Published February 26, 2021 • By Reciprocity

Information security is a field that evolves rapidly, in large part due to the speed with which criminals devise new ways to infiltrate your data.

Perhaps it’s little surprise then, that in a realm where security professionals must study and use the same tactics as criminals, ethical principles can sometimes get blurry. Keep reading to learn why ethics is important to infosec, and how you can instill a strong ethical foundation at your company.

What defines ethics in information security?

Ethics can be defined as a moral code by which a person lives. For corporations, ethics can also include the framework you develop for what is or isn’t acceptable behavior within your organization. 

In computer security, cyber-ethics is what separates security personnel from the hackers. It’s the knowledge of right and wrong, and the ability to adhere to ethical principles while on the job. 

Simply put, actions that are technically compliant may not be in the best interest of the customer or the company, and security professionals need to be able to judge these matters accordingly. 

Why is ethics significant to information security?

The data targeted in cyber attacks is often personal and sensitive. Loss of that sensitive data can be potentially devastating for your customers, and it’s crucial that you have the full trust of the individuals you’ve hired to protect it. Cybersecurity professionals have access to the sensitive personal data they were hired to protect. So it’s imperative that employees in these fields have a strong sense of ethics and respect for the privacy of your customers. 

The field of information technology also expands and shifts so frequently that a strong ethical core is necessary to navigate it. It’s important that your staff can determine what’s in the best interest of your customers and the company as a whole. Specific scenarios that your employees might confront can sometimes be impossible to foresee, so a strong ethical core can be the foundation that lets employees act in those best interests even in difficult, unpredictable circumstances.

What are the ethical issues in cybersecurity?

Cybersecurity professionals need to know the same tricks used by their black hat counterparts. This means that a programmer should know how to—and therefore, be able to—copy credit card data, violate intellectual property agreements, steal trade secrets, and infiltrate medical records. The safety of your customers’ data is in their hands, and it’s your responsibility to recruit infosec staff who will not take advantage of their unique position within your company. 

Cybersecurity also has the potential to interrupt your regular business procedures. So-called ethical hacking and protective measures can cause inconveniences for your customers and other employees, and it’s important to schedule cybersecurity efforts in low-traffic periods. Some professionals may prefer to focus on the technical aspects of their job, but providing the service your customers require is as important as maintaining your security system. 

Many companies focus only on the technical abilities of a candidate for hire, but it’s not enough that your staff have knowledge of technology and hacking techniques. They must also demonstrate the ability to maintain their moral standards while processing customer data or handling other grey areas of data management and cybersecurity. 

What are the key principles in computer ethics?

The Association for Computing Machinery (ACM) has created a Code of Ethics and Professional Conduct for those who work in computer systems. This code includes:

1) General Ethical Principles: These ground rules detail honesty, respect for privacy issues and intellectual property rights, and refrain from discrimination and other potential forms of harm. 

2) Professional Responsibilities: This portion of the code refers to a professional’s responsibility to the field by performing the work to the best of his or her ability and maintaining a high level of competence. This category also mentions the increase of public awareness of their work and the ability to accept review when needed. 

3) Professional Leadership Principles: Computer science professionals are asked to work towards the public good, improve working life for their colleagues, and encourage other members of the field to learn and grow. 

These principles are merely suggestions, but they provide a good starting place for discussing ethics within the field. 

Are cybersecurity ethics and infosec ethics the same?

The terms “cybersecurity” and “infosec” have important distinctions, despite so many people using the two terms interchangeably. Infosec encompasses all information security, and includes physical data. Cybersecurity is electronic data only, and therefore is a subset of infosec. 

Cybersecurity professionals traditionally understand the “how” of data protection but not necessarily the “why.” Increasingly, however, these two forces are becoming inseparable. Ethics are crucial to both categories, and the ethical considerations in both areas are often similar. 

What are the risks of bad ethics or lapses in ethics of infosec?

Your reputation depends on customers’ faith in their data’s security. If a member of your infosec team is found to be careless or corrupt and a security breach occurs, your reputation could be severely damaged. This will result in the loss of present and future income and could sow distrust among your board members and investors. 

Depending on your field, these ethical lapses can also result in fines and other financial penalties. Banking and healthcare are particularly vulnerable, so be sure to know what is at stake and emphasize the importance of ethics to your staff. 

How can I train my CISO and employees to be ethical?

  • Personal codes of ethics can vary wildly from person to person, and no two staff members will have identical opinions on what constitutes bad behavior. Hence organizations need to define the ethical behavior they expect from employees, and hire only those people who are able to uphold those core moral standards. This especially true for your Chief Information Security Officer, who will need to provide ethical leadership to the rest of his or her team. 
  • Drafting a code of conduct for your employees can greatly aid in instilling ethics in your company. Regular training sessions and company meetings can also help foster a strong sense of ethics, and also a strong sense of community amongst your employees. 
  • Some associations attempt to standardize the ethical aspects of cybersecurity. Organizations like ISSA and SANS provide ethical accreditations for computer ethics, but while these programs can help, they are not recognized throughout all industries. Staff members who have taken these courses should still be vetted before they are hired. 

How can I imbue my organization’s culture with ethics?

  • Company ethics begin at the top. C-suite employees and board members need to model ethical behavior. By setting this example, your high-level employees can assure that staff members in all departments know what is expected of them. 
  • The penalties for moral breaches should be made known throughout your company, and enforced when ethical issues arise. 
  • A policy of openness and honesty with your investors and customers is also important. If something goes wrong—and sooner or later, something will—your organization should let affected parties know immediately along with a detailed plan for mitigating the effects and assuring it does not happen again. 

Supporting company ethics can be difficult when you’re drowning in spreadsheets. ZenGRC can help streamline your compliance efforts and free up more time to make sure your company is running smoothly. Schedule a demo today to learn how ZenGRC can help your organization develop a GRC solution that works for you.