Perhaps the biggest indicator of an organization's willingness to accept risk is simply its willingness to outsource or otherwise partner with Chinese businesses. I recognize that it is common and there are a lot of good reasons for it - businesses are willing to accept a lot of risk in the face of large benefits. Every security professional should take note and adjust their own risk tolerance levels accordingly.
Why are you picking China, and not every BRIC country? Especially considering the news this week.
Posted by: George Hulme | January 08, 2009 at 08:22 PM
@George -
Primarily because China was in the article I was reading that sparked it, but more generally because it is the largest, most popular country for outsourcing with the largest, most active hacking community. At least in my opinion.
It is certainly reasonable to apply this thought process to the others as well.
Posted by: Pete | January 08, 2009 at 08:39 PM
I think you could more generically state it as applying to any company willing to outsource "core" functions to save costs in the short-term or tweak their balance sheets. Location is not relevant.
Consider, for example, HTC. They used to be strictly a contract manufacturer. Now they develop their own products using knowledge learned doing contract manufacturing.
Posted by: Chandler Howell | January 14, 2009 at 01:44 PM
@Chandler -
I mostly agree that outsourcing "core" (typically supply chain) functions is a key indicator of risk tolerance, but I believe location is relevant in the same way it matters to businesspeople - customs and legal environment matter quite a bit.
In addition, with China it seems to me that we have relevant information that suggests both industrial espionage and cybercrime are of higher risk there than in many other countries (including the U.S.). I would gladly change this opinion if shown evidence to the contrary.
Thanks,
Pete
Posted by: Pete | January 14, 2009 at 02:04 PM
True, but I would also argue that as soon as functions are outsourced, the risk goes up, regardless of location. Doing so in the BRIC countries probably aggravates that risk, however.
Of course, even in-house operations in those countries tend to have much higher incidences of information loss, giving us (optimistically) a qualitative risk grid of:
            | BRIC | non-BRIC |
In-house    |  M   |    L     |
Out-sourced |  H   |    M     |
(pardon the formatting)
So could we agree that, assuming typical levels of due care, BRIC is worse than non-BRIC and outsourced is worse than in-house from a risk perspective?
Posted by: Chandler Howell | January 14, 2009 at 04:18 PM
@Chandler -
"So could we agree that, assuming typical levels of due care, BRIC is worse than non-BRIC and outsourced is worse than in-house from a risk perspective?"
I don't think so. I don't think it is reasonable to use BRIC as some sort of arbitrary grouping for risk management purposes, and I believe two of the four have much more significant threat aspects to them.
Outsourced vs. in-house risk is pretty "cloudy" as well ;-). I think the risk of insider abuse (insider = administrator with access to data) probably rises; but external risks could be reduced.
Posted by: Pete | January 16, 2009 at 02:09 PM