Career Insights with Upasana Gupta

Information Security ... and Ethics

Information Security ... and Ethics

Prime example: The case of former State of Pennsylvania Chief Information Security Officer Robert Maley, who was recently fired after his appearance at RSA Conference 2010. His misdeed: He spoke without authorization about a recent Pennsylvania security incident.

Maley's only intention was to educate fellow professionals about adopting best practices to safeguard against such attacks. But he had been discouraged from speaking about this specific incident; like most security leaders, he was expected to take the safe approach and discuss mere concepts, not actual incidents.

What is wrong with being open? Why are such important discussions considered taboo and unethical? 

After his dismissal, Maley appeared at the CSO Perspectives 2010 event, where he was to talk about application security. Yet, he went beyond the topic and started discussing what people really wanted to hear: the circumstances around his firing. Many, no doubt, question his ethics for airing private matters publicly.

But on both occasions, Maley acted in a most ethical manner. His job was to serve the citizens of Pennsylvania, and he did the right thing by talking publicly about the issues that, in his judgment, were worth discussing with the information security community.

Maley's firing definitely was not justified. He never put the state's data at risk when he talked about the security incident. He only wanted to be open and help educate fellow professionals from his experiences dealing with security threats and vulnerabilities.

What is wrong with being open? Why are such important discussions considered taboo and unethical? When are we going to shed this "hush, hush" attitude and open ourselves to our community, so we can bring these issues to everyone's attention for shared learning - maybe come up with unified solutions to these problems?

It's not a matter of ethics, frankly, but education. It's time for senior leaders to realize that the only way we can overcome our greatest challenges is to talk openly about breaches and risks. We need to share our obstacles and solutions; need to find new answers to old questions.

But to still a voice such as Maley's, and to punish a leader who's looking to encourage more public/private sector information sharing, what's ethical about that?

About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.