Information Security ... and Ethics
Prime example: The case of former State of Pennsylvania Chief Information Security Officer Robert Maley, who was recently fired after his appearance at RSA Conference 2010. His misdeed: He spoke without authorization about a recent Pennsylvania security incident.
Maley's only intention was to educate fellow professionals about adopting best practices to safeguard against such attacks. But he had been discouraged from speaking about this specific incident; like most security leaders, he was expected to take the safe approach and discuss mere concepts, not actual incidents.
After his dismissal, Maley appeared at the CSO Perspectives 2010 event, where he was to talk about application security. Yet, he went beyond the topic and started discussing what people really wanted to hear: the circumstances around his firing. Many, no doubt, question his ethics for airing private matters publicly.
But on both occasions, Maley acted in a most ethical manner. His job was to serve the citizens of Pennsylvania, and he did the right thing by talking publicly about the issues that, in his judgment, were worth discussing with the information security community.
Maley's firing definitely was not justified. He never put the state's data at risk when he talked about the security incident. He only wanted to be open and help educate fellow professionals from his experiences dealing with security threats and vulnerabilities.
What is wrong with being open? Why are such important discussions considered taboo and unethical? When are we going to shed this "hush, hush" attitude and open ourselves to our community, so we can bring these issues to everyone's attention for shared learning - maybe come up with unified solutions to these problems?
It's not a matter of ethics, frankly, but of education. It's time for senior leaders to realize that the only way we can overcome our greatest challenges is to talk openly about breaches and risks. We need to share our obstacles and solutions; we need to find new answers to old questions.
But what is ethical about silencing a voice such as Maley's, and about punishing a leader who is looking to encourage more public/private sector information sharing?