The Cybercratic Oath: Be The Change You Seek

Cyber Challenge 4: Do the right thing

I just read an article over lunch on the 'modern Hippocratic Oath' and I was struck by how work in cyber security seems to be one of the few industries that still lacks formally defined legislation to operate, responsibilities, and ethics to support these responsibilities. I was also struck by the fact that Hippocrates set out, around the 5th Century BCE, to establish a true profession for Doctors, and maybe that is what a cyber profession needs.

Here is a modern version of the Hippocratic Oath:

01 I swear to fulfil, to the best of my ability and judgment, this covenant:

02 I will apply, for the benefit of the sick, all measures [that] are required, avoiding those twin traps of overtreatment and therapeutic nihilism [fixing bad practices in business through cyber].

03 I will not be ashamed to say "I know not", nor will I fail to call in my colleagues when the skills of another are needed for a patient's recovery.

04 I will prevent disease whenever I can, for prevention is preferable to cure.

05 I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person's family and economic stability. My responsibility includes these related problems, if I am to care adequately for the sick.

06 I will remember that I remain a member of society, with special obligations to all my fellow human beings, those sound of mind and body as well as the infirm.

07 I will remember that there is art to medicine as well as science, and that warmth, sympathy, and understanding may outweigh the surgeon's knife or the chemist's drug.

08 I will respect the hard-won scientific gains of those physicians in whose steps I walk, and gladly share such knowledge as is mine with those who are to follow.

09 I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know. Most especially must I tread with care in matters of life and death. If it is given me to save a life, all thanks. But it may also be within my power to take a life; this awesome responsibility must be faced with great humbleness and awareness of my own frailty. Above all, I must not play at God.

10 If I do not violate this oath, may I enjoy life and art, respected while I live and remembered with affection thereafter. May I always act so as to preserve the finest traditions of my calling and may I long experience the joy of healing those who seek my help.

New recruits into cyber security are often placed in teams with more experienced colleagues where they can learn by example what they need to do to be cyber defenders. Cyber ethics must necessarily dictate the field of play when no one else is watching and encode how the individual should make the best choice for themselves.

Knowing how and when to report an event is often the catalyst for someone to stop and think about how they should ethically act. For the corporate cyber citizen this can range from tagging a potential phishing email right up to reporting someone's online behaviour. For the cyber professional these choices are often bigger than reporting an individual (such as when a data loss is detected) and can trigger large-scale repercussions for businesses, which we trust will all have an action plan and a communications plan. Cyber ethics remain at the top of the agenda when we study for the ISC2 CISSP exams as 'The Canon' of the ISC2 Code of Ethics.

Code of Ethics Canons:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honourably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

My circle of cyber professional friends has long been discussing cyber ethics. In the earliest days of what we have come to call Cyber Security, young PFYs (cyber professionals) such as myself faced some tricky ethical conundrums in our day-to-day without a Code of Ethics Canon, by leaning on our own sense of right and wrong at an individual level. At the business level, larger scale deliveries have had cyber delivery and design principles such as 'make things no worse' to help chart their course.

It is with this in mind I thought I'd offer a first cut version of a cybercratic professional oath for critique and comment:

01 I swear to fulfil, to the best of my ability and judgment, this covenant:

02 I will respect the hard-won gains of those cyber-defenders in whose steps I walk, and gladly share such knowledge as is mine with those who are to follow. I will document my activities to help train others and share my knowledge in order to grow the next generation.

03 I will apply, for the benefit of the organisation where I work and the industries they serve, all measures [that] are required, avoiding those twin traps of over specifying and trying to fix bad business practices through cyber.

04 I will remember that there is art to cyber security as well as science, and that people skills, persuasion and cyber-awareness may outweigh radical cyber reform.

05 I will not be ashamed to say "I know not", nor will I fail to call in my colleagues when the skills of another are needed to treat the cyber issues that my organisation faces.

06 I will respect the privacy of my organisation, for its problems are not disclosed to me that the world may know. Most especially must I tread with care in matters of high business or financial impact. Cyber security has the capacity to fundamentally change how we transact business, so I will remember to never make things worse and to always seek to enable the business. Above all, I must not play at God; I must remember that we serve the organisations we work for and the industries they serve.

07 I will remember that I do not just treat security vulnerabilities but the outcomes of business choices driven by commercial pressures. My responsibility includes these related problems, if I am to provide the best cyber security advice.

08 I will prevent cyber security incidents whenever I can, for prevention is preferable to cure.

09 I will remember that I remain a member of the business I serve, with special obligations to all my fellow employees, including both good and bad cyber citizens.

10 By living this oath I hope to be respected and remembered with affection. May I always act so as to promote the finest traditions within cyber security, and may my cyber security work give rise to respect from business colleagues and improve the business standing of the cyber security profession.


Please feel free to DM me or comment on changes / inclusions / updates you'd like to see in a cybercratic oath!


I’m writing a few articles in my spare time about #PeopleCentredCyber:

1. Cyber Challenge 1: Email Deluge - Email: Be The Change That You Seek

2. Cyber Challenge 2: Sales Calls Deluge - Sales Calls - Be The Change That You Seek

3. Cyber Challenge 3: Speaking of Cyber... - Cyber Talk: Be The Change That You Seek

4. Cyber Challenge 4: Doing The Right Thing - The Cybercratic Oath - Be The Change That You Seek

and...

5. Coming soon: ... Cyber Challenge 5: Team Creation - Build The Team You Need - Be The Change That You Seek

Stuart Payne

Talks About - Business Transformation, Organisational Change, Business Efficiency, Sales, Scalability & Growth

1 year

Thanks for sharing this, Leon!

Rakhesh Rao

Infrastructure Analyst

1 year

This is something I try and imbibe in the work I do. Medicine and technology are two sides of the same coin in many ways so a lot of the techniques and ideas are easily transferable. Something that is lost on the new generation of technology people.

Leon P.

Senior Cyber Architecture Leader | Technology and Cyber Strategy, Secure Multi-cloud, Identity

1 year

"First, do no harm" was an interesting one - it is attributed to the ancient Greek physician Hippocrates, it isn't a part of the Hippocratic Oath though. It is actually from another of his works called 'Of the Epidemics'. But the body of work is driving more professionalism, higher standards, and improved public trust - rather similar to the cyber profession of today. I included 'don't make things worse' as a nod to this part of Hippocrates' body of work.

Asutosh Sahi

If the only tool you have is a hammer, you'll see every problem as a nail.

1 year

First do no harm... A very good start!
