[BreachExchange] The trust trade: The business case for an ethical CISO

Destry Winant destry at riskbasedsecurity.com
Mon Oct 21 10:11:44 EDT 2019


https://www.cso.com.au/article/667721/trust-trade-business-case-an-ethical-ciso/

Another quarter, another jump in the number of data breaches in
Australia. The latest Notifiable Data Breaches (NDB) scheme report by
the OAIC recorded a 14% increase in breaches from the previous
quarter, which included a single breach where more than 10 million
records were compromised globally. Just last month, 50,000 Australian
university students were hacked via their profiles on Get - a popular
payments app for events and merchandise. And by August this year, more
than 190,000 PayID accounts had been hacked across the country’s major
financial institutions.

Even since new regulations like GDPR and NDB have come into play, the
vicious cycle seems to have no end: companies sell data, hackers find
holes, information is compromised, and someone scrambles to apologise
- usually a bit too late. Despite the NDB implementing fines for
non-reporting, stakeholders still aren’t properly conveying the
necessary information when a breach occurs, and consumers are growing
increasingly frustrated with what is, quite frankly, an unethical
status quo.

Perhaps the root of these issues is no longer technological or
policy-driven (though rules are important). We’ve got a problem that
is foundational, pervasive, and worst of all, potentially unsolvable
without a tremendous shift in attitude – and someone to lead the
cause.

As data becomes the currency of the century, ethics is often set aside
in favour of making more money. But the security of consumer data and
identities is no longer just a boardroom issue. Someone needs to
acknowledge that we are not doing enough to protect personal data in
the digital age, and the CISO is first on call.

Welcome to your new job description

If we’re going to halt the current rate of security incidents in
Australia, unprecedented and urgent security measures need to be put
in place – all of which require highly skilled, strategic, and
forward-thinking professionals who can not only implement, but take
ownership of tough decisions with the consumer at heart.

In many companies, third-party security organisations have often been
the only drivers for this holistic approach to data management, and
the ethics of how data is handled. But CISOs are more and more
frequently relied upon for these ethical decisions and influencing
what security and operational processes are put into place.

We are no longer just the technologist with good communications skills
or the manager with security expertise. We have become the guardians
of data and, in some cases, a critical gatekeeper for corporate
ethics, requiring the ability to have influence, vision, and the
skills to drive that vision to completion.

Here are some ways that the CISO, and other members of the C-suite,
can start influencing their organisation’s attitude to security today:

1. Take baby steps: Start with your privacy policy. There’s an
undeniable number of these so-called ‘protective measures’ in
Australia that aren’t really protecting consumers at all. Is it
legible? Does it make sense for consumers who may not be able to read
through all the jargon? And is it ethically sound?
2. Build a foundation of security for your company that actually does
what it says it will - keeps your company secure.
3. Lean on key stakeholders: In any large enterprise, the number of
people within the company who can actually impact how responsibly the
company behaves is small. But CISOs have a responsibility to start
connecting with these key stakeholders to drive and communicate
ethical values across marketing, finance, and general counsel. Don’t
be afraid to socialise and start talking about right and wrong.
4. Communicate the true ROI of better security: Ask your fellow
leaders: If the worst were to happen, would we be able to
unequivocally stand behind our brand and guarantee that we took all
the steps possible to protect user data, follow best practices, and
act in good faith?

Consumers today are demanding more than the minimum, and meeting their
ethical standards will only increase your standing in the market.
Plus, if you talk about money, the people who control the money are
more inclined to listen and act.

As technology advances and data infiltrates every inch of our business
operations, we’re trading in trust. But in order to continue to grow
this economy of transparency and loyalty, and encourage others to
participate, we need to ensure that our companies are acting in the
people’s best interests – both for now and for the future.

As a CISO or security leader with influence in this regard, the
question is not, “can you help raise the bar,” but rather – when will
you?
