Cyber ethics is an area that can get uncomfortable for “security professionals.” Yes, it’s the “e” word – ethics, conduct, behaviors. That’s our job, right? What’s the problem?
Answer: It’s very hard, and it doesn’t help in winning friends and influencing people. While every security professional I know loves to talk with kids about not downloading copyrighted movies or not talking with strangers online, what about (legal) adult behaviors at work?
Unless someone is breaking the law (such as stealing money, engaging in child porn, etc.) or bringing down an operational network, ethical conduct is a topic that many CSOs and CISOs I’ve met would rather not discuss. The tough question becomes: “Where do you draw the moral line?”
One nationally renowned colleague told me, “Don’t go there Dan. You can discuss cyber ethics for kids but not for adults. People don’t want you to preach at them.”
Many would rather talk about the latest worm, the upcoming RSA conference, an interesting SANS report, our latest return on security investment (ROSI) budget, or even our difficulties implementing patch management. There are dozens of reasons for this, but here are some of the frequently heard (but unspoken in public) excuses that security staff give when discussing some aspects of cyber ethics:
1) Not my job – A Department of the Interior memo stated, “Heads of Bureaus and Offices are responsible for ensuring monitoring and enforcement of this policy, as well as taking disciplinary action against violators.” Leave it to HR or local supervisors to monitor legal behavioral problems.
2) It’s difficult to draw black and white lines around cyber ethics, and some of us have been accused of being on a “moral witch hunt.” For example: “Did she really cheat or lie? Maybe that e-mail didn’t cross the line.” -or- “That’s a personal matter.” Ok, so why does it keep taking up so much time at work?
3) Doesn’t get you promoted or catch the interest of senior business management. In fact, business areas would rather not discuss it either – unless forced to address a hostile work environment.
4) Too broad a topic. Tough to measure, tough to control, impossible to stop. I don’t want to know.
5) We have higher priorities, and bigger fish to fry. We need to stop cyber crime and protect sensitive information. Leave personal e-mails alone – unless someone is giving away company (or government) secrets or breaking the law.
6) Just block the bad stuff and move on. We don’t want any adverse morale (with an “e”) issues right now. Like you ever do?
7) For government staff only – the inappropriate use reports (on employees) could be subject to the Freedom of Information Act (FOIA), so don’t produce them.
8) Guilt. Haven’t you ever crossed the line? Are you innocent? Ever done Christmas shopping at work or violated another work policy? Don’t go there ...
9) It’s been going on for too long. Why stop it now? Besides, no budget or staff to address it.
10) Keep us out of the papers. Don’t want a legal fight.
One note: if you’re a new security leader, you may wonder what I’m talking about. Perhaps you feel very strongly about prosecuting employees to the “fullest extent of the policy” that is possible. Yes, we all want to do the right thing, and this list of excuses may seem like the wrong thing. I agree, but you’re in for a cultural battle. Don’t get me wrong. I think cyber ethics is critically important. We’ll get to the impact of holding these attitudes in a later blog.
Typically, CISOs don’t come to these seemingly pragmatic conclusions right away, but over time they get worn down and the above-mentioned attitudes can set in. Many veteran security managers can tell a war story or two of how they tried to hammer cyber ethics (or whatever you call it) at some point over the years, only to be thwarted by executive leaders or HR personnel telling them to “back off a bit and only send us the worst offenders.” Maybe ethical crackdowns happened after major embarrassing incidents, audits, or news stories, but the company culture took over a few years later and things reverted back.
Yes, most organizations have acceptable use policies, but everyone struggles to keep up with the latest fads and challenges like MySpace, YouTube, dating sites, etc. I believe we are starting to see the repercussions of a growing monster that most government and private sector organizations are not yet addressing – but soon will.
Want examples? How about the Foley scandal? We’ll look at that next time.