Compliance with international security standards in Vietnam: difficult or easy?
Given the rapid development of information technology in Vietnam, businesses and organizations now find it essential to comply with international security standards and laws. These range from widely recognized laws and standards like GDPR and ISO/IEC 27001 to more specialized ones like PCI DSS and the Artificial Intelligence Act, which was recently passed by European lawmakers. Complying with these standards and laws assists in the protection of sensitive data while also building trust with customers and business partners. However, achieving this compliance, let alone sustaining it, is not easy, especially in a dynamic and continuously changing business environment like Vietnam.
Compliance with global security standards poses serious challenges for many Vietnamese businesses. Strong management commitment and a thorough security plan are necessary to overcome a lack of understanding, a lack of resources, investment costs, and cultural barriers.
1. Common challenges
1.1. Lack of understanding of standards
When it comes to compliance with international security standards, many businesses and organizations entrust the work to consulting partners whose own understanding of the standards may be incomplete (and in some cases quite poor). One of the biggest difficulties is helping businesses understand the importance of complying with these standards, instead of just thinking of compliance as a “license”, “passport certificate”, or “A4 sheet”. This lack of understanding places a significant burden on organizations and consultants, who end up serving as “missionaries” and, in some cases, directly assisting in the implementation of security measures.
1.2. Lack of human resources
Having no one in charge due to staffing shortages is a common scenario in many businesses. Most small and medium-sized businesses in Vietnam lack a specialized security team, or if they have such a team, it is inexperienced and small. As a result, the implementation process becomes slower and more challenging, requiring both the consulting firms and the customers to “learn while doing” (the customers learn the standards, while we learn about our customers and solve compliance challenges for them).
Staffing shortages seem to be a common problem across the information security industry in Vietnam. In addition to inadequate staffing, the quality of human resources also falls short of industry standards. Attracting security experts in Vietnam is a challenging task, even though they are typically offered a higher wage than their experience might warrant. In 2023, there were 3,866 employees working in the cyber security sector, up 13% from 2022, according to a report from the Ministry of Information and Communications. Despite this increase, the number of employees is still insufficient to handle the enormous workload given the growing trend of cyberattacks on individuals, businesses, and organizations.
Lack of human resources for deployment causes problems for consulting firms as well as for businesses, as all Vietnamese information security enterprises are essentially “burning torches looking for people” and are having difficulty finding any.
1.3. Corporate culture
One of the major difficulties that consulting organizations often encounter is corporate culture in Vietnam. Many organizations have poor work habits, such as failing to follow procedures, which completely contradict the spirit of international security standards. For example, employees may share passwords freely, or use unlicensed software without thinking about the security risks. According to a report from Bkav on the cyber security situation in Vietnam in 2022, up to 14% of users still choose to install software from unofficial sources, and 21% of users are not in the habit of checking for viruses before opening files from the Internet.
Consultancies frequently have to take on the role of “security police” in these circumstances, reminding and training staff members on the importance of complying with security processes.
1.4. Budget and expense
Complying with security standards is not a small investment. Companies must invest in processes and human resources in addition to technology to comply with standards and regulations like PCI DSS, ISO 27001, GDPR, etc. However, many Vietnamese companies still view security as a “luxury item” and are unwilling to make the necessary investments. This causes consultants to often have to “race” against the limited budgets in an effort to identify the best possible solutions using their available resources.
1.5. Unexpected incidents
No matter how well they plan, consultants always face unexpected situations when implementing international security standards in Vietnam. It could be a few uncooperative employees or an outdated and incompatible system. Consultants need to be experienced, adaptable, and even “creative” in order to handle these situations because they must find ways to overcome unpredictable roadblocks.
1.6. Stakeholder pressure
Pressure from partners and customers is another problem that Vietnamese companies and organizations frequently face. As the world grows more interconnected, business partners often require compliance with international security standards as a condition of cooperation. This poses a major challenge, as businesses must meet security requirements not only to protect themselves but also to maintain business relationships. Businesses may prioritize maintaining business relationships over information security and data safety, resulting in a pursuit of “certification” over “compliance”.
