points we should be concerned about?

Most of the security incidents can be prevented in advance. I say this because most of the reasons for having incidents are due to not having anti-virus definition file updated or the software licenses being expired.

Not only Philippine, but the Southeast Asia countries in general do not take the preventive maintenance too seriously. The underlaying thinking is that incidents can be attended to on the spot when they actually do happen.

Recently, there are many products which work on the license basis called Unified Threat Management (UTM). The maintenance is included at the beginning when purchased; however, if the IT manager misses to renew the maintenance, then the UTM function stops which may lead to a security incident.

If any of the audiences think that your company is in this situation, we will happily make a quote for you. <grin>

I have the impression that the security incidents are attended to in a fast manner. It is common for many Japan Oriented Companies to ask for a very detailed report on the incident handling. However, the local staffs have a hard time understanding why they are being asked such excessive amount of information.

How about Philippine and Indonesia on this topic?

Philippine does not have a culture of making any documents so proactively to begin with. <laugh>

The reports are often made on verbal basis.

There may be some cases where a report is submitted, but they are kept to the minimum.

This is because by clarifying the point of responsibility in writing, people may feel we are just trying to find someone to point our finger to.

Wow, that's unbelievable.

In Japan, the most immediate action is mandated. So, the IT managers usually stay up the whole night to write a report, get it approved by the boss, and submit it to the customer by the following day of the incident. <laugh>

We do submit a report in writing when a security incident happens. However, the level of Japan Oriented Companies demand makes the Indonesian feel it is too much.

When a security incident is taken care of, Indonesians often focus only on the result and just report that the operation is back to normal. But the Japanese staffs want to determine the root cause of the issue and find countermeasures by requiring more information.

We of course understand the ways Japan Oriented Companies think, but the gap in the amount of information is inevitable between the head quarter office demand from Japan and the client/local staffs actually provide.

Do you think the security tool used in Japan can simply be used the same way in your country? Are there any points we should be concerned about?

Philippine products often have issues with the maintenance support rather than the hardware functions. The key point is whether the hardware stock is available or not in the country for a replacement. If no stocks are available, we must wait for days.

For IT and security related equipment, this situation is very critical. This is the biggest issue we have.

Many of the Japan specific products are made with too many functions and the language is in Japanese only.

Therefore, the local staff here often have a hard time handling them.

In general, we use global products which are often procurable locally in Indonesia.

The local distributors however do not always keep a large stock in the country, so we try to stock some spare units ourselves to handle when the incidents happen.

It used to be that the Japanese clients required to implement the same equipment installed in Japan to the overseas locations. But more recently, many say that locally procured products are fine to be used as the selection of the products widened.

Do you ever consider of transitioning to the cloud as a part of risk hedge of the procurement issues?

Business use cloud is not common in Philippine yet. This is because we do not have the stable Internet connections in the country.

It seems like Cloud-shift is expanding in Singapore.

There are more customers requesting cloud services in the past 2 years. This is due to the improvement we had in the Internet connection. File servers and such are more in demand for the sales staffs being outside of their office.

Our styles of work had dramatically changed due to COVID-19, so the ways the client companies think towards the cloud services also shifted.

Having said that however, the cloud services are dependent on the Internet. So, the services are still limited to the metropolitan area instead of the whole country.

Philippine is a country where the people here love their family very much. We are also very friendly.

I treat my employees like my family & that also leads to raise their security policy adherence.

I try not to force the security rules of Japan too much.

It is important to understand about the local staffs' backgrounds and build the trust relationships first.

Building a trusting relationship first is important.

Rather than forcing to apply the security rules of Japan, we must apply the rules the Indonesians can understand and relate to.

Just like how we say, "When in Rome, do as the Romans do", making behaviors based on the local culture is important to have a smooth relationship, even if the values may differ from your own.

The time here goes by slowly as this is a tropical island.

So, it is important to make friends at a pace of the locals.

I heard you've been in Indonesia for 8 years. Are you very localized now?<smile>

For now, I'm about 70% Indonesian. <laugh>

The language barrier is quite high. It took me 3 to 4 years to have a communication with the local staffs.

It is important to not force the security rules of Japan.

Recently, there are a lot of information on how we should tackle the overseas businesses. So, it seems like the Japanese clients are also starting to understand the differences.

I recognize the importance of communication.

I think the Japanese often speak based on the norms of Japan only & that makes the security policy adherence a challenge at the overseas locations.

UNIADEX & Netmarks have a long history of supporting various companies over at various countries.

We will be happy to make a catered advice based on our experiences and know-hows.

Please feel free to ask us for a consultation.