Corporate Social Responsibility: The Ethics of Managing Information Risk
Be the change you wish to see in the world.
In the past year or so, we have passed a major inflection point; it has become clear that almost every powered device will compute, communicate, and have an IP address. As technology becomes embedded into the fabric of our lives, exploits that take advantage of technology vulnerabilities may increasingly impact the well-being of almost everyone in society. This makes it particularly important that we apply the right ethical values to shape the way we design, develop, and implement these technologies.
The past few years have seen an escalating cycle of risk, with correspondingly greater impacts for businesses and individuals. If that trajectory continues as technology becomes more pervasive, the implications for society could be catastrophic. This means we should all, as security professionals, contemplate our ethical responsibilities not only to the organizations we work for, the customers we serve, and the company’s shareholders, but also to society. To put it another way, I believe that information security and privacy are issues of corporate social responsibility.
Yet even as it becomes more important to consistently apply an ethical approach to managing information risk, business demands and other challenges can make it increasingly difficult to do so. Companies’ continuous efforts to drive growth and accelerate time to market translate into demand for faster implementation of internal systems and new technology-based products. At the same time, implementing effective security and privacy is becoming more difficult due to a more complex threat landscape and the expanding, fragmented regulatory environment.
These factors result in increasing pressure on technology and business professionals to take risky short cuts. In some cases, there may be clear conflicts between business priorities, such as the deadline for launching a new product, and “doing the right thing” in security and privacy terms. There are also many gray areas in which the right course of action is not immediately clear; whether to expend resources on protection against a threat that’s still on the distant horizon, for example. I’ll explore these ethical dilemmas, and offer suggestions about how to find solutions to them, later in this chapter.
What is Corporate Social Responsibility?
Definitions of corporate social responsibility typically focus on the idea that companies look beyond their profits and legal obligations to their broader role in society. A common theme is that a company should take into account the social, ethical, and environmental effects of its activities on its employees and the community around it. Here are three definitions that summarize some of the key concepts:
“The notion of companies looking beyond profits to their role in society is generally termed corporate social responsibility (CSR)… It refers to a company linking itself with ethical values, transparency, employee relations, compliance with legal requirements, and overall respect for the communities in which they operate. It goes beyond the occasional community service action, however, as CSR is a corporate philosophy that drives strategic decision-making, partner selection, hiring practices, and, ultimately, brand development.” (McComb 2002)
“CSR is about businesses and other organizations going beyond the legal obligations to manage the impact they have on the environment and society. In particular, this could include how organizations interact with their employees, suppliers, customers, and the communities in which they operate, as well as the extent they attempt to protect the environment.” (Lea 2002)
“The continuing commitment by business to behave ethically and contribute to economic development while improving the quality of life of the workforce and their families as well as of the local community and society at large.” (World Business Council for Sustainable Development 2007)
The Expanding Scope of Corporate Social Responsibility
Despite the obvious societal implications of security and privacy risks, most companies don’t consider them to be CSR issues today. That may change over time, as public and corporate awareness of the risks continues to expand. Already, some major technology companies include descriptions of how they manage security, privacy, and business continuity in their CSR reports (see sidebar). That trend may spread as companies in other industries add more technology-based products and services.
Consumer data protection is one area of information risk that is already widely treated as a CSR issue; it is even included in the International Standards Organization corporate social responsibility standard (ISO 26000). As Forrester Research analyst Heidi Shey put it, “It’s time to start thinking of protecting customer data as a corporate social responsibility, and not to check off boxes for compliance or a thing that must be done so you can avoid some nasty breach costs” (Shey 2014).
