> Shannon (Contributor II) posted a new reply in Industry News on 10-22-2018 09:02 PM in the (ISC)² Community :

> Let’s face it --- while CISSPs are bound to hold up the code of ethics,
> they aren’t always enforced to do so by legal organizations, and so their
> boundaries will vary with the environment.

You've probably all heard the "laws of combat" that float around. My favourite is
"Look unimportant: the enemy may be low on ammunition." As corollary, I
usually point out that one of the best ways not to become a target is not to be
evil. (I suppose I should reword that these days, since Google seems to be
departing from that mantra ...)

> An example: Jack is a CISSP,
> holding an executive position in a business-driven organization that
> offers IT Solutions & Services.

The biggest cause of IT problems is IT "solutions."

> Should Jack want to veto or implement any
> major process, the final decision falls to a board of directors.

We all know that ethics is definitely "top-down" in any enterprise. If you are
fighting senior management on ethical issues, it is time to quit. "Grassroots"
ethical change just does not seem to work (although there have been some isolated
cases recently that might give one hope).

>     Before you ask to what level I
> stand up for ethics in my organization, let me tell you that it's in
> KSA...

I rest my case ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I don't yet have a solution, but I have a new name for the
problem. - Ross A. Leo, CISSPforum, 20050712
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Google didn't fully retire that slogan, they simply dropped the 'don't', as it was considered too negative...*

 

For senior leadership fights on ethics one can look at the debacle in Yahoo:

 

https://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html

 

https://www.theguardian.com/technology/2017/mar/02/yahoo-boss-marissa-meyer-loses-millions-in-bonuse...

 

https://nypost.com/2017/11/08/marissa-mayer-testimony-i-dont-know-how-yahoo-hack-happened/

 

https://www.theguardian.com/books/2015/jan/05/marissa-mayer-and-fight-to-save-yahoo-review

 

https://www.bloomberg.com/features/2016-marissa-mayer-interview-issue/

 

https://www.ballardspahr.com/alertspublications/articles/2018-05-11-yahoo-data-breach.aspx

 

https://www.theregister.co.uk/2018/04/24/yahoo_fined_35m/

 

I realize that a lot of linkspam... so my take on it as a TL;DR is that the leadership was bent out of shape and didn't feel the Solyent Green required it's information to be protected, at least not having actual money spent on it. It's telling on a few fronts that a CEO would publicly signal that 130 hour work weeks are possible and can be managed (yes they are, they are not good and an ethical CEO probably wouldn't put the idea out there) , and frankly it will distort your moral compass, and you might start hallucinating), the head of legal took the fall for it and all that happened to the CEO was lost compensation, I do wonder if we will see more accountability in the world of GDPR and the FTC sharpening it's claws.

 

 

* I realize I may have used this line before, but jokes should be considered consumer durable for as long as you can get away with it due to ethical concerns about the heavy environmental impact of joke creation...