20% of Security Personnel Have Seen Their Company Cover Up a Breach

How are ethics playing out in information security? A new report has uncovered that 20% of personnel have witnessed a company hide or cover up a breach.

In an AlienVault survey, when asked what course of action is best when a company suffers a breach, a full 9% responded, “if nobody knows, just keep quiet.”

Two thirds of respondents would use a breach as an opportunity to convince the board or their executives to approve additional security budget, whilst a quarter would pay a fine and move on, accepting it as a general part of doing business. A further 6.6% stated they would gladly brag to the media about how their security advice that could have prevented the breach was not listened to.

“This provides an interesting perspective into the mechanics of most organizations,” said Javvad Malik, security advocate at AlienVault. “Despite the raised profile of security, it still takes an incident to obtain budgets and raise security. The inability of security professionals to communicate up the business chain is a well-discussed issue and relying on breaches to raise visibility to the board shows that it is not changing anytime soon.”

Also, the survey found that most believe that the chief information security officer should be ultimately accountable for a breach—if the breach does indeed come to light.

Over half of security professionals utilize hacker forums or associate with black hats to keep abreast of the latest threats and technologies.

In many ways, information security as a profession emerged from the hacking scene, which introduced new activities into the mainstream and subsequently led legal practitioners to create new laws and acts to distinguish which activities are acceptable, the report noted.

“Visiting black hat forums or associating with people engaged in activities that may not always be completely legal depending on where and how this is carried out,” said Malik. “Although some companies and security memberships explicitly forbid such interactions—we found over half of respondents relied on black hat sources to improve their security knowledge.”

The report also examined breach responsibility: a breach at a company often degenerates into a blame game over who should be held accountable.

Over a third of respondents in the survey (38.8%) believe the CISO should be the fall guy in the event of an incident occurring. At around the 25% mark, CEO, CIO and VP of IT were deemed to be equally accountable.

Interestingly, 10% of people believe auditors should be held accountable.

“Most organizations are coming round to the belief that along a long-enough time scale, a security incident or exposure in their product is inevitable,” Malik said. “Therefore, the culture should be one that accepts, fixes and moves along when they do occur. Otherwise security professionals will find themselves under more pressure to cut corners and bend rules in order to keep the show on the road.”

Overall there is clearly work to be done on the ethics front.

“Ethics and values are only meaningful when one can hold onto them at times where they are inconvenient to the individual,” said Malik. “Whilst we believe the information security industry is largely made up of ethical individuals, there is a significant amount of pressure they are subjected to owing to the spotlight they find themselves under every time a breach occurs.”
