What Do You Do When No One Is Watching?
The Internal and External Struggles of Ethics and the CISSP Credential
As Old As Mythology
All students of information security have heard of the Caesar cipher and the Spartan Scytale. These early encryption methods demonstrate the craftiness of the human mind. Encryption has evolved and become more sophisticated. Encryption has been instrumental in the advancement of society. Can you think of another ancient mental construct of humanity that has remained static, yet is no less important to the functioning of society? Let’s consider the topic of ethics.
The concept of ethics has existed since ancient times, and the subject is still applicable today, in all areas of life, and is codified as a requirement in many professions, such as the medical, legal, and financial professions. Information security also has a code of ethics, and adhering to that code can be as difficult as in any other area of life.
A simple definition of ethics can be stated as: Doing what is right even when no one is watching.
It is easy to think that ethics only applies to interpersonal interactions. After all, ethics usually involves how a person treats others. In the context of information security, ethics is just as important without direct human-to-human interaction.
Security is Hard, Ethical Behavior is Harder
Information security has often been compared to the old game of “Whac-A-Mole”, with the entire profession in reactive mode, rather than a proactive posture. Ethics, on the other hand, does not suffer the same problem. The static nature of ethics makes it deceptively uninteresting to many, but this is an oversimplification. Similar to information security, one cannot practice ethics 75% of the time and claim full compliance. The difficulty is that since machines are involved, rather than humans, some people do not understand the connection between the two.
Information security professionals have often been challenged with putting systems into production that violate various ethical standards. When one considers the sometimes illicit career trajectory of many information security professionals, this concept is brought into full focus. To some, including legitimate businesses who force a rush to market of unsecured products, there is no perceived ethical breach, as it is only a machine that is in question, not a person directly.
Of course, thanks to recent regulations, particularly those such as the General Data Protection Regulation (GDPR), the Health Information Portability and Accountability Act (HIPAA), and China’s Cybersecurity Act, the ethics of data privacy are no longer a question; they are mandatory.
Sins of Commission, Sins of Omission
While the new regulations have imposed fines for violators, there are still instances where failures to take ethical actions have resulted in penalties. Probably the most salient example of this was seen in the fine levied against the UCLA Health System for not protecting patient data, compounded by the fact that the records of two high-profile patients were viewed by unauthorized people at the facility.
Sometimes, an ethical violation is due to external circumstances, such as the unprotected data. Other times, the ethical violation stems from an internal conflict, such as the knowledge that just because personal data is available, it should not be viewed without proper authorization. The violation in the UCLA instance seems to straddle both sides of that line.
As an information security professional, you will often naturally have access to very sensitive data as a normal part of your job responsibilities. In other cases, you have specialized abilities that enable you to find data that you may be unauthorized to view. This creates serious ethical predicaments. That is why a code of ethics for information security professionals is so important.
The (ISC)² Code of Ethics
Are you studying for the CISSP credential offered by (ISC)²?
One mandatory condition of membership is to attest to the code of ethics.
Not only will the statement of the code precede your exam, but you may also be presented with a few ethical questions as part of the examination process. At first glance, the canons seem fairly simple; however, in practice, one must keep these in mind more often than may be initially anticipated.
The code, as stated at https://www.isc2.org/ethics, reads as follows (abbreviated here):
All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code").
There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.
Code of Ethics Canons
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Of course, sometimes, ethics involves pesky dilemmas that go beyond simply doing the right thing. When one considers the “Trolley Dilemma”, this becomes clear. The trolley dilemma is presented in the following way:
“Picture this: you see a train steaming straight towards five people who are tied to the track. By your side, there's a lever that can divert the speeding train onto another track. However, on this second track, there is one person tied up.
Would you pull the lever and actively kill someone to save the lives of five other people?”
This problem brings the subject to a much deeper discussion. When we think of all the new developments of artificial intelligence, and autonomous vehicles, this depth is required. Fortunately, these considerations are currently being explored, which further demonstrates that ethical concerns are still relevant, even in our modern society. A firm commitment to ethics is as important now as it was to our ancestors.
How The CISSP Credential Can Help You Succeed
Navigating the complexities of ethics can be a difficult task for any information security professional. However, those who hold the CISSP credential have a demonstrated and verified commitment to upholding ethical standards. When an organization needs specialized security abilities, they can rely on those who hold the CISSP designation for a wide breadth of knowledge and experience that is not limited to just information security.
The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles, including those in the following positions: Director of Security, Security Systems Engineer, or Security Analyst.
(ISC)² was the first information security certifying body to meet the requirements of the American National Standards Institute (ANSI) ISO/IEC Standard 17024, and the CISSP certification has met Department of Defense (DoD) Directive 8570.1.
Where can CISSP certification take you as a security professional? Check out the second installment of our new interview series featuring Jerome Leach, cyber officer in the U.S. Coast Guard Cyber Command.
To discover more about CISSP, read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.