The UK phone-hacking scandal involving Rupert Murdoch's media empire raises the topic of ethics in information security. For John Colley, managing director of (ISC)2 in EMEA, ethics need to be addressed more frequently in the workplace. Organizations can no longer assume information is legitimate or has been gained through ethical means.
Making sure important information is confidential is priority number one, Colley says. "The other side of the coin of course is ... where the data has come from and whether the source of the data is a legitimate source," he says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
Information security professionals need to be aware of the issues in the ethics discussion, Colley says.
In an exclusive interview about the privacy and ethical implications of the phone-hacking scandal, Colley discusses:
- The most important messages from this case to the information security profession;
- The role ethics play in information security;
- Implications for information security professionals in all sectors.
Colley has over 15 years experience in information security. He has formerly held posts including Head of Risk Services at Barclays Group; Group Head of Information Security (CISO) at the Royal Bank of Scotland Group; Director of Information Security at Atomic Tangerine; and Head of Information Security at ICL. He is a member of the ISSA UK chapter advisory board, and is chairman of the UK Government Information Assurance Professional Bodies Advisory Group.
TOM FIELD: To get us started, why don't you tell us a little bit about yourself and work please.
JOHN COLLEY: I'm a managing director for (ISC)2 for Europe and Eastern Africa. (ISC)2 is the certification and education body for information security professionals. Before joining (ISC)2, I have been associated with (ISC)2 both as a board director and two years as chairman. Before joining (ISC)2 full-time, I had some similar information security positions in the U.K. I was head of Risk Services at Barclays Group. Before that I was CISO at the Royal Bank of Scotland, and I was also head of the information security of ICL, one of the big British computer manufacturers. All-in-all, although I'm doing the managing director job, I really do consider myself as an information security professional.
Murdoch Scandal, Privacy & EthicsFIELD: Information security professionals worldwide have been reading for the past few weeks about the Murdoch media case. What do you say are the privacy and ethical concerns here for information security professionals?
COLLEY: This case is quite interesting because it's hoarding to the public recognition, something that has actually been going on for quite some considerable time. Not necessarily with newspapers, but it's the whole business of information broken. That started about 15-20 years ago in the oil industry. What would happen is that some criminal-type activity would take place and somebody would get some information and they'd sell that information to another source, who would sell it to another source. Eventually it would be presented legitimately to an organization as industrial information about one of their competitors. They would be buying it from what they thought was a legitimate source. What's different with the Murdoch thing though is that the chain of command as it was is much, much shorter. The journalists appear to have been employing the kind that's actually doing the phone hacking on an individual basis. They can plead really they were getting this from a legitimate source. I suspect they knew exactly what was going on.
If you look at that from an ethical viewpoint, clearly wherever you are getting the information from, you should really question how capable it is. The other example I can give is the issue in the formula one NASCAR racing business about three of four years go, where an engineer left Ferrari and tried to leak information to McLaren. In that particular case, McLaren went to Ferrari and said look this guy is trying to do this. I think he ended up being prosecuted.
The ethical issue here is when you get this sort of information you need to ask where it's coming from and whether it's come from an ethical source.
Ethics in Information SecurityFIELD: This ethical question is sort of new to the information security profession. What do you find to be the most important messages coming from this case to those that work in your profession?
COLLEY: I would probably disagree with you that ethics isn't used in the information security profession because part of that certification process is to ask people if they understand and have knowledge of the ethical issues involved. People who become our members have to undertake our ethics policy and that just doesn't apply to us. It applies to other people who are in the certification business, people who certify auditors and also some of the large professional membership organizations like the ISSA. Really from an information security viewpoint, people should be very much aware of what the ethical issues are, and they're not complicated. It's basically all about doing the right thing, and if you are worried about what's the right thing or not, it's probably not the right thing.
From an information security viewpoint, of course to some extent people are doing these sorts of things outside of the profession. So does it raise ethical problems from that? Probably not, because we hopefully would be acting ethically in the first place.
FIELD: Based on what you've seen and what you've observed, what do you find to be some of the new considerations, not just for media but for other organizations about where and how they obtain information?
COLLEY: As I said earlier, I think they've really got to be very careful, actually understand what the sources are and what actions they should be taking. The newspapers are quite interesting because to some extent they feel that they are operating in the public interest. They may feel that what they're doing is okay with getting this information about certain individuals and not seeing the public interest. I mean clearly, reporting on the Murdoch case, it appears that it's questionable some of the stuff that wasn't public interest. You can't always say that the end satisfies the means, and I think you have to be very careful about what means you.
An example of this is when I was at the Royal Bank of Scotland, when I was heading up the information security organization there. We were subject to phishing attacks, and it was pretty plain to us that we can actually take down these websites if we wanted to because we had the skills to do that. Now that raises quite a nice ethical and legal situation because legally we weren't really entitled to do that because we would be breaking the law. But they were actually attacking us. So it's a quite a fine line. Clearly we could not take our action. But it was an action that was open to us, and that's where you have to start thinking about the ethical and the legal considerations before you do take any particular action.
FIELD: With such public focus now on ethics and legalities, do you see significant changes arising from this case that we are all reading about now?
COLLEY: I think certainly in the U.K. we will see significant change. They're already talking about, for example, the percentage of the leadership any one news group can control. As you are probably aware the Murdoch organization, from the newspaper's viewpoint, doesn't really apply to online media or television shows. It counted some 42 percent of the U.K. leadership, which is a huge number. We're going to see changes there. I think there are going to be changes. You have a thing called the Press Complaints Commission in the U.K. which is a voluntary thing that's run by the newspapers. I think that will become a regulated official party, a voluntary code of practice that they find. I think we'll see quite a few significant changes as a result of this.
The Changing Role of EthicsFIELD: Now you spoke earlier about the role that ethics have played traditionally in information security. Do you see that being more of a significant factor now?
COLLEY: I think people begin to think much more about the ethics of situations. Also, what we're seeing in information security is it's getting much bigger. When I started out about 20 years ago, for example, there were only 23 certified information security professions in the U.K., and there are about 3,200 globally. Now we have maybe 4,000 in the U.K. and over 80,000 globally. So it's become much, much bigger. And unfortunately as things get bigger, more and more people want to get into it, possibly lead by the attraction of higher salaries. Of course not everybody that gets into it perhaps has the same highest percentages as the originators and the people that you'd want. I think that's where the professional organizations play an important part to maintain that standard.
Advice for Infosec ProfessionalsFIELD: When you look across the industry, you see the information security professionals really control so much data now, and with mobility, social media and emerging technologies, there is so much access to it. What do you feel that information security professionals can and should do differently now, starting now, based on the privacy concerns we've discussed today?
COLLEY: First of all, I would say that it's not the information security professionals that have access to all this data. It's generally the IT, the users and the consumer that has access to the data. The role of the information security profession is really to make sure that the data is protected properly. I think we've got two aspects here. One is if you've got information that is confidential, you need to be able to make sure it's protected properly, that only legitimate people have access to it. The other side of the coin of course is the one we've been talking about, and I'm not quite sure where the information security profession should come into this or not, but where the data has come from and whether the source of the data is a legitimate source that the organization should be holding. I'm not saying that's a decision the information security professional should make, but perhaps a question they should be asking of the management of their organization.