CloudSec 2017: HK faces conundrum in cybersecurity standards

Panelists cautioned against over-reliance on cybersecurity guidelines and standards.

The absence of general information security guidelines and standards that are enforced, and that cut across all industries in Hong Kong, may be undermining the city's cybersecurity posture.

Asked whether this could be the primary reason why SMEs, which represent the majority of businesses in Hong Kong, are typically remiss in protecting their organizations against cyberattacks, Charles Mok, the legislator representing the IT functional constituency, begged to differ.

“I think it is because of a lot of reasons. The lack of awareness by SMEs is not an issue particular only to Hong Kong. SMEs anywhere in general lack resources and support, so it is important for the government and the industry to provide them with more guidelines and knowledge,” Mok told Computerworld Hong Kong.

“But in the end, they have to care about it enough to take their own precautions. They cannot continue to use ‘lack of resources’ or ‘I don’t know’ as their excuse, because they are the ones to suffer ultimately,” he added.

Whether Hong Kong needs general cybersecurity guidelines and standards that apply across the whole city was one of the key questions raised by delegates during the panel discussion at the recently concluded CloudSec 2017 conference.

Sectoral approach

“The standards in my view must come from the community and the local industry. Also, a lot of times, at least in Hong Kong, these standards may come from the various sectoral regulators,” Mok opined at the CloudSec panel.

He noted that sectoral regulators in Hong Kong, such as the Hong Kong Monetary Authority, which oversees banks, the Securities and Futures Commission, which looks after securities firms, and the Insurance Authority, which regulates insurance companies, are in the process of adopting a number of cybersecurity practices that apply to the companies under their respective domains.

“So I think the way Hong Kong is proceeding is in such a way,” he added. “At the level of the government, I don’t think they have a standard organization to drive this type [of general] adoption.”

Hong Kong has traditionally followed whatever international standards are available and adopted them as its own. The same holds true for cybersecurity.

Don’t just rely on guidelines and standards

Panelists at CloudSec cautioned delegates against over-reliance on cybersecurity guidelines and standards in the ongoing battle against cyber threats.

“Standards provide you with guidelines. If you are sitting there as a CISO in an organization waiting for standards to tell you what to do, then probably you are in the wrong job,” said Dale Johnstone, vice-convenor of ISO/IEC JTC 1/SC 27 Working Group 1, part of the ISO/IEC subcommittee responsible for developing and publishing the ISO/IEC 27000 series of information security standards.

He pointed out that there are two ways of doing cybersecurity.

“There is doing cybersecurity by compliance checklist – ticking boxes – and doing security by risk management. I am a fond believer in doing cybersecurity by risk management, because I can put in place standards which are more relevant than doing a lot of things that are not going to help my organization,” Johnstone said.