Corporate Social Responsibility: The Ethics of Managing Information Risk

Despite the obvious societal implications of security and privacy risks, most companies don’t consider them to be CSR issues today. That may change over time, as public and corporate awareness of the risks continues to expand. Already, some major technology companies include descriptions of how they manage security, privacy, and business continuity in their CSR reports (see sidebar). That trend may spread as companies in other industries add more technology-based products and services.

Consumer data protection is one area of information risk that is already widely treated as a CSR issue; it is even included in the International Standards Organization corporate social responsibility standard (ISO 26000). As Forrester Research analyst Heidi Shey put it, “It’s time to start thinking of protecting customer data as a corporate social responsibility, and not to check off boxes for compliance or a thing that must be done so you can avoid some nasty breach costs.” (Shey 2014).

In terms of the potential impact on society, security and privacy could be considered a digital extension of consumer safety, which companies have viewed as a CSR issue for many years. Furthermore, a quick review of the history of CSR shows that its scope has continually evolved and broadened to include new issues, typically as public awareness of those issues has increased. For example, it’s not so long ago that rivers and oceans were used not only as human sewage dumps but also as a convenient method for disposing of industrial waste; as late as 1969, one large river in Ohio was so polluted that it regularly caught fire. Yet today, discussions of environmental impacts are typical in CSR reports, and in the last few years have further evolved into a focus on climate change: in 2015, 82% of the world’s largest companies included data about carbon emissions in their reports (KPMG International 2015).

While early social-responsibility efforts were often philanthropic in nature (such as the funding for public libraries and education provided by Andrew Carnegie, founder of US Steel), corporate social responsibility reporting is now a mainstream business practice worldwide, undertaken by more than 90% of the world’s largest companies.

To continue the exploration of why I believe security and privacy is a matter of corporate social responsibility, here’s another quick historical perspective, this time examining the emergence of information risk in the context of technology’s evolution .

The third wave began in the 1960s, with early computers, but only really gained momentum in the 1990s. It includes the Internet and smart “things,” molecular biology and genetic engineering, and renewable energy. Arguably, this technology wave may have the broadest impact on society of any to date. Each previous wave lasted about 100 years, so history suggests that we are far from reaching the crest. If this wave was a movie, we’d still be watching the opening credits.

If the opportunities presented by this third wave of technology are unparalleled, so are the risks to society. As I’ve argued in earlier chapters, as technology has spread exponentially, so have the threats and their impacts, while security controls have progressed at a more linear, incremental rate. As a result, there’s a continually growing gap between the capabilities of the controls and the impact of exploits. If the impact of security breaches seems big now, consider what the impact will be in 10, 20, or 50 years, when technology is even more pervasive throughout society.

Let’s consider some of the potential impacts by reiterating two examples from Chapter  6. Last year, doctors for the first time inserted an artificial “eye” that enabled a blind person to see. The device is a retinal implant that receives signals from a video camera integrated into eyeglasses. Think ahead a few years, to a time when the implants are more sophisticated and can see in much higher resolution, and also include software to automatically interpret visual information, such as QR codes. Then imagine that a malicious actor creates a QR code that triggers the vision system to download malware. Like the PC malware that paralyzed Sony’s network in 2014, the malware then demands a ransom to re-enable the person’s vision. Now consider the example of a cement company that’s embedding sensors in the concrete mix used to build a new road, thus enabling local authorities to monitor traffic patterns and adjust signals to optimize the flow of vehicles. If the technology is not securely designed and implemented, all that a malicious person needs is the ability to execute malicious code, in order to falsify the traffic pattern in such a way that vehicles converge on the scene of a planned bomb attack.

Here’s example of a real-life attack that unfortunately has already occurred. Over a four-day period during November 2008, members of an Islamic militant organization carried out a series of 12 coordinated shooting and bombing attacks across Mumbai. The attacks killed 164 people and wounded at least 308. Of the funding that enabled the attack, $2 million was raised by cyber crime (Goodman 2015). Think about how cyber crime works. Typically, the cybercrime cycle starts with stealing someone’s identity by installing malicious code on a device or by taking advantage of insecure behavior. So ask yourself: If I don’t keep my systems up to date, if I don’t design and implement them well, and educate employees to ensure they are security-aware, am I indirectly contributing to terrorism? The answer is that you might be—although in most cases, you won’t even know it.