In terms of the potential impact on society, security and privacy could be considered a digital extension of consumer safety, which companies have viewed as a CSR issue for many years. Furthermore, a quick review of the history of CSR shows that its scope has continually evolved and broadened to include new issues, typically as public awareness of those issues has increased. For example, it’s not so long ago that rivers and oceans were used not only as human sewage dumps but also as a convenient method for disposing of industrial waste; as late as 1969, one large river in Ohio was so polluted that it regularly caught fire. Yet today, discussions of environmental impacts are typical in CSR reports, and in the last few years have further evolved into a focus on climate change: in 2015, 82% of the world’s largest companies included data about carbon emissions in their reports (KPMG International 2015).
While early social-responsibility efforts were often philanthropic in nature (such as the funding for public libraries and education provided by Andrew Carnegie, founder of US Steel), corporate social responsibility reporting is now a mainstream business practice worldwide, undertaken by more than 90% of the world’s largest companies.
Technology Companies That Treat Information Risk As CSR
Some large technology companies—including Cisco, Microsoft, and Intel—already position information risk areas such as security, privacy, and business continuity as corporate social responsibility items, and discuss them in their CSR reports. While the reports devote space to the companies’ achievements, they also describe corporate positions and principles on key issues such as data protection and transparency. Cisco’s 2015 CSR report, for example, notes the company’s commitment to produce a twice-yearly transparency report that includes data requests or demands for customer data received from law enforcement and national security agencies around the world (Cisco 2015).
Apple CEO Tim Cook has also spoken out about his company’s commitment to privacy and security, particularly when protecting user data. In a letter published on the company’s web site, he said: “We don’t ‘monetize’ the information you store on your iPhone or in iCloud. And we don’t read your e-mail or your messages to get information to market to you.” Cook has argued vociferously that government should not have “back door” access to systems in order to thwart terrorism. “The reality is if you put a back door in, that back door’s for everybody, for good guys and bad guys,” he said on CBS’ 60 Minutes (Rose 2015). “I don’t believe that the tradeoff here is privacy versus national security. I think that’s an overly simplistic view.... We should have both.”
The Evolution of Technology and Its Impact
To continue the exploration of why I believe security and privacy are a matter of corporate social responsibility, here’s another quick historical perspective, this time examining the emergence of information risk in the context of technology’s evolution.
The March of Technology
Version 1.0: 1760s, steam and coal
Version 2.0: 1860s, oil and gas
Version 3.0: 1990s, the Internet and smart “things,” molecular biology and genetic engineering, and renewable energy
The third wave began in the 1960s, with early computers, but only really gained momentum in the 1990s. It includes the Internet and smart “things,” molecular biology and genetic engineering, and renewable energy. Arguably, this technology wave may have the broadest impact on society of any to date. Each previous wave lasted about 100 years, so history suggests that we are far from reaching the crest. If this wave were a movie, we’d still be watching the opening credits.
If the opportunities presented by this third wave of technology are unparalleled, so are the risks to society. As I’ve argued in earlier chapters, as technology has spread exponentially, so have the threats and their impacts, while security controls have progressed at a more linear, incremental rate. As a result, there’s a continually growing gap between the capabilities of the controls and the impact of exploits. If the impact of security breaches seems big now, consider what the impact will be in 10, 20, or 50 years, when technology is even more pervasive throughout society.
Let’s consider some of the potential impacts by reiterating two examples from Chapter 6. Last year, doctors for the first time inserted an artificial “eye” that enabled a blind person to see. The device is a retinal implant that receives signals from a video camera integrated into eyeglasses. Think ahead a few years, to a time when the implants are more sophisticated and can see in much higher resolution, and also include software to automatically interpret visual information, such as QR codes. Then imagine that a malicious actor creates a QR code that triggers the vision system to download malware. Like the PC malware that paralyzed Sony’s network in 2014, the malware then demands a ransom to re-enable the person’s vision. Now consider the example of a cement company that’s embedding sensors in the concrete mix used to build a new road, thus enabling local authorities to monitor traffic patterns and adjust signals to optimize the flow of vehicles. If the technology is not securely designed and implemented, all that a malicious person needs is the ability to execute malicious code, in order to falsify the traffic pattern in such a way that vehicles converge on the scene of a planned bomb attack.
