When doing their work, cybersecurity professionals often come across situations that put their skills to the test. And sometimes those tests have far less to do with technology or business than with questions of ethics.
When cyber professionals discover vulnerabilities while performing penetration tests or some other security-related work, is it OK to disclose those vulnerabilities publicly? What happens if system owners are made aware of issues but decide to ignore them? And at which point, while testing systems containing private information, do cyber professionals reach a line they should not cross?
These questions were part of a lively panel discussion today at the (ISC)2 Security Congress 2019, taking place in Orlando this week. The session, “Ethics Dilemmas Information Security Professionals Face,” was moderated by Biljana Cerin, CISSP, CEO of Ostendo Consulting and Chair of the (ISC)2 Ethics Commission. Joining her were committee members Wim Remes, CISSP, Founder and Principal Consultant of NRJ Security; William H. Murray, CISSP, retired security professional; and William Campbell, President of Predictable Solutions.
Much of the discussion centered on the ethical boundaries of penetration testing. There have been cases in which security researchers were arrested for doing their work. To avoid such a fate, Remes stressed the importance of clarity upfront.
“Make sure there is a clear contract,” Remes said. “The contract is where everything starts and and stops.”
Sometimes, during penetration tests, researchers may find vulnerabilities in third-party systems, which raises questions on how to proceed. If the client, who is paying the security consultant, decides not to notify the third party, it can create an ethical dilemma for the consultant.
In such situations, it may be tempting to act unilaterally. But Murray strongly advised against doing so, pointing out that is how security professionals end up in trouble. It is always best to seek the counsel of others, including client’s superiors and professional peers to make the best possible informed decision, he argued.
“Consulting with peers as a security professional is something you should definitely consider,” Remes added. “I don’t think I’ve ever made good decisions in isolation.”
Campbell noted that one of the challenges cyber professionals face is that they function as advisors. Security professionals can make recommendations and spell out the consequences of pursuing one path or another, but it is up to managers or clients to make decisions.
Whatever the outcome of a penetration test or some other cybersecurity-focused pursuit, Murray advised documenting the work and decisions made. If management, in weighing cyber risks, decides to ignore the cybersecurity professional’s recommendations, ask them to sign a statement to that effect and file it with other relevant documentation.
In getting business leaders to make sound risk management decisions, Campbell stressed the importance of communicating to them in ways they understand. Cybersecurity professionals have often been guilty of being too technical and not understanding what makes executives tick.
Company leaders typically have sales backgrounds, where maximizing revenue is the priority, or come from finance, where costs take precedence. It is important to understand that and communicate in that context when talking about security investments, he said.
Building on Campbell’s point, Murray said: “General managers are not good at making expressions of risk tolerance. That’s not what they do, so we have to express the risk tolerance in such a way that general management says, ‘Oh yea, that’s what I intend.’”
Remes put it in even simpler terms: “In my opinion, if you are not expressing risk in financial terms, then you are not talking about risk at all.”
But what should a CISO or other member of the cybersecurity team do when their advice falls on deaf ears? When nothing else works, the panelists agreed that you should walk away. “If management is not doing the right things, it’s your obligation to forgo that paycheck and leave,” Remes said.