As I discussed in Chapter  6, four motivations account for the majority of serious exploits. Terrorism is one. The others are financial gain, warfare, and hacktivism. Each of these motivations can result in consequences with broad impacts across society: economic damage, loss of services, damage to morale, degradation of government services, and even human casualties.

As all companies become technology companies, the technology they create and deploy may be exposed to exploits with potential impact on society. The same applies, of course, to public-sector organizations . Even though this idea is becoming more widely accepted, I occasionally encounter people who don’t believe it applies to their organization. Recently, as I fielded questions after giving a talk, an audience member commented that she was on the board of a local school and definitely didn’t see the school as a technology organization. “Does your school have a web site that parents and kids can use to view and update information?” I asked. She said yes. Then I asked “Does your school have an app that lets parents check whether their kids attend class?” No, she said, but the school was considering it. “Let’s imagine you have a web site that’s not well designed, and a malicious person decides to take advantage of that with a zero-day exploit,” I said. “He can compromise the site and the personal information of the parents and children that use it.” I added that if a school takes its technology to the next level by making an app available to parents or kids, it becomes even more clearly a technology supplier—and its security concerns now include product vulnerabilities. By the time I’d finished explaining, the audience member asked me if I could come and explain the issues to her board, which of course I agreed to do.

Here’s another school example, one that highlights the risks of failing to consider all the ethical implications : A Pennsylvania school district issued laptops to some 2,300 students, then remotely activated the laptops’ webcams—without informing the students—and used the webcams to secretly snap students at home, including in their bedrooms. Surveillance software on the laptops also tracked students’ chat logs and the web sites they visited, and then transmitted the data to servers, where school authorities reviewed and shared the information and in at least one case used it to discipline a student. Ultimately, the school district was forced to settle a class-action lawsuit that charged it had infringed on the students’ privacy rights (Bonus 2010).

The third wave of technology offers opportunities for all organizations. But as the opportunities increase, so does the obligation to use technology responsibly. If we don’t implement appropriate security and privacy protection, consumers won’t trust the technology. If they don’t trust the technology, they will be reluctant to use it. This could potentially affect any company that supplies technology, and impact the growth of the digital economy overall.

Unfortunately, the privacy and security breaches that have hit the headlines in recent years have weakened that trust. As a result, consumers’ trust in technology sank last year in 70 percent of countries surveyed worldwide, according to the Edelman Trust Barometer, a widely used indicator of trust in business and government. Worse, the rapid implementation of new technologies that are changing everyday life, “from food to fuel to finance,” emerged as a new factor depressing trust overall. “By a two-to-one margin, respondents in all nations feel the new developments in business are going too fast and there is not adequate testing,” the study concluded (Edelman 2015).

Top US regulators have urged companies to expand and clarify their privacy efforts. Federal Communications Commission chairman Tom Wheeler said Internet service providers have a responsibility to make sure personal data is held securely and that companies are transparent about the data that’s being captured. “There's no question that with connected devices, data is becoming today's currency, and we need to be aware of the impact of that on consumers,” added Federal Trade Commission Chairwoman Edith Ramirez, noting a recent Pew Research Center survey found that 47% of Americans lacked confidence that they understand what companies will do with their personal information, and had mixed feelings about whether or not to share it (Hamblen 2016). The weakening of trust is a dangerous trend. Breaking someone’s trust is like crumpling up a perfect piece of paper: you can work to smooth it over, but it will never be the same again.

All organizations inevitably experience security and privacy issues. The question is how we respond to them. We can manage them in way that focuses on limiting our liability, or we can focus on doing the right thing for those who may be impacted. I recently participated in a peer group discussion that evolved into an intense debate on this very issue. The discussion was prompted by the major breaches that occurred in 2014 and 2015; as a group, we discussed how we might jointly develop the concept of a “minimum standard of care” for security and privacy. Some people wanted to focus on limiting corporate liability for a breach. I believed that was the wrong goal, and argued that the primary focus should be on protecting our customers. My reasoning was that if we protected our customers, we would limit our liability as a natural consequence. But if we focused only on limiting liability, we would likely fail to take the necessary steps to protect our customers. Furthermore, I believed that the lens we chose to view the problem with would bias strategy and outcomes over the long term. A liability-focused standard would inevitably cause us to direct our efforts into seeking ways to limit our responsibility for the technology we create and manage. But if the standard focused on protecting the people who might be impacted, we would direct our efforts to thinking about how best to prevent, detect, and respond to risks.