Here’s an example of a real-life attack that unfortunately has already occurred. Over a four-day period during November 2008, members of an Islamic militant organization carried out a series of 12 coordinated shooting and bombing attacks across Mumbai. The attacks killed 164 people and wounded at least 308. Of the funding that enabled the attack, $2 million was raised by cyber crime (Goodman 2015). Think about how cyber crime works. Typically, the cybercrime cycle starts with stealing someone’s identity by installing malicious code on a device or by taking advantage of insecure behavior. So ask yourself: If I don’t keep my systems up to date, if I don’t design and implement them well, and if I don’t educate employees to ensure they are security-aware, am I indirectly contributing to terrorism? The answer is that you might be—although in most cases, you won’t even know it.
As I discussed in Chapter 6, four motivations account for the majority of serious exploits. Terrorism is one. The others are financial gain, warfare, and hacktivism. Each of these motivations can result in consequences with broad impacts across society: economic damage, loss of services, damage to morale, degradation of government services, and even human casualties.
As all companies become technology companies, the technology they create and deploy may be exposed to exploits with potential impact on society. The same applies, of course, to public-sector organizations. Even though this idea is becoming more widely accepted, I occasionally encounter people who don’t believe it applies to their organization. Recently, as I fielded questions after giving a talk, an audience member commented that she was on the board of a local school and definitely didn’t see the school as a technology organization. “Does your school have a web site that parents and kids can use to view and update information?” I asked. She said yes. Then I asked, “Does your school have an app that lets parents check whether their kids attend class?” No, she said, but the school was considering it. “Let’s imagine you have a web site that’s not well designed, and a malicious person decides to take advantage of that with a zero-day exploit,” I said. “He can compromise the site and the personal information of the parents and children that use it.” I added that if a school takes its technology to the next level by making an app available to parents or kids, it becomes even more clearly a technology supplier—and its security concerns now include product vulnerabilities. By the time I’d finished explaining, the audience member asked me if I could come and explain the issues to her board, which of course I agreed to do.
Here’s another school example, one that highlights the risks of failing to consider all the ethical implications: A Pennsylvania school district issued laptops to some 2,300 students, then remotely activated the laptops’ webcams—without informing the students—and used the webcams to secretly snap students at home, including in their bedrooms. Surveillance software on the laptops also tracked students’ chat logs and the web sites they visited, and then transmitted the data to servers, where school authorities reviewed and shared the information and in at least one case used it to discipline a student. Ultimately, the school district was forced to settle a class-action lawsuit that charged it had infringed on the students’ privacy rights (Bonus 2010).
Maintaining Society’s Trust
The third wave of technology offers opportunities for all organizations. But as the opportunities increase, so does the obligation to use technology responsibly. If we don’t implement appropriate security and privacy protection, consumers won’t trust the technology. If they don’t trust the technology, they will be reluctant to use it. This could potentially affect any company that supplies technology, and impact the growth of the digital economy overall.
Unfortunately, the privacy and security breaches that have hit the headlines in recent years have weakened that trust. As a result, consumers’ trust in technology sank last year in 70 percent of countries surveyed worldwide, according to the Edelman Trust Barometer, a widely used indicator of trust in business and government. Worse, the rapid implementation of new technologies that are changing everyday life, “from food to fuel to finance,” emerged as a new factor depressing trust overall. “By a two-to-one margin, respondents in all nations feel the new developments in business are going too fast and there is not adequate testing,” the study concluded (Edelman 2015).
Top US regulators have urged companies to expand and clarify their privacy efforts. Federal Communications Commission chairman Tom Wheeler said Internet service providers have a responsibility to make sure personal data is held securely and that companies are transparent about the data that’s being captured. “There's no question that with connected devices, data is becoming today's currency, and we need to be aware of the impact of that on consumers,” added Federal Trade Commission Chairwoman Edith Ramirez, noting a recent Pew Research Center survey found that 47% of Americans lacked confidence that they understand what companies will do with their personal information, and had mixed feelings about whether or not to share it (Hamblen 2016). The weakening of trust is a dangerous trend. Breaking someone’s trust is like crumpling up a perfect piece of paper: you can work to smooth it over, but it will never be the same again.
