I recall engaging into a conversation with a fellow security professional this year on the subject of where the CISO role should reside and to whom they should report. My opponent’s opinion was very much contrary to my own, vocalising the value of the CISO having full alignment with the main board and the company executive.
I, on the other hand, feel they (the CISO) should be far removed from any potential exposure, by implication of conflict of interest.
Here, I have a number of real life examples that I will elaborate upon later where operational security, compliance, and governance of the implicated companies were, at best compromised, and in the worst cases, resulted in culpable acts of criminality.
However, prior to presenting the shady side of operational life, I wish to focus on the landscape subject of the ethical challenges we as a society have encountered up to 2015 – at which point I will then underpin my argument to promote avoidance of any manifestations of osmosis between the membrane of robust and trusted security and that of the commercial aspirations of leadership of the organisation.
In order to achieve the required level of understating, we need first to appreciate the complexities and foibles of the homo sapien. First of all, unlike a robot, we as a biological units are not restricted by predefined logic, and thus in the norm, we enjoy a continuous state of reassessment to underpin our personal wellbeing.
Thus, in the area of self-served-interest of others, I have observed at close hand what I assess to be a realignment of focus of some who were seeking corporate self-survival – here exemplified by two case of two security executives at the potential cost of the organisations they were responsible to secure.
We should also accept that, like it or not, the human race can (and do) suffer from conditions of greed, corruption and culpable decisions that implicate the mass to the advantage of an individual, groups, or the organisation.
As we are all now aware, up to 2015, we have suffered an ever increasing state of adverse revelations originating from well-governed brands and organisations. For example:
- Insider trading
- The fixing of Libor
- The case of FIFA
- Abuse of positions of trust (e.g. The Coop Bank debacle)
- The use and abuse of insider knowledge in the highest house of government in the land, seeking to embarrass and destabilise an elected leader
When I move this conversation back to the importance of the segregated role of the CISO, using the aforementioned cases as a benchmark, I can align the disclosed events to some known occasions where the ethic got lost.
For example, consider the trusted automotive executive who abused their expenses system to the tune of £250,000 in one annual reporting period; the security consultants robbing the public purse by offsetting work against a cost centre number, when in fact no work was actually carried out – and this under the scrutiny of the head of the security practice.
But then moving up the stack toward the CISO position, which in one case, at a time of tension with their executive line management, saw the incumbent CISO actually attached a personal laptop to the corporate LAN, and downloaded sensitive data prior to them walking off site in a fit of tantrum – this really does bring the case of trust/ethic/segregation home to roost.
But then here we are encountering the human condition of the homo sapiens, which has been referred to above, seeking the higher ground of personal survival at any ethical cost. In fact, as amazing as it may seem, even after such untrustworthy acts, the CISO in question was actually allowed back to work upon resolving the said matter of conflict – they were of course very close to the main board, the executive and HR.
At the end of the day, the objective of the security professional must be to secure the enterprise, watch the people, and to avoid the opportunities for complicit engagements – and to ask the question: ‘Who watches the watchers?’
That said, it is worth remembering that, when it comes to human nature every high grade spy who has operated has enjoyed one important element – they enjoyed access to the source level of target materials as they were background checked, and security cleared to do so.
My ultimate conclusions must be that people will always be the weakest link – power corruption, and greed can sometimes overshadow the greater good, and with that knowledge, we need to defend our assets, trust and above all exercise a watchful eye and processes to avoid the contaminant conditions, which can corrupt and tarnish ethics and respectability.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock