For information security threats such as phishing and data breaches, AMI has a variety of different security measures to reduce risks and impacts and manage firmware weaknesses.
Since its acquisition by HGGC in 2019, AMI (AMI Technology) has redefined its corporate governance structure by considering information security as its first priority. For information security threats such as phishing and data breaches, AMI has a variety of different security measures to reduce risks and impacts and manage firmware weaknesses, integrating comprehensive protection plans for enterprises and multinational branches.
Samuel Cure, AMI Chief Information Security Officer (CISO), said that as a firmware company, AMI adopts a unique governance structure based on "Zero Trust Architecture" (Zero Trust) as the company security principle.
"AMI uses the CISO to manage IT and data privacy, hence reversing the traditional organizational structure of the CIO and the CISO," continued Cure.
This is setting a precedent of changing the role of the CISO in other international companies. Leveraging this governance model ensures that security is a top priority for the company and that it is followed across all IT and data governance activities. This is very different from the traditional lack of a security-first model that most companies are struggling with today.
Data breaches are one of a company's biggest challenges when it comes to IT operations, and a data breach protection program (DLP program) relies on the best data classification and data flow to be effective. Samuel Cure said AMI has a dedicated data privacy office that reports directly to the CISO to ensure that security technology is aligned, and data flows are appropriately protected.
Bon Liaw, responsible for AMI's global cybersecurity, further explained, "Collaboration is the key to the success of an international company. Globalization is just as important as localization. To succeed under the global security governance structure, implement it in a local way, meet the needs of the local region, and provide a transparent channel for all people to participate and integrate smoothly in the governance structure."
Supply chain security is inseparable from firmware security
AMI is a firmware company. From a product point of view, the target of information security threats is firmware weaknesses, and AMI has a complete product vulnerability management lifecycle and a globalized PSIRT. AMI is always developing processes to integrate into the company's comprehensive protection plan, which the company hopes to extend to other security management structures in the future. Samuel Cure said that AMI continuously updates and patches weaknesses in its own products as identified by internal stakeholders, external testing, and third parties. AMI is also working with third parties to study whether firmware security solutions can serve as formalized compliance controls, setting a precedent for cyber compliance and audit regulations.
Samuel Cure mentioned that supply chain risks and firmware security are the focus of global OEM/ODM vendors. AMI is working with government agencies and audit standards to define cross-border firmware security requirements and further develop global firmware security as a new audit and regulatory standard.
Communication from the Chief of Information Security
Taiwan currently requires listed OTOs to set up CISOs, and when asked how to communicate when there is a conflict between corporate profit orientation and security orientation, Samuel Cure believes that there are two parts to pay attention to.
"First, if the correct security management model is adopted, when the security incident occurs, the cost of remediation, such as manpower and material resources, may be more economical. If the safety design is well integrated with the company's operations, it is not only simpler to implement, but also more economical. Second, there is flexibility to choose information security solutions, not all of which are expensive, and some even do not cost anything." He stressed that adopting more security system solutions does not mean making the company safer; the real challenge is to change the processes and user habits, which determines the security strength of the enterprise.
Bon Liaw doesn't think Taiwan is a country with many mandatory regulations to enforce information security. "So, the key now is how to balance the situation to make the information security program effective. Enterprises in other countries or regions have many structures or models for running information security governance for Taiwanese enterprises to refer to, and there is no need to start all over again."
For the AMI security strategy of the past three years, Samuel Cure emphasizes operational resilience. Under the assumption of "compromised," stress test your security plan to ensure that it provides adequate protection for your operations.
Bon Liaw pointed out that security is a constantly moving goal. Security policies will not have fixed content, and they need to be constantly reviewed and updated according to the company's existing resources to ensure that the goal is correct. "It is not necessarily complicated, but necessary."