Last updated at Mon, 23 May 2022 20:56:11 GMT
Cybersecurity, like many other professions, has a code of ethics and professional conduct that’s expected of its practitioners. We are entrusted with the security and privacy of data, and we must behave ethically to prove to our organizations that we are worthy of doing so. Our guiding principles dictate that we do the right thing.
However, the cybersecurity landscape is not always a level playing field. Even the most ethical and highly technical cybersecurity teams cannot prevent the most determined attackers. At the same time, it’s important that cybersecurity leaders reinforce ethical practices in guarding against data loss.
Decisions, decisions
Ethical decision-making is about making the “right choice” as well as the reasoning behind those choices. Ethical issues are a daily occurrence in cybersecurity. Every organization that stores personal and sensitive data has a responsibility to ensure that ethics are interwoven throughout the company, as I like to say, “from the boardroom to the living room.”
Standards should exist in the organization that describe how to implement processes for ensuring ethical decision-making. In this way, organizations can demonstrate a concerted effort towards ethical decision-making, especially when assessing and accepting risk, or as a result of a data breach investigation.
Prevention
Indeed, prevention of a data breach is better than any possible unauthorized access to that data.
When considering how to strengthen their cybersecurity practices, many organizations struggle with the question of where to begin. In 2020, in addition to a pandemic, businesses across the world had to deal with a tidal wave of malware that featured 81 percent of all cyberattacks financially motivated by ransomware. The results of breach investigations repeatedly reveal a gap in access control (i.e., weak and stolen credentials) or application and system vulnerabilities (i.e., software misconfigurations, patching deficits, etc.), just to name a few.
The recommendation is almost always to strengthen cybersecurity “basics.” In my opinion, however, “basics” can make it sound easy, which it’s not. I prefer to articulate them as foundational components of a cybersecurity practice.
These foundational elements can be found in cybersecurity frameworks such as NIST Special Publication 800-53, which is considered a gold standard in the cybersecurity industry. The list of controls support the development of secure and resilient information systems to maintain confidentiality, integrity, and availability of an organization’s data. In addition, NIST SP 800-53 introduces the concept of baselines as a starting point for developing secure organizational infrastructure, including mobile and cloud computing, insider threats, application security requirements, and supply chain security standards.
The security team cannot do this alone — it requires collaboration, cooperation, and execution across the organization. “Secure from the start” should be an organic component of the organization’s culture, and decision-makers need to support the security team ethically and financially, and foster accountability in order for security to be successful.
Response
While being locked down to ransomware or suffering data loss as the result of a breach is never the intention, it does happen. And, ethics are a key component of the decisions made once an incident comes to light. Having an incident response plan in place and tested prior to an actual incident occurring will naturally guide ethical decision-making and related communications.
As with any other cybersecurity decision, paying ransom should be a risk-based decision. As CISOs, it’s our responsibility to engage with the business leaders and help them arrive at the best decision. We can proactively plan for the risk response so that when the storm is upon us — even in a ransomware crisis — the options are vetted to the best of our ability and there for the choosing. This is how we enable the business securely.
Surely payment can be viewed as empowering the cybercriminals to some degree. That’s why it’s better to invest in the company’s defenses rather than paying a ransomware gang that has no ethics.
