Triware Networld Systems 

27 Years Of Around The Clock Superior Network Systems Service & Support!





Information Security & Privacy Regulatory Compliance: High-Tech

First, if you’re reading this, let me say “thank you.” I run into so many high tech firms that have not even considered information security until it is too late. It’s enough to make a grown man cry. Or write an article about it!

Second, let me assure you that there is a structure that is measurable and concrete and that can provide your firm a measure of protection vastly superior to the current method of applying whatever security add-ons vendors choose to provide.

If you are in high tech, then you have one advantage: the regulations that bind you are significantly fewer than those that bind financial sector or defense contractors. However, this can also be a weakness. If you do not have the time, resources or discipline to apply information security (or, as we say, “infosec”) standards at your firm, there will be no one around to force you to do so.

Here are just a few examples of high tech firms that failed to adhere to the rules of information security until it was too late.


In an example of malicious intent, an engineer at one company opened up an FTP port and throttled it to send just a few packets per second out to his home computer, slowly enough to avoid notice. The engineer’s intention in taking the project information was to use it to secure a future position in the event he was laid off or fired.

While common, malicious intent is hardly the only concern.


In a case of accidental leakage, an employee was practicing building a website for a company Intranet. The employee took his laptop home and accidentally left the website software running. You can imagine the consternation when the company’s largest customer called and asked why the company was leaving sensitive information (provided by that very customer) exposed to the Internet. In this case, the company simply felt it didn’t have the resources to maintain pilot machines for testing new software. Sound familiar?


As a final example, I leave you with the nightmare of a lost laptop, or even simply a sensitive report left at a restaurant or inexplicably missing.

All of these breaches cost the companies money: as much as $1000 an hour until the security incident is investigated and resolved. In addition, there is always the time and business opportunity lost when senior management has to become involved in security breaches. Invariably these breaches cost many more thousands of dollars (sometimes hundreds of thousands) in lost revenue and research and development costs than the sometimes simple measures that might have prevented them.

You would not give your latest design to your competitor, so why make it easy for them to data mine it or have it “accidentally” turn up at their firm? Ethical questions aside, it is your responsibility to secure your company’s intellectual property.

So, being a responsible C-level manager, what tools are at your disposal?

First, understand that you are not a security expert. If the answer to the question “who is your firm’s information security officer?” is you, or the CEO, CFO, CIO or COO, then you are already on the wrong track!

Your company needs to charter a security department dedicated to information security. If your company is too small to have a CSO (chief security officer), at least have an Information Security Officer (ISO). The role of the ISO carries a myriad of essential duties, so there is no fear that you would be hiring “deadwood.”

Some examples of what an ISO does are:

- Manage the information security risk assessment process
- Manage the incident response process
- Manage the security awareness process
- Participate in (or manage) the business continuity process
- Manage cyber-crime relationships with the FBI and local authorities
- Manage the information security program
- Manage the regular reporting to senior management and the board of directors

There is a standard for security put out by the ISO (International Standards Organization; not to be confused with the Information Security Officer role above). This standard (known as 27001) provides guidance and delineates each aspect of a successful information security program. If your firm is not doing something to comply with the ISO 27001 standard, you should have a very good reason for why it is not doing so. As with all standards, not everything has to be followed (at least if you’re not regulated), but where you choose not to follow a control you should know what the compensating controls are, so that you can ensure they are in place.

In summary, if you are a high tech firm, you still carry a high infosec risk, and you reduce that risk by setting aside the resources necessary to build an effective information security program. Failure to take these actions can result in the loss of a few thousand dollars or even the loss of jobs, and in this day and age that kind of lack of due diligence is simply not acceptable. The threat is there, and the tools to combat the threat are also available. All it takes is the corporate will to do all that is necessary and reasonable to prevent the kind of information security incidents that occur every day in every industry, to the detriment of companies and individuals alike.

By John Barchie, Senior Information Security Governance Fellow

John Barchie Biography

John Kenneth Barchie, CISM, CISSP, CNE, MCSE is an Information Technology and Information Security Expert with over 15 years in the high-tech and financial industries. John has been engaged to manage, audit, review and improve over 200 information technology departments and to charter corporate security functions.

© Copyrights Triware Networld Systems, L.L.C. ® 1991-2018