Ethics and a Responsibility for Secure Software
Saw this post today about programmers discussing the unethical and illegal things they’ve been asked to do and it really made me think about all the battles I had as a young cyber security practitioner. Fortunately I was very fortunate in that I had lots of support and worked for an organization who respected security at the onset of my career in cyber security more than 20 years ago. This helped me when I experienced the other side of the coin where executives wanted things like breaches covered up and threaten you with lawsuits if you refuse to obey or speak out….. And yes that happened to me once. The choices that I made then and throughout my career were and still are shaped by those experiences and my ethics.
Five years ago Marc Andreessen penned his famous “Why Software Is Eating the World” essay in The Wall Street Journal. Today software is feasting on the world; its footprint is in our businesses, our smart phones, our physical activities, leisure and even sleep. This footprint is only going to grow exponentially with the Internet of Things (IoT) as are the opportunities for those with less principles or ethics to take advantage especially in terms of unethical coding and the misuse of the treasure troves of data that many companies are custodians of today.
Companies who are data custodians but do not have the required cyber security for their customer’s data, either through negligence and incompetence, are doing a disservice to their customers. However, despite the rash of data hacking in recent years, it is not all negative. More and more executives appear to have turned the corner and are now willing to listen and learn about how to better protect their companies and their customer’s data. Moreover, I strongly believe that relatively new legislation such as PIPEDA in Canada will motivate many companies to not just think about meeting a requirement but how to better secure their organizations. Believe it or not being cyber secure is, and will be, a differentiator in many markets as those who are unwilling to invest in better cyber security will do so to the detriment of their customers, shareholders and themselves. Going forward executives will be in the cross hairs of data breaches and will have to own up to any oversight on their part in terms of cyber security and the protection of their customer’s data.
That said my advice to all employees is to protect yourselves. Ensure that requests to perform unethical activities are recorded with data, time, and people — record, who, why and what and remember to keep your journal encrypted. If you are asked to do something that is completely illegal contact a lawyer and report it to the relevant authorities. If and when you leave the organization for these reasons make sure you report it during your exit interview. You ethical duty is to make them aware of it and that you have recorded all aspects of the activity. It is then up to them to deal with it as it is their responsibility to ensure secure software.