Ethical Principles for Infosec
What are some of the ethical principles that can be incorporated into a board’s infosec committee? This question came up when I was commenting on a post by Bob Zukis about the $26MM settlement SolarWinds recently entered into with shareholders over its role in the supply chain attack and breach by APT29. That attack became public knowledge in December 2020, when FireEye published details of how it had been compromised through its third-party monitoring vendor. Details of the proposed settlement were included in SolarWinds’ SEC 8-K filing for October. Funding this from D&O (Directors and Officers) insurance is a subject for another time. But the story immediately made me wonder what sort of “shoring up” of our guidance and governance for boards of directors can be accomplished now, at a time when cybersecurity is clearly and firmly on the agenda of boards and trustees everywhere.
Add to this the twin stories of the guilty verdict in Sullivan v United States and the Mudge whistleblower SEC filing, and you have some quite powerful and engaging examples of ethics at work. It would be a shame not to leverage these discussions, and the contemporary musings by CISOs and non-CISOs alike, about what all this might mean for the evolution of infosec roles and responsibilities. Where is our collective ethical compass pointing at the moment, and do we have a good handle on the concept? I don’t endeavor to answer that question here, but I do intend to think about it out loud and see where it takes me.
To start, it’s handy to have a menu of ethical principles with which to begin such ruminations: which of them resonate with us, and which feel like a stretch when applied to our particular work, industry and culture? These variables undoubtedly conspire to produce a wide range of answers and outcomes, agreements and disagreements. I happen to have such a list of “try before you buy” ethical principles, originally compiled so that I could consider including some of them in the charter of a board committee I started drafting this year. One can take an AI/ML ethical bias audit view of these principles if so desired, but on further reading and thinking I believe that constraint would make the scope of this article needlessly narrow. Each principle is followed by (my thoughts in italics).
In the world of traditional business and finance, we already have a reasonably large body of canonical thinking and practice regarding ethics, which globally seems to center on anti-bribery, anti-money-laundering and the prevention of (undue) influence over government procurement. The list above, however, can be considered an extension of those principles and agreed norms of behavior as we set our bearings and (potentially) adopt a new ethical compass, one that takes into account the context of culture, care and the other complexities of our modern world: an ethical compass that can point in more than one direction at a time while remaining internally consistent and approachable.
CEO & President @ Russell Nomer Consulting & Music | Cybersecurity, eDiscovery, Information Governance, Songwriting and Producing
2 years
As much as I too appreciate the lists, the devil's advocate in me is concerned that longer lists mean well, but often set us up for failure by overwhelming the audience. There is no shortage of rules and lists, but even ten commandments from the highest authority are often willfully ignored by humans without sufficient consequences. So how do we simplify? Where can we look elsewhere for existing models that we can adopt or leverage to communicate and influence more effectively? Might we consider borrowing from the practice of medicine with nine principles? https://www.ama-assn.org/about/publications-newsletters/ama-principles-medical-ethics.
Managing Director @ CISOWise LLC | CISM, CISSP, CGEIT
2 years
Something about the number 12 as a guiding light. 12 parts of the scout law (trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, reverent), 12 disciples, 12 days of Christmas.... So I like that you landed on 12 as a non-obvious number. What makes each of these 12 powerful is the story that can go behind them. I.e.: (1) When have you been challenged to render fairness and impartiality in information security? * What happens when the executive wants special exemptions (i.e., admin access, bringing their phone into the SCIF [yes, I had that one once], personal use exceptions)? * What happens when the top salesperson keeps posting inappropriate things on social media? [yes, a friend had to deal with that one] I could continue on for (1) through 12, and I'm sure you could as well. Maybe you have the makings of a book or a blog series here.
Cybersecurity Leader | Risk Advisor | Privacy Professional
2 years
I wonder if we, as a profession, could aspire to what has been accomplished in Law? The prospect of being disbarred is a tangible risk to any attorney who acts in an unethical manner. While the tenets are few and rather straightforward, they do create a "higher power" by which attorneys must abide, beyond the immediate employer or client. It isn't perfect, but it has given rise to the credible sense that an attorney is a fiduciary. It would be a monumental shift to do this in security as well.