Homo Sapiens and the Human Equation of Ethics

2015-10-02 07:20

I recall engaging in a conversation with a fellow security professional this year on the subject of where the CISO role should reside and to whom the CISO should report. My opponent’s opinion was very much contrary to my own, vocalising the value of the CISO having full alignment with the Main Board and the Company Executive. I, on the other hand, feel they [the CISO] should be far removed from any potential exposure, by implication of conflict of interest. Here, I have a number of real-life examples that I will elaborate upon later, where the operational security, compliance, and governance of the implicated companies were at best compromised and, in the worst cases, resulted in culpable acts of criminality. However, prior to presenting the shady side of operational life, I wish to focus on the landscape of the ethical challenges we as a society have encountered up to 2015, at which point I will underpin my argument to promote avoidance of any manifestations of osmosis between the membrane of robust and trusted security and that of the commercial aspirations of the leadership of the organisation.

In order to achieve the required level of understanding, we first need to appreciate the complexities and foibles of Homo sapiens. First of all, unlike a robot, we as biological units are not restricted by predefined logic, and thus, in the norm, we enjoy a continuous state of reassessment to underpin our personal wellbeing. Thus, in the area of the self-serving interest of others, I have observed at close hand what I assess to be a realignment of focus by some who were seeking corporate self-survival – here exemplified by the cases of two security executives – at the potential cost of the organisations they were responsible for securing. We should also accept that, like it or not, the human race can [and does] suffer from conditions of greed, corruption, and culpable decisions that implicate the mass to the advantage of an individual, groups, or the organisation.

As we are all now aware, up to 2015, we have suffered an ever-increasing state of adverse revelations originating from well-governed brands and organisations. For example:

  • Insider trading
  • The fixing of Libor
  • The case of FIFA
  • Abuse of positions of trust [e.g. The Coop Bank debacle]
  • The use and abuse of insider knowledge in the highest house of government in the land, seeking to embarrass, and destabilise an elected leader

However, notwithstanding the state of what represents an escalating disbelief which we seem to have encountered every week, the derisory acts of a global brand such as VW seem to have topped the stack.

If we are to balance the debate around where such a role as the CISO should reside and report to, the case of VW at a commercial level would seem to serve as a very good witness for the prosecution as to why the case for segregation should be upheld. For instance, in the case of the recent VW discoveries, we see a range of decisions that have been made to satisfy the company’s commercial interest. These decisions encompass, but are not limited to, implanting commercially driven Trojan code to act as what almost amounts to an anti-forensics application. And let us not overlook the associated implications of knowingly contributing to the contamination levels of the atmosphere, casting to the wind the impact this could have on public health. In other words, here we see a truly global representation of what amounts to failures of controls, governance, compliance, corporate dishonesty, culpability, and the prospect of proven criminal acts being carried out by what was once a shining brand, now of course suffering tarnish.

When I move this conversation back to the importance of the segregated role of the CISO, using the aforementioned cases as a benchmark, I can align the disclosed events to some known occasions where the ethic got lost. For example, consider the trusted automotive executive who abused their expenses system to the tune of £250,000 in one annual reporting period, or the security consultants robbing the public purse by offsetting work against a cost centre number when in fact no work was actually carried out – and this under the scrutiny of the head of the security practice. But then, moving up the stack toward the CISO position, one case, at a time of tension with their executive line management, saw the incumbent CISO actually attach a personal laptop to the corporate LAN and download sensitive data prior to walking off site in a fit of tantrum. This really does bring the case of trust/ethic/segregation home to roost. But then here we are encountering the human condition of Homo sapiens referred to above, seeking the higher ground of personal survival at any ethical cost. In fact, as amazing as it may seem, even after such untrustworthy acts, the CISO in question was actually allowed back to work upon resolving the said matter of conflict – they were of course very close to the Main Board, the Executive and HR!

The last area of all which I believe is in support of my case for the segregation argument relates to the loss/theft of a laptop containing 35,000 unencrypted account records from the premises of a third-party agency. In this particular case, both the Director of Assurance and Audit and the CISO were again very close to the Main Board/Executive, and the decision was taken, and agreed, that it was not in the interest of the brand to report this matter to the Canary Wharf-located owning bank! In fact, to take this organisation one step further toward the brink of dishonesty, given the cosiness of the concerned Director of Assurance, the tentacles of compromise even reached as far as altering the status of some selected audits to a shade of green-respectability – an action which was complicit with the Main Board-resident IT Director.

At the end of the day, the objective of the security professional must be to secure the enterprise, watch the people, and avoid the opportunities for complicit engagements – and to ask the question ‘who watches the watchers?’ That said, it is worth remembering that, when it comes to human nature, every high-grade spy who has operated has enjoyed one important element – they enjoyed access to the source level of target materials, as they were background checked and security cleared to do so!

My ultimate conclusions must be: people will always be the weakest link, power corrupts, and greed can sometimes overshadow the greater good – and with that knowledge, we need to defend our assets and trust, and above all exercise a watchful eye and processes to avoid the contaminant conditions which can corrupt and tarnish ethics and respectability.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Source: /EblB7bL7hEP/3~/ytiruces-fo-etats-eriwpirt/r~/moc.elgoog.yxorpdeef
