Just five years ago, information security in the Asia Pacific region was simply another job function to most IT people.
Today it is an entire industry, with companies spending as much as 10 percent of their annual IT budgets on security.
Previously, information security was mostly related to physical security, application change control and systems administration. These functions were usually carried out by a small group of data processing practitioners - security was not a full-time discipline. Security was not specifically mentioned in their job descriptions, and often they had other job duties such as system and technical support.
The process of change was painful and slow, but it has finally arrived. Today, almost every large company has a dedicated professional (or position to fill) for handling information security issues. Even for medium-sized enterprises, IT managers are given the authority to contract with outside security consultants to address their organization's information security requirements.
Contributing to this growing awareness of information security concerns in Asia Pacific is a corresponding incidence of cybercrime. In Hong Kong, for example, cybercrimes, including hacker attacks, criminal damage, online shopping fraud and online bank theft, accounted for 317 cases in 1999 and 368 cases in 2000, resulting in millions of dollars of losses. Although the actual number dropped by almost one-third in 2001, the number of online banking and shopping fraud cases increased. This sounded alarms for many individuals and organizations. Not only did many companies and government organizations increase their head count for information security personnel, but they also increased the budgets for security-related projects.
With security positions and job functions growing, the ranks of infosec professionals have become a significant part of the general IT work force. According to statistics collected in Asian countries, the number of certified information systems security professionals (CISSPs), for instance, grew from 65 in 2000 to 661 by the end of 2001. Of those 661, 287 were in Hong Kong, the largest number of CISSPs of any city outside the United States. Korea has the second-largest number of CISSPs with 193, and Singapore has 61. The Asia Pacific region experienced the greatest growth of infosec professionals and practitioners in the world last year, with Hong Kong, Korea and Singapore leading the region.
The Changing Security Landscape
Although larger Asian organizations have fully understood the security problem, many mid-sized firms continue to hire security officers simply to buy security tools and install them. The problem is that most of these companies have implemented some security solutions, but very few of them know what they are doing or whether their defenses are effective.
In these businesses, the decision-making process for implementing security is often based upon minimally reducing the risk involved. For example, management generally believes a firewall is installed to protect against intruders from the Internet, and that system scanners are used when there is a need to satisfy a corporate audit of its computer systems. However, what's not clearly understood is that these safeguards become obsolete as soon as a firm's business changes direction and incorporates new applications.
Trained information security professionals realize that this fragmented, symptomatic-relief approach to problem solving does not work. Solutions based on this approach are not only short-lived, but they usually address the security requirements of just a few groups within the company. Security solutions should be designed to help the company reach its business objectives. Security solutions that only address specific threats will cost an organization more in the long run.
Infosec professionals in Asia are constantly educating these businesses that a comprehensive security policy should be developed to give guidance for management and general staff to implement the level of security the organization needs. Specific security technologies such as firewalls, VPN, intrusion detection systems, content inspection, etc., and other automated tools can then be implemented to achieve the goals and objectives of corporate security policy and mission statements. Only with such an approach can an organization's business objectives and security requirements be synchronized.
Security Certification in Asia
With the counsel of information security professionals, executives of many large private and public enterprises in Asia have recognized these values. That is why the demand for professional certifications surged nearly 1,000 percent between 2000 and 2001.
These employers see the importance of a professional certification in information security not only to qualify an individual for his/her experience and knowledge in infosec, but also to provide reassurance of the high ethical standards of the infosec candidate.
The next group to educate in Asia regarding certification is smaller, medium-sized firms. They must learn that a certified individual such as a CISSP can help top management understand the needs and visualize the benefits of information security. That individual should help the company achieve the business objectives of the organization using appropriate security tools. These certified individuals are not expected to personally implement every solution that they select or recommend. They should have sound knowledge to select the right tools and solutions and be able to manage qualified individuals to implement solutions.
The Asia-Pacific market is still at the early development phase, despite the fact that it is experiencing the fastest growth rate in the world. In light of this, (ISC)² opened an Asia-Pacific headquarters in Hong Kong in January 2002. The new office will be responsible for working with partners to host training and examination events throughout the Asia-Pacific region. A training and exam schedule is currently being developed by the Hong Kong office. (ISC)² plans to more than double the number of CISSPs in Asia by the end of 2002.
Chester Soong, CISSP, is director of certification services for the Asia Pacific region at (ISC)² (www.isc2.org).