Some professions, such as certified public accountants and doctors, have ethical standards that may require them in some cases to break ranks with their organizations, such as if they see signs of illegal activities or financial manipulation. We expect doctors to be personally accountable for decisions that affect the lives of their patients, rather than simply deflecting responsibility for health decisions onto someone else within the organization. If CPAs or doctors fail to meet these professional and ethical standards , they may lose their ability to practice.

Although there are many professional certifications for security and privacy professionals, there’s currently no equivalent to these medical or legal qualifications. Security and privacy managers are not automatically barred from practicing their trade if they fail to meet professional standards. However, we should all assume a similar level of personal accountability for our decisions—especially since our actions may have broader implications for society. Regrettably, not all of us do. Some security and privacy managers see their role as simply managing a risk register: they identify the risks, and perform the analysis and associated cost estimates, but then they take the register to other executives who then make the decisions. By doing so, they are abdicating responsibility and deflecting accountability onto someone else.

As the senior security and privacy professional within the organization, CSPOs should share responsibility for information risk decisions equally with the other corporate executives and the board. People are often told that they need to “think like an owner;” we need to act like an owner too. And ultimately, we need to think about our responsibility to all the people we work for—including customers and anyone else in society impacted by our actions—as well as our responsibility to the executives we report to. If you don’t think your manager is right, think hard about the possible consequences of not speaking out and where your responsibility ultimately lies.

The recent events at automakers have shown all too clearly what can happen when corporate culture produces a system in which professionals are driven to behave unethically in order to meet business goals, or fail to take responsibility for their actions, while senior executives apparently remain ignorant. In the Volkswagen emissions-testing scandal, engineers included software specifically to deceive test equipment so that cars could meet the emissions targets required for sale in the US. An investigation into General Motors ignition-switch problems that caused at least 13 deaths described the “GM Salute,” in which employees sat in meetings, with their arms folded and pointing outward at others, as if to say that the responsibility lay with those other people, not with the employees (Maynard 2014). At both automakers, top executives said they were unaware of the actions of the lower-ranking employees who were directly involved in the issues.

In our daily lives, we encounter many situations in which we need not only to decide on the right course of action, but also to take responsibility for voicing our opinions so that they are considered by the company as a whole. Suppose that a business manager is proposing an action that’s legal but conflicts with our security values and approach to protecting customers’ information. Or imagine that implementing the right level of protection risks the target dates for a critical product launch. Or that failing to tell customers or suppliers about a potential vulnerability becomes the equivalent of a lie.

In the book Giving Voice to Values, author and educator Mary Gentile discusses the ethical dilemmas that many people face in businesses today. Her assumption, as she observes in the book, is that “in many if not most of the managerial and financial misbehaviors we have seen in the past, there were enough people who recognized the lapses in ethics and judgment to have stopped them. The problem was that they did not believe it was possible to do so.” Gentile then focuses on providing techniques to help people voice their concerns and take action at “those times and situations when we believe we know what is right and want to do it, but we experience external pressures—from our boss, our colleagues, our customers—to do otherwise. As a result, we are not sure how to raise our concerns.”

The challenges described in Giving Voice to Values probably seem familiar to many of us who are responsible for managing information risk (see sidebar article). First, how do we decide what is the ethical course of action? Then, how do we take action by voicing our opinions when it really matters?

One starting point is to define the organization’s critical security and privacy principles, which then can serve to guide our decisions. These principles should be derived from the organization’s corporate values. For example, a company that prioritizes customer service should also be committed to protecting customer information, and therefore its critical principles should include privacy by design.

We then need to think about how to focus the company on those principles: how we create the right language to express the principles to others, and how we enroll our organizations in principle-based decision making. We need to make security and privacy clearly visible in the decision-making process, not just within the information security organization but across the entire organization. That sends a message to everyone, including customers as well as people within the organization, that security and privacy are corporate priorities. By demonstrating our commitment to these principles, we can create trust in our organization and its technology.

As we progress through the third wave of technology, and our reliance on technology expands even further, so does the potential societal impact of security and privacy issues. Our professional and ethical responsibilities require that we hold ourselves accountable for doing what we know is right. This is true today, and will be even more so in the future. This means that we will have to take career risks to make sure that security and privacy are appropriately handled within the organization, including ensuring that issues are discussed at board level. I’ll discuss how to do this in more detail in the next chapter on the 21st Century CISO.