In our line of work, we face multiple ethical challenges born of the voluminous amounts of information we oversee; the speed with which technological advances have evolved; and the ubiquitous role technology has assumed in today’s society. Our proficiency with the very tools that bad actors use only complicates things further.
Our ethical choices can impact things as wide-ranging as the privacy of people’s sensitive data, the well-being of their bodies and property, and who we ultimately protect. With new technologies emerging all the time, our judgments have the power to significantly affect the welfare of millions of people, so our responsibilities are enormous.
Now, there are always gray areas in these things. You may have a situation that is legally permissible but borderline unethical or dubious. There are also issues that are open to debate, such as what constitutes “timely” disclosure or “ethical” hacking. Consequently, conflicting views of how to act will emerge if we don’t have very concise, explicit guidance and procedures to evaluate compliance.
I propose that we put together a consortium of security professionals to draft a code of conduct, looking, among other things, at cases that potentially carry jail time. These professionals would outline what could be done to keep a CISO from reaching this dangerous point, and identify red flags.
Some of the certification bodies that we have today could be the vehicle for such a consortium. Most CISOs are certified. They could use their membership to create a transparent working group to conduct surveys and get buy-in from a broad population of CISOs, then draft a code and publish it for comment.
The group could also invite input from academics familiar with the issues of cybersecurity ethics, but I think it’s imperative that it largely be made up of professionals who are in the cybersecurity trenches day in and day out. These are the people who are in a position to understand ethical best practices and to outline obligations and disaster response.
Such a code would put us in line with other professions, such as medicine and law, that have codes of ethics designed to instill robust principles of conduct meant to guide practitioners in discharging their responsibilities. Some high-profile lawsuits and criminally prosecuted cases against members of our profession have sparked a lot of talk recently about how CISOs have to watch their backs because we are now exposed. As a result, we now painfully understand that it is not enough simply to consult our organization’s general counsel; Legal’s mandate is to protect the organization and itself, not us. To protect against such occurrences, some people are starting to advise CISOs to get independent legal protection written into their contracts.
But as for us becoming targets, I maintain that following our moral compasses should be our lodestar.
I think a code of conduct is essential so standards of behavior don’t become a wedge issue in our community.
It is also essential so nobody can claim they didn’t know.