Information security as a business enabler

Information security technology is no longer merely a tool to protect the business; it has become part of business strategy. Customer data privacy policies and two-factor authentication for online banking services are just some of the security strategies that protect customers and enable today's businesses.

At a recent panel discussion during the 3rd Symposium on Risk Management organized by Kornerstone, Hong Kong IT leaders shared their business strategies that are enabled by information security technologies and policies.

Gauging public sentiment for physical security

For politically sensitive organizations like the Legislative Council (LegCo), the use of technology is significant in ensuring smooth operation, particularly during the discussion of controversial topics, according to legislator Charles Mok.

In addition to the LegCo mobile app that provides transparency and enhances public access to the council meetings, Mok said the LegCo also integrates cyber security technologies with its physical security strategy.

To allocate adequate physical security resources and ensure smooth operation of LegCo meetings, particularly during the discussion of controversial topics, the LegCo board monitors social media and online discussion forums to gauge the aggressiveness of demonstrators.

"Physical security and cyber security are very much related and integrated," he said. "The online and social media network discussion brings a very accurate indication on the reactions [of the demonstrators]."

Regulations driving opportunities

Although regulators or compliance requirements are often regarded as a challenge for business development, they also offer opportunities for the banking and finance sector.

"I must command the regulator like Hong Kong Monetary Authority (HKMA) as they are very heavy handed in terms of security," said Michael Leung, COO & CIO of China CITIC Bank. "If I need any resources [for security investment], I simply need to call up our auditor or compliance officer and things get done."

Leung said the heavily regulated market enables IT to easily gain management endorsement and capital for cybersecurity investment.

In addition, he said HKMA is also working closely with the banking industry to endorse and foster the development of mobile payment and virtual checks. Through developing policies and guidelines in these areas, HKMA is creating opportunities for banks and financial institutions.

"HKMA is beginning to understand the need to catch up in areas like mobile payment with the recent endorsement of the JETCO mobile payment initiative," said Leung. "If e-checks get launched next year, we will be one of the earlier markets, if not the first, in the world to launch the virtual checks."

"I'm very enthusiastic about these technologies from a user perspective," added Henk ten Bos, CIO of Ageas Hong Kong. He pointed in particular to the potential of these technologies to bring operational efficiencies to the company.

Ten Bos said paper checks were abandoned in the Netherlands 15 years ago with the introduction of the euro. He was "shocked" to find that paper checks were widely used in the region when he first moved to Asia eight years ago.

"I'm really looking forward to the day that we can get rid of the paper checks," he said. "All these technologies present good opportunities if you manage the change well."

Cloud and un-cloud

Leung added that HKMA has also recently released new guidelines on the use of public cloud computing services, which were previously banned outright. These clear guidelines provide direction and flexibility for banks and financial institutions to operate more effectively.

According to Leung, the guidelines clearly define the types of data that are banned outright from public cloud services, instead of applying a blanket policy that prohibits all banking-related information in the cloud.

The guidelines state that mission-critical systems and sensitive data, particularly personal data, should not reside in the cloud in clear form. Banks that adopt public cloud services are also required to identify the location of the data and servers.

"I'm very pleased with it, I've been waiting for such guidelines for years," he said.

But the concerns over cloud computing among Hong Kong IT leaders extend beyond the level of security offered by their providers.

"I don't think the security measures from any of the cloud providers will be worse than your shop, because it is their bread and butter," added Ted Suen, head of IT at MTRC. "But if I put something on the cloud and I want to come back to the ground, can I do that?"

Suen said his major concern was the exit strategy when engaging with cloud computing. China CITIC Bank's Leung, who is also president of the Hong Kong Computer Society (HKCS), agreed. He said that HKCS's experience with the cloud has raised his concern about "un-clouding" the data.

"We 'clouded' our membership system to the US and that company disappeared," he said. "It became a sunny sky there, what do we do with the data?"

Although the data was later recovered, Leung added that it is important to understand the issues of recovering and owning the data.
