Lohrmann on GovSpace
Musings of a state government CSO.
1) Not my job – A Department of the Interior memo stated, “Heads of Bureaus and Offices are responsible for ensuring monitoring and enforcement of this policy, as well as taking disciplinary action against violators.” Leave it to HR or local supervisors to monitor behavioral problems that are legal matters.
2) It’s difficult to draw black and white lines around cyber ethics, and some of us have been accused of being on a “moral witch hunt.” For example: “Did she really cheat or lie? Maybe that e-mail didn’t cross the line.” -or- “That’s a personal matter.” Ok, so why does it keep taking up so much time at work?
3) It doesn’t get you promoted or catch the interest of senior business management. In fact, business areas would rather not discuss it either – unless forced to address a hostile work environment.
4) Too broad a topic. Tough to measure, tough to control, impossible to stop. I don’t want to know.
5) We have higher priorities, and bigger fish to fry. We need to stop cyber crime and protect sensitive information. Leave personal e-mails alone – unless someone is giving away company (or government) secrets or breaking the law.
6) Just block the bad stuff and move on. We don’t want any adverse morale (with an “e”) issues right now. Like you ever do?
7) For government staff only – the inappropriate use reports (on employees) could be subject to the Freedom of Information Act (FOIA), so don’t produce them.
8) Guilt. Haven’t you ever crossed the line? Are you innocent? Ever done Christmas shopping at work or violated another work policy? Don’t go there ...
9) It’s been going on for too long. Why stop it now? Besides, no budget or staff to address it.
10) Keep us out of the papers. Don’t want a legal fight.
One note: if you’re a new security leader, you may wonder what I’m talking about. Perhaps you feel very strongly about prosecuting employees to the “fullest extent of the policy” wherever possible. Yes, we all want to do the right thing, and this list of excuses may seem like the wrong thing. I agree, but you’re in for a cultural battle. Don't get me wrong. I think cyber ethics is critically important. We'll get to the impact of holding these attitudes in a later blog.
Typically, CISOs don’t come to these seemingly pragmatic conclusions right away, but over time they get worn down and the above-mentioned attitudes can set in. Many veteran security managers can tell a war story or two of how they tried to hammer cyber ethics (or whatever you call it) at some point over the years, only to be told by executive leaders or HR personnel to “back off a bit and only send us the worst offenders.” Maybe ethical crackdowns happened after major embarrassing incidents, audits, or news stories, but the company culture took over a few years later and things reverted.
Yes, most organizations have acceptable use policies, but everyone struggles to keep up with the latest fads and challenges like MySpace, YouTube, dating sites, etc. I believe we are starting to see the repercussions of a growing monster that most government and private sector organizations are not yet addressing – but soon will.
Want examples? How about the Foley scandal? We’ll look at that next time.