CRESTCon & IISP Congress 2016: What Role Do Ethics Play in Security?

“It’s not just about doing the right thing; it’s just as much not doing the wrong thing.”

These were the words of Toby Stevens, Director of Enterprise Privacy Group, speaking at the CRESTCon & IISP Congress 2016 in London this week, where he discussed the role that ethics play in privacy and explored why it is important for security professionals to act and work ‘ethically’.

“In the past we [IT security pros] were rarely asked to make ethical decisions, so it was pretty straightforward, certainly when I got into the IT security profession around 25 years ago,” Stevens said. “Ethics weren’t generally seen as a major issue.”

However, he said that today, any “entity, be it government or a company, that perceives a security threat and has unfettered power” to act upon it must have its own ethical framework.

“This is what we have to look out for – it’s this bit that matters, we need an ethical framework and I believe it’s our duty to create that.”

After all, “Anything we build, any capability we give ourselves, in the wrong hands, can actually prop up a database state and be used against the systems.”

Stevens explained that defining what is considered ethical, especially in relation to information security, can be an intricate dilemma. Despite this, he argued it is imperative that security professionals tackle the issue head on, not only by implementing clear sets of ethical codes that are visible for all to see and understand, but also by constantly asking what is right and wrong with regard to the best interests of customers and the wider community.

“It is extraordinarily complex, for ethics to work they have to be transparent so that everyone knows what code we are following,” he said. “They have to be largely immutable – you can’t change them according to every situation. They’ve got to be predictable so that everyone knows the common outcome – that’s how you build trust, if everyone knows what’s going to happen and what the outcome will be.”

“Unless we have these codified and embedded and recognized we will always as individuals get it wrong, even when we believe we’re doing the right thing.”

To draw attention to the day-to-day ethical quandaries that businesses often face, Stevens questioned, for example, whether it is ethical for a company to view the loss of customer data simply as “bad publicity” that will result in a fine.

“If I lose the data of 50 of you, including your bank details, biometrics etc. and I say ‘That’s alright, I probably won’t get fined for that, I’d consider that to be low-risk for my organization’ is that ethically sound? Have I done a good thing?”

“It’s the ‘needs of the many; needs of the few’, how do we balance that in the handling of personal data?”

Stevens argued that if security professionals choose to share their learning, to manage risk and to prevent incidents rather than just applying controls, it is very important to respect the privacy of others and to remember whose data it really is.

He added that “We have to remember that we are working for society and people, not just our employers, and to ensure that at the end of the day we are respected by society for what we do,” citing these as good starting points for working with a good ethical code.

As his presentation drew to a close, Stevens was asked whether security professionals, who are responsible for implementing regulations and controls, are the right ones to be considering ethics. In response Stevens said:

“We do have to do it. We are party to traffic, we are party to controls, we are party to requests from our employers. I think there are moments when we have to say ‘no, that’s inappropriate and we should not have to do that’, or if you do want us to do it, it has to be done transparently so that everyone understands that we don’t like what we’re being asked to do.”

The same questioner commented that security specialists juggling both ethical decisions and enforcing controls seems a little ‘Judge and Jury’, to which Stevens replied “No, I agree, and Judge and Jury can either get it very right or very wrong – I hope that with a framework we can make it go the right way.”