Ethics 101 : Keeping Cyber on the Straight and Narrow

In cybersecurity, the good guys need to know the same malicious tricks the bad guys use in order to keep them at bay, so having a strong ethical foundation is core to keeping our people on the straight and narrow.

As CISOs, we have to provide that kind of leadership to our teams.

Obviously, we have to hold ourselves to the highest standards to set an example. We're the ones who set the tone. But equally important, we have to clearly lay out what kind of behavior we expect from our employees so they know what type of conduct crosses the line. We don't want those skills misused in a way that compromises the company's sensitive data.

To begin with, we all need to think about the common challenges cybersecurity professionals face because we have access to data and systems that ordinary employees don't. And then we have to figure out what good behavior looks like for our teams. That almost has to be defined by role, because different rules apply to different jobs: what is expected of a penetration tester differs from what is expected of a SOC analyst or an administrator holding privileged credentials.

We want to do our best to make sure the people we recruit share our ethical standards and can be trusted with the privileged information we’re assigned to protect. Having an ethical yardstick is especially important in a sector where there is a severe talent shortage and where people may not have honed their skills in settings that emphasized ethical conduct.

And because many cybersecurity professionals work from home, the temptation toward bad behavior can deepen, since there's no one around to see you take that screenshot. During COVID-19, I am sure we all onboarded people we never had a chance to meet in person until only recently. Being a culture carrier and instilling expected norms and ethics can be a challenge when done strictly remotely.

As you're onboarding people, set clear expectations around your standards and the need to scrupulously follow policy. As CISO, you have to establish those guidelines and spell them out, because there are plenty of gray areas in cyber. Define clear rules of engagement for practices like penetration testing and red teaming (who authorizes the work, what is in scope, how captured data is handled, and how findings are reported), and once you've delineated the ethical challenges, figure out how you tie that to accountability. You can still encourage people to challenge the norms and the policies in constructive ways that will benefit the entire organization.

Map out response and enforcement plans for inappropriate access requests, such as password requests that do not follow the established process. Work with your corporate counsel on specialized requests: what happens if law enforcement asks for access or asks you to decrypt a device, and who makes the decision to engage law enforcement if there is an incident. There is no shortage of examples. Then make sure your employees are aware of the policies, appropriately skilled, and given the proper guidance.

Setting down an internal code of ethics shouldn’t stop at the onboarding stage, however. It’s an important process that can be continued through regular training sessions.

There's no overarching regulatory body in cybersecurity, though some sectors, such as finance, are bound by regulatory requirements that set cybersecurity expectations. But not every industry is regulated, so that's a challenge.

Rules developed in-house can be codified through the company's information security policy. Putting things down in black and white will go a long way toward clarifying standards and courses of action. Establish clear lines of communication and encourage open dialogue, especially when a topic falls into a cyber gray area. This is the best way to surface and deal with the conflicting issues and challenges cyber professionals face.

Throughout our professional lives, we and our employees will face tension between managing business expectations, managing risk, and running an effective security program to protect the company.

As CISOs, we have to convey that there is no question about which path to follow by establishing rock-solid, proper norms. That does not mean it is easy. Just as attorneys maintain continuing legal education (CLE) credits in ethics, ongoing ethics training is equally important in cyber.

*Disclaimer: The views are solely those of David Cass
