cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Community Champion

Teaching ethics?

Well, we've talked about mispeling ethical principals, and the ethics of protests, but the New York Times has an interesting opinion piece on the need for ethics in technology companies at large.


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
3 Replies
Community Champion

Re: Teaching ethics?

Let’s face it --- while CISSPs are bound to hold up the code of ethics, they aren’t always enforced to do so by legal organizations, and so their boundaries will vary with the environment.


An example: Jack is a CISSP, holding an executive position in a business-driven organization that offers IT Solutions & Services. Should Jack want to veto or implement any major process, the final decision falls to a board of directors. When presenting business cases with a cost-benefit and risk analysis, he has to keep in mind that the directors won't consider morality in place of money.


Assuming he can link his cases to other factors that impact the business --- say, legal implications --- he might get heads to turn; otherwise, no.


If he's too strong an advocate of ethics & it doesn't appeal to the directors, they may decide to let him go, & should this happen, there’s no guarantee he’ll be able to find a new post with equal / higher benefits.


Of course, he’ll probably have better luck if he's employed by (ISC)2 

 

Before you ask to what level I stand up for ethics in my organization, let me tell you that it's in KSA...  Man Wink

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Community Champion

Re: Teaching ethics?

> Shannon (Contributor II) posted a new reply in Industry News on 10-22-2018 09:02 PM in the (ISC)² Community :

> Let’s face it --- while CISSPs are bound to hold up the code of ethics,
> they aren’t always enforced to do so by legal organizations, and so their
> boundaries will vary with the environment.

You've probably all heard the "laws of combat" that float around. My favourite is
"Look unimportant: the enemy may be low on ammunition." As corollary, I
usually point out that one of the best ways not to become a target is not to be
evil. (I suppose I should reword that these days, since Google seems to be
departing from that mantra ...)

> An example: Jack is a CISSP,
> holding an executive position in a business-driven organization that
> offers IT Solutions & Services.

The biggest cause of IT problems is IT "solutions."

> Should Jack want to veto or implement any
> major process, the final decision falls to a board of directors.

We all know that ethics is definitely "top-down" in any enterprise. If you are
fighting senior management on ethical issues, it is time to quit. "Grassroots"
ethical change just does not seem to work (although there have been some isolated
cases recently that might give one hope).

>     Before you ask to what level I
> stand up for ethics in my organization, let me tell you that it's in
> KSA...

I rest my case ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I don't yet have a solution, but I have a new name for the
problem. - Ross A. Leo, CISSPforum, 20050712
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Community Champion

Re: Teaching ethics?

Google didn't fully retire that slogan, they simply dropped the 'don't', as it was considered too negative...*

 

For senior leadership fights on ethics one can look at the debacle in Yahoo:

 

https://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html

 

https://www.theguardian.com/technology/2017/mar/02/yahoo-boss-marissa-meyer-loses-millions-in-bonuse...

 

https://nypost.com/2017/11/08/marissa-mayer-testimony-i-dont-know-how-yahoo-hack-happened/

 

https://www.theguardian.com/books/2015/jan/05/marissa-mayer-and-fight-to-save-yahoo-review

 

https://www.bloomberg.com/features/2016-marissa-mayer-interview-issue/

 

https://www.ballardspahr.com/alertspublications/articles/2018-05-11-yahoo-data-breach.aspx

 

https://www.theregister.co.uk/2018/04/24/yahoo_fined_35m/

 

I realize that a lot of linkspam... so my take on it as a TL;DR is that the leadership was bent out of shape and didn't feel the Solyent Green required it's information to be protected, at least not having actual money spent on it. It's telling on a few fronts that a CEO would publicly signal that 130 hour work weeks are possible and can be managed (yes they are, they are not good and an ethical CEO probably wouldn't put the idea out there) , and frankly it will distort your moral compass, and you might start hallucinating), the head of legal took the fall for it and all that happened to the CEO was lost compensation, I do wonder if we will see more accountability in the world of GDPR and the FTC sharpening it's claws.

 

 

* I realize I may have used this line before, but jokes should be considered consumer durable for as long as you can get away with it due to ethical concerns about the heavy environmental impact of joke creation...