What are some of the ethical principles that can be incorporated into a board’s infosec committee? This question came up when I was commenting on a post by Bob Zukis around the $26MM settlement SolarWinds entered into recently with shareholders with regard to their role in the supply chain attack and breach by APT29 that became public knowledge in December 2020 when FireEye published details of how they had been compromised by the attack on their third-party monitoring vendor. Details of the proposed settlement were included in their SEC 8-K filing for October. Funding this from the D&O (Directors and Officers) insurance is a subject for discussion another time. But the story immediately made me wonder what sort of “shoring up” of our guidance and governance for boards of directors can be accomplished at this point in time when cybersecurity is clearly and firmly on the agenda of boards and trustees everywhere.
Add to this the twin stories of the Sullivan v United States verdict of guilty and the Mudge whistleblower SEC filing and you have some quite powerful and engaging examples of ethics at work. It would be a shame to not leverage these discussions and contemporary musings by CISOs and non-CISOs about what all this might translate into for the evolution of infosec roles and responsibilities. Where is our collective ethical compass pointing at the moment and do we have a good handle on the concept? I don’t endeavor to answer such a question here, but I do intend to think about it out loud and see where it takes me.
To start, it’s handy to have a bit of a menu of ethical principles to begin such ruminations about which resonate with us and which feel like a stretch when applied to our particular work, industry and culture as these variables undoubtedly conspire to produce a wide range of answers and outcomes, agreements and disagreements. I just so happen to have such a list of some “try before you buy” ethical principles which were originally compiled in order to think about including some of them in a board committee that I started drafting a charter for this year. One can take an AI/ML ethical bias audit view on these principles if so desired, but on further reading and thinking I imagine that this constraint for the scope of this article is needlessly narrow. Each principle is followed by (my thoughts in italics).
- Fair / Impartial: Technology should include internal and external checks to ensure equitable application across all participants (easy to say, hard to enact)
- Accountable: Policies should be in place to determine who is held responsible for the decisions made or derived with the use of technology (especially hard to implement given already ambiguous ownership of breach reporting accountability)
- Robust / Reliable: Technology should produce consistent and accurate outputs, withstand errors, and recover quickly from unforeseen disruptions and misuse (easy to do and implement)
- Safe / Secure: Technology should be protected from risks that may cause individual and/or collective, physical, emotional, environmental, and/or digital harm (trivial with a simple list of harms, endless with an inclusive list of harms)
- Controlled: Technology end-users should be evaluated to ensure they are using it in the as-intended and non-harmful manner, with termination activated when misuses continuously occur (not impossible, but certainly a new area for surveys and audits of user behaviors)
- Private: User privacy should be respected, and data should not be used beyond its intended and stated use; users should be able to opt-in/out of sharing their data (GDPR principles cover a lot of this already, but data provenance and governance is not really mature enough to make this an immediately tenable or palatable business product or service [just think of Apple’s recent controls on user data privacy])
- Adaptable: Technology policies should be feedback-oriented (from both internal and external stakeholders), frequently reviewed, and updated (need AI/ML to be much less “black box” algos and training data sets for the review aspect here)
- Responsible: Technology should be created in a socially responsible manner, rooted in the moral and ethical standards of society, and with the goal of serving the common good (how to reconcile alignment of a western democratic post-modern definition of “common good” and morality with an autocratic pre-modern worldview?)
- Diverse: Technology should be created by diverse teams for a diverse target audience (should be doable despite our glass ceilings and non-diverse technology teams created thus far)
- Transparent / Explainable: Users should understand how their data is being used and how technology makes decisions; algorithms, attributes, and correlations should be auditable and open to inspection (most likely only happening with regulatory enforcement as “opt-in” seems without much intrinsic incentive)
- Valuable: Technology’s benefits (e.g., better quality, speed, safety, and/or price) should be evaluated in comparison to the potential misuses (technology is an amplifier, it will scale evil just as easily as it will scale non-evil outcomes)
- Collaborative: Technology standards should be discussed amongst industry-peers, government agencies, academia, standards associations, etc. to co-create ethical standards (fully hope to work with anyone and everyone on this core, shared and inclusive principle)
In the world of traditional business and finance, we already have a reasonably large body of canonical thinking and practice regarding ethics which seems to center globally around the concepts of anti-bribery, money laundering and (undue) government procurement influence. This list above, however, can be considered an extension of some of those principles and agreed norms for behavior as we set our bearings and (potentially) adopt a new ethical compass which takes into account the context of culture, care and other complexities of our modern world. An ethical compass that can point in more than one direction at a time and remain internally consistent and approachable.
Information Security, Cybersecurity, Information Governance and Electronic Discovery Management Consultant
2 年As much as I too appreciate the lists, the devil's advocate in me is concerned that longer lists mean well, but often set us up for failure by overwhelming the audience. There is no shortage of rules and lists, but even ten commandments from the highest authority is often willfully ignored by humans without sufficient consequences. So how do we simplify? Where can we look elsewhere for existing models that we can adopt or leverage to communicate and influence more effectively? Might we consider borrowing from the practice of medicine with nine principles? https://www.ama-assn.org/about/publications-newsletters/ama-principles-medical-ethics.
Managing Director @ CISOWise LLC | CISM, CISSP, CGEIT
2 年Something about the number 12 as a guiding light. 12 parts of the scout law (trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, reverent), 12 disciples, 12 days of Christmas.... So I like that you landed on 12 as a non-obvious number. What makes each of these 12 powerful is the story that can go behind them. ie: (1) When have you been challenged to render fairness and impartiality in information security? * What happens when the executive wants special exemptions (ie: admin access, bring their phone in the SCIF [yes I had that one once], personal use exceptions) * What happens when the top salesperson keeps posting inappropriate things on social media? [yes, friend had to deal with that one] I could continue on for (1) through 12, and I'm sure you could as well. Maybe you have the making of a book or a blog series here.
Cybersecurity Leader | Risk Advisor | Privacy Professional
2 年I wonder if we, as a profession, could aspire to what has been accomplished in Law? The prospect of being dis-barred is a tangible risk to any attorney who acts in an unethical manner. While the tenants are few and rather straight forward it does create a "higher power" to which attorneys must abide to beyond the immediate employer or client. It isn't perfect, but it has given rise to the credible sense that an attorney is a fiduciary. It would be a monumental shift to do this in security as well.