I am starting to wonder if I have been in the industry of information security for too long now with 30 years under my belt. I am equally wondering if my style and approach to doing the right thing with the application of ethical conduct is misplaced in 2014. Lastly, I am also starting to wonder if I must evolve and change to align with what seems to be a growing industry norm.
First off, even in my early years in the industry, I was offered multiples of what we may refer to here as ‘brown envelopes.’ I never accepted them, while others in key positions at my employer at the time who did were caught and subsequently dismissed.
In 2014, this element of skulduggery again raised its head when I was asked to visit an automobile manufacturer of all-terrain vehicles, with a view to providing the company with security and penetration testing services. Meeting with the CISO, I was invited to the canteen for a discreet discussion where it was suggested that to win this business, there would be a requirement to supply some oil to the wheels – to the tune of 40 percent of the profits handed back in the form of one of those ‘brown envelopes.’
Now, though I was keen to win this business, I was also very much aware that to enter into such a contract was not only dishonourable, but could well impact my personal liberty. Sometime later, I was again invited to attend a meeting with a view to being considered as part of the RFQ process, and here I was again reminded that there was a backdrop of a ‘consideration.’
After that meeting, reflecting on my awareness of this situation, I was left with no alternative but to pull out, notwithstanding that this was a business deal which was looking very lucrative. I guess here, my ethics got in the way of making money.
Again, when it comes to those cumbersome ethics of inter-organisational security actors, there can be a massive conflict of opinion where it may not be considered the right thing to speak out. Here, some organisations in the UK trading space see no problem with exposing their client base and partners to the potentials of cyber-crime and compromise.
For instance, when we look at the current push to deploy smart meters into homes, this has been placed very much on the back shelf when it comes to security, notwithstanding known security issues and vulnerabilities are in play. When it comes to protecting client confidentiality – and their sensitive information in the form of banking details – it would seem that there are no internal worries when they are exposed, as it is only the multiple thousands of employees, contractors and third-parties who have potential access to such sensitive assets.
As if it were not enough to dismiss the ethical code of conduct which should drive us to do the right thing as security professionals, these assets were available for easy download to any form of media one wished to introduce. Be that their own smartphones, a USB key, or a mass 20GB storage device, it mattered not, as all such media were welcome to unfettered access.
All of this was tolerated by the in-post CISO, his security managers and the host of security professionals. Thus, here the ethics were in place, of course, to safeguard the integrity of the organisational reputation by keeping things under wraps, but they disregarded their exposed public, business partners, or the fact they were presenting the governance agencies with a falsified dashboard.
When it comes to the information security industry, we should be going about our business with a level of ethics which is not misguided to such an extent that we are happy to allow insecurity and exposure to be tolerated. If, however, we do, then we are accepting that insecurity is the norm, and by inference accept that its onward impact on the economy, and its populace, is okay.
If we are to believe that such an approach is sustainable and abides by the codes of organisations such as the ISSA and ISACA, then maybe we need to think again. If we as professionals are to engage in such dishonest activities which seek to exploit those who are employing us, then we are no better than the rest – should such a person also be considered a criminal?
So, I started this conversation wondering if my own approach to security, along with the application of ethics is correct in 2014. While this may not be in ‘fashion’ or may not be held in high esteem by some, I stand by the fact that these qualities are part of what being a security professional stands for in 2014—and they are thus essential to the survival of our digital economy.
About the Author: John Walker is a Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), CTO and Company Director of CSIRT, Cyber Forensics at Cytelligence Ltd., Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, and is a Certified Forensic Investigation Professional.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.