Improving Security Awareness in Cross-Cultural Work

Author: Vanessa Britt Perez Revilla, CISA, CISM, CRISC, ISO/IEC 27001 LA
Date Published: 9 November 2023

Is your enterprise considering sourcing internal resources via offshore locations? Or has it already hired talent from lower-cost regions?

Global in-house centers (GICs) are becoming popular because they can deliver services in low-cost locations that are owned and operated by the same enterprise receiving the services. In the past few years, many multinational enterprises have set up GICs in India to leverage the nation’s highly skilled, low-cost talent pool and reduce the cost of service delivery. In addition, executives are increasingly looking to countries in Asia-Pacific, Eastern Europe and Latin America as viable options for expanding their external workforce. However, there are challenges around adopting this model and one of them is maintaining the integrity and security of the enterprise’s data because the culture and IT security in the offshore location are considered vulnerabilities that can affect the GIC value chain to a high degree.

Chief information security officers (CISOs) should alert the board about the importance of conducting a risk assessment to identify the threats and vulnerabilities introduced, especially when hiring workers from different countries, and the impact on the enterprise if they are not managed. They should work with the cyberthreat intelligence team and security operations center to document incidents that demonstrate how people from the offshore location can be one of the largest drivers of incidents at the organization. If the enterprise has not yet started operations, they should gather information about the security incidents reported in the country the offshore location is based in.

Organizations should get the support of the board to involve people with appropriate knowledge in the risk assessment exercise. A multidisciplinary team composed of representatives of the offshore location should be invited to participate in the workshop sessions. It is also beneficial for the CISO to travel to the offshore offices to immerse themselves in the local culture and to hire a local security professional.

Another mechanism to obtain deeper understanding of international employees’ security attitudes and habits that may help identify behavioral risk is to conduct a survey. The support of the board and HR from the offshore location are needed for this task as these stakeholders can help build a set of questions to gather information about how employees engage with security in their daily work (and nonwork) lives. 

Once the results of the risk assessment and the survey have been obtained, a security awareness program should be created for the international location and presented to the board and top management. Organizations should ensure computer-based security training is customized to tailor the content to the employees’ level of knowledge and experience. In addition, security awareness activities such as contests with prizes can help reinforce learning retention. It is important to note that you may be building a culture of information security in a country that does not enforce security laws.

The board should also propose that HR of the offshore location develops and communicates a disciplinary action policy that includes violations of privacy and security rules. It is crucial that an environment with respect toward policies and rules is maintained to cultivate the security mindset. However, HR might not want to implement or communicate a local sanction policy if they think it could have a negative effect on workplace environment. If such a concern is raised, it should be discussed with the board.

Design metrics must be determined before testing the employees’ behavior before and after deploying the security awareness program. Metrics show whether employees are being effectively educated and changing their behaviors accordingly. In cases where the values obtained do not meet the goals of the security awareness program, corrective actions can be implemented to improve the metrics. The status of the security awareness program should always be communicated to the board, placing special emphasis on presenting the metrics to show employees’ behavior in the offshore location.

Building a security culture is no easy task. It can be challenging for a CISO to understand the behavior toward information security that people from other countries have. When colleagues grow up in a country where legislation is not necessarily enforced, management is often worried that offshore colleagues see them as the police officers of the organizations. The key to overcoming these obstacles is to get the support of the board and regularly update them with the results of the security awareness program. This means that they are accountable for overseeing risk management by ensuring that the necessary resources are allocated to manage risk.

Editor’s note: For further insights on this topic, read Vanessa Britt Perez Revilla’s recent Journal article, “Improving Security Awareness in Cross-Cultural Work and Collaboration,” ISACA Journal, volume 5, 2023.