1.7. Standards updates
International security standards are constantly updated and changed to reflect new threats. Two widely used security standards in Vietnam, PCI DSS and ISO/IEC 27001, have received updates to their latest versions in 2023–2024. This increases the complexity of compliance since organizations and businesses must update their expertise and adjust their systems on a regular basis.
For example, PCI DSS v4.0, the latest version, introduces many significant changes that require businesses to put more advanced security measures in place, along with more resources and time for implementation.
1.8. Lack of leadership commitment
Leadership support is an important factor in determining the success of compliance with international security standards. However, consultants often face a lack of interest or even resistance from the business’s management. This often comes from their lack of understanding or their preference for other concerns over security. In these situations, it’s critical that at least one senior corporate executive take the initiative, make commitments, and provide the resources required to ensure the “compliant” ship docks securely.
1.9. Language and cultural barriers
Language and cultural barriers present a challenge that cannot be ignored. Since international security standards are usually written in English, they are difficult to comprehend and apply in Vietnam. It is common for customers to ask that Vietnamese translations of these standards be provided. As this practice becomes more frequent, the international standards, along with the related documents and policies used in the consulting process, gradually become more familiar. Still, translating terminology that has no Vietnamese equivalent and adapting policy documents to Vietnamese business culture is a big challenge for every consulting organization.
2. Strengths and advantages of a local consulting organization
As businesses in Vietnam are increasingly aware of the importance of complying with international security standards, the role of local consulting organizations becomes more important than ever. These organizations not only understand the local business environment, but also provide unique advantages in consulting and compliance certification for Vietnamese businesses.
2.1. Deep understanding of Vietnamese culture and business environment
One of the biggest advantages of local consulting organizations is their in-depth understanding of Vietnamese culture and business environment. We have a thorough understanding of Vietnamese business operations, including work processes, communication methods, and the specific challenges these companies encounter. This enables us to tailor solutions and consulting to fit the situation, which facilitates customer adoption and implementation.
2.2. Understanding of and closeness to customers
Employees at FPT IS understand Vietnamese culture and work practices, so it goes without saying that they have close relationships with customers. By communicating and delivering information effectively, FPT IS consultants have been able to lower the language and cultural barriers that international consulting firms face. This facilitates the consulting and certification process, makes our customers feel more comfortable, and increases their level of trust.
2.3. Capacity to respond quickly and flexibly
Vietnamese consulting organizations have the ability to respond quickly and flexibly to customer requests and changes. With a thorough understanding of the local market and close relationships with businesses, they can quickly tailor services and solutions to meet customer needs. This is crucial in the dynamic corporate environment of today, when security standards are updated and upgraded on a regular basis.
2.4. Reasonable cost and efficiency
Local consulting firms also have the advantages of reasonable cost and efficiency. With knowledge of the domestic market, Vietnamese consulting organizations can provide consulting and certification services at competitive prices that fit the budgets of Vietnamese businesses. This holds particular significance for small and medium-sized enterprises, as they frequently have few resources but nevertheless need to maintain compliance with international security standards.
2.5. Contribution to the development of the industry
Finally, choosing local consulting organizations supports the growth of Vietnam’s cybersecurity and information security industry. When businesses trust and use the services of domestic consulting organizations, they are contributing to promoting the development of the industry, laying the groundwork for the establishment of many high-quality experts and consulting organizations in Vietnam.
Consulting on and implementing international security standards in Vietnam is challenging but fascinating. The challenges that consulting organizations frequently face, from lack of understanding and lack of resources to cultural barriers, all call for persistence, creativity, and problem-solving skills. However, compliance with these standards is essential to safeguard private data, strengthen cybersecurity, and maintain customer and partner trust. Despite the numerous challenges that arise during implementation, this work not only builds a wealth of knowledge and experience but also adds real value to Vietnamese firms.
Exclusive article by an FPT IS expert. Author: Ngo Thu Hong – PCI QSA, CISM, ISO 27001 Lead Auditor