How to secure a company's Chinese development, part two

In the second part of this two-part series, we examine risk counter measures for an organization planning on doing part of its software development in China

By Michael S. Oberlaender

CSO |

In the first part of this article series, I explained the basic and foundational assumptions and the associated risk potential for a company (we called it WorldSoft) that is planning to do a big part of its software development in China. Now we look into the various counter measures at the different levels of the organization.

Potential counter measures at the organizational level

At the organizational level (that is people and policies), we can do the following:

The next organizational level is the process level where things are defined how they shall work, and how a company runs its business.At this level, a lot of improvements should be made, this is part of the "secret sauce" of any organization, and those most sustainable will have highly efficient and effective processes.One could argue that this still is all organizational, but on the other hand we strive to structure the approach in the best way and that is why I present it this way.

Potential counter measures at the process level (end-to-end process)

Now I describe how to best support these above organizational and process security controls by leveraging technology solutions in its best potential ways. Important is again that not one technical solution will solve all problems, but instead the useful integration of the various products with a well-thought-through architecture will support the intended security level.

[5 ways to create a collaborative risk management program]

Potential counter measures at the technological level

So far the potential solution options, as you can see, are manifold.

Differentiated but also integrated approach (Summary)

Based on the aforementioned options, it is best to prioritize the risks and compare the value at risk with the associated costs of mitigating controls. The combination of counter measures at the 3 different layers (people, process, technology) is best, therefore an integrated approach between risk & corporate security, legal, IT security, product security, cloud security, service and other units should be used.

What you don't measure you can't really manage, so a few KPI examples here:

Finally, the business aligned security strategy should be adapted based on the success of the measures and seen change in measurements. Hint: To get the necessary active support from management and employees, incorporate security into the(ir) annual performance goals.

Michael S. Oberlaender, MS, CISSP, CISM, CISA, CRISC, ACSE, GSNA is a subject matter expert on IT and security, and other related subjects. He is the author of C(I)SO - And Now What (CSO Online published an excerpt in March of this year) and has held positions such as CSO and CISO for several large global companies. While he is currently seeking a new professional challenge, he has researched this concept study in preparation for an interview with one of the largest software companies in the world. The material was created under his own copyright and therefore he is sharing this here with you in the intent to educate his fellow practitioners and also improve the security pasture of this particular industry. You can reach the author at michael.oberlaender@gmail.com or via LinkedIn.

Copyright © 2013 IDG Communications, Inc.