All organizations inevitably experience security and privacy issues. The question is how we respond to them. We can manage them in a way that focuses on limiting our liability, or we can focus on doing the right thing for those who may be impacted. I recently participated in a peer group discussion that evolved into an intense debate on this very issue. The discussion was prompted by the major breaches that occurred in 2014 and 2015; as a group, we discussed how we might jointly develop the concept of a “minimum standard of care” for security and privacy. Some people wanted to focus on limiting corporate liability for a breach. I believed that was the wrong goal, and argued that the primary focus should be on protecting our customers. My reasoning was that if we protected our customers, we would limit our liability as a natural consequence. But if we focused only on limiting liability, we would likely fail to take the necessary steps to protect our customers. Furthermore, I believed that the lens we chose to view the problem through would bias strategy and outcomes over the long term. A liability-focused standard would inevitably cause us to direct our efforts into seeking ways to limit our responsibility for the technology we create and manage. But if the standard focused on protecting the people who might be impacted, we would direct our efforts to thinking about how best to prevent, detect, and respond to risks.
The Ethics of Managing Information Risk
Some professions, such as certified public accountants and doctors, have ethical standards that may require them in some cases to break ranks with their organizations, such as if they see signs of illegal activities or financial manipulation. We expect doctors to be personally accountable for decisions that affect the lives of their patients, rather than simply deflecting responsibility for health decisions onto someone else within the organization. If CPAs or doctors fail to meet these professional and ethical standards, they may lose their ability to practice.
Although there are many professional certifications for security and privacy professionals, there’s currently no equivalent to these medical or legal qualifications. Security and privacy managers are not automatically barred from practicing their trade if they fail to meet professional standards. However, we should all assume a similar level of personal accountability for our decisions—especially since our actions may have broader implications for society. Regrettably, not all of us do. Some security and privacy managers see their role as simply managing a risk register: they identify the risks, and perform the analysis and associated cost estimates, but then they take the register to other executives who then make the decisions. By doing so, they are abdicating responsibility and deflecting accountability onto someone else.
As the senior security and privacy professionals within their organizations, CSPOs should share responsibility for information risk decisions equally with the other corporate executives and the board. People are often told that they need to “think like an owner”; we need to act like an owner too. And ultimately, we need to think about our responsibility to all the people we work for—including customers and anyone else in society impacted by our actions—as well as our responsibility to the executives we report to. If you don’t think your manager is right, think hard about the possible consequences of not speaking out and where your responsibility ultimately lies.
The recent events at automakers have shown all too clearly what can happen when corporate culture produces a system in which professionals are driven to behave unethically in order to meet business goals, or fail to take responsibility for their actions, while senior executives apparently remain ignorant. In the Volkswagen emissions-testing scandal, engineers included software specifically to deceive test equipment so that cars could meet the emissions targets required for sale in the US. An investigation into General Motors ignition-switch problems that caused at least 13 deaths described the “GM Salute,” in which employees sat in meetings, with their arms folded and pointing outward at others, as if to say that the responsibility lay with those other people, not with the employees (Maynard 2014). At both automakers, top executives said they were unaware of the actions of the lower-ranking employees who were directly involved in the issues.
In our daily lives, we encounter many situations in which we need not only to decide on the right course of action, but also to take responsibility for voicing our opinions so that they are considered by the company as a whole. Suppose that a business manager is proposing an action that’s legal but conflicts with our security values and approach to protecting customers’ information. Or imagine that implementing the right level of protection risks the target dates for a critical product launch. Or that failing to tell customers or suppliers about a potential vulnerability becomes the equivalent of a lie.
