Collaboration post made with the great Edy Gtz.

Imagine you’re a super awesome hacker who can access any network, bank account, database and security system in the world. You have so much power in your hands and you can do anything you want with it. What would you do? Let’s just say you’re the Robin Hood kind of guy: you take from the rich and powerful and give to the poor and weak. You take money from the bank accounts of celebrities and big companies and give it to poor countries or communities that have nothing to eat. You also disclose all of the secret information of all the governments to the public because transparency and freedom of information, right?

You are the savior of the people, the vox populi, the hero, the nightmare of evil… or so you thought. But the money you gave to the poor was not used for food but for drugs, and the information you disclosed was used by terrorist organizations to make a more organized attack, or you just started World War III. You’re not looking so good now, aren’t cha? Or maybe you’re just the Tyler Durden kind of guy and you go straight to WW3 without the poor people part. Are your actions good, bad, or maybe both, just to be safe?

Ok, maybe we went a little bit too far with this example, so let’s use a real-life one because we know you love them. You’re the chief of IT security within an organization. Your job is to make sure that unwanted people don’t get in and confidential information doesn’t go out, and you can do anything to achieve this (within the legal boundaries). The easiest way to keep information from going out is to spy on workers’ emails and key logs. Would you do it, knowing that there are other ways to achieve the same result that may take some extra work? The decision is entirely up to you, and workers know their emails may be spied on, but does consent mean your actions are good? Where do privacy and security meet?

Another example is the case of Edward Snowden disclosing the NSA’s classified information. He is portrayed by some as a hero and by others as a traitor. He gave this information to some American journalists because he thought that the people should know they were being spied on, heavily compromising the security of the people he wanted to inform. Oh, the irony… Were his actions good or bad? I can hear Kantians and utilitarians fighting in the distance.

This blog post raises a lot of questions and not many answers, but it offers many real and hypothetical examples. That is the nature of dealing with ethics. The purpose of ethics (or at least how we see it) is for each individual to answer these questions by themselves.

Every day, security managers need to deal with difficult decisions that may involve strong ethical conflicts. This has created the need for companies to train people in these positions with courses and numerous exams on ethics. The need is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources.

Some recommended practices found in many companies and organisations are these:

  • Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
  • Promote generally accepted information security current best practices and standards;
  • Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
  • Discharge professional responsibilities with diligence and honesty;
  • Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of or is detrimental to employers, the information security profession, or the Association; and
  • Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

It’s a tough job, and no matter how well prepared you are for this profession, there’ll always be situations that require difficult decision making. In the end, the best thing to do is maintain a set of high values and ethics to get the best possible solution.