In the book Giving Voice to Values, author and educator Mary Gentile discusses the ethical dilemmas that many people face in businesses today. Her assumption, as she observes in the book, is that “in many if not most of the managerial and financial misbehaviors we have seen in the past, there were enough people who recognized the lapses in ethics and judgment to have stopped them. The problem was that they did not believe it was possible to do so.” Gentile then focuses on providing techniques to help people voice their concerns and take action at “those times and situations when we believe we know what is right and want to do it, but we experience external pressures—from our boss, our colleagues, our customers—to do otherwise. As a result, we are not sure how to raise our concerns.”
Disclosing Security Issues: A Tale of Two Companies
Questions about how to deal with the discovery and disclosure of security issues are likely to generate difficult ethical discussions for many companies. The following examples show how two companies dealt with security issues in very different ways.
In December 2015, networking vendor Juniper Networks disclosed that an internal code review had discovered “unauthorized code” in its firewall operating system that could allow hackers to gain administrative access and decrypt encrypted VPN traffic. The company said it had not received any reports of exploits using the vulnerability; it said it had released patches to fix the problem and urged customers to update their systems (Worrall 2015). This is a case in which a company appears to have managed a difficult issue well, in my opinion. It highlights the tough questions and discussions that companies face when managing potential security issues. How deeply do you test and review your code, knowing that the deeper you dig the more likely you are to find vulnerabilities? If you do find a problem, how do you handle it? Do you disclose it, quietly fix it, or even ignore it? Does your company have the right value structure to ensure that decisions reflect its responsibilities to customers and to society?
Now consider a contrasting example. In 2015, a vendor of dental practice-management software agreed to pay $250,000 to settle US Federal Trade Commission (FTC) charges that it falsely advertised the level of encryption it provided to protect patient data (Federal Trade Commission 2016). According to the FTC, the company spent two years touting its “encryption capabilities” for protecting patient information and meeting “data protection regulations”—yet at the time, it was well aware that its software didn’t provide the encryption required by HIPAA. It seems clear that a company that makes deceptive claims of this kind lacks a value structure capable of ensuring ethical security and privacy decisions.
The challenges described in Giving Voice to Values probably seem familiar to many of us who are responsible for managing information risk (see sidebar article). First, how do we decide what is the ethical course of action? Then, how do we take action by voicing our opinions when it really matters?
One starting point is to define the organization’s critical security and privacy principles, which then can serve to guide our decisions. These principles should be derived from the organization’s corporate values. For example, a company that prioritizes customer service should also be committed to protecting customer information, and therefore its critical principles should include privacy by design.
We then need to think about how to focus the company on those principles: how we create the right language to express the principles to others, and how we enroll our organizations in principle-based decision making. We need to make security and privacy clearly visible in the decision-making process, not just within the information security organization but across the entire organization. That sends a message to everyone, including customers as well as people within the organization, that security and privacy are corporate priorities. By demonstrating our commitment to these principles, we can create trust in our organization and its technology.
Sense: Are changes on the way that could conflict with our security and privacy principles? What is the dilemma that we will face?
Interpret: Analyze the issue to determine the following: Can I make this decision? Which of our principles can guide my decision? Who do I need to talk to? What actions can I take, and what are the direct and indirect consequences of each?
Act: Will my action align with the organization’s best interests? What about the interests of our customers, and of society in general? Will my action or lack of action create embarrassment for the company? Is my action practical? Who should I tell?
As we progress through the third wave of technology, and our reliance on technology expands even further, so does the potential societal impact of security and privacy issues. Our professional and ethical responsibilities require that we hold ourselves accountable for doing what we know is right. This is true today, and will be even more so in the future. This means that we will have to take career risks to make sure that security and privacy are appropriately handled within the organization, including ensuring that issues are discussed at board level. I’ll discuss how to do this in more detail in the next chapter on the 21st Century CISO.