Corporate Social Responsibility: The Ethics of Managing Information Risk

Abstract

Be the change you wish to see in the world.-Gandhi In the past year or so, we have passed a major inflection point; it has become clear that almost every powered device will compute, communicate, and have an IP address. As technology becomes embedded into the fabric of our lives, exploits that take advantage of technology vulnerabilities may increasingly impact the well-being of almost everyone in society. This makes it particularly important that we apply the right ethical values to shape the way we design, develop, and implement these technologies. The past few years have seen an escalating cycle of risk, with correspondingly greater impacts for businesses and individuals. If that trajectory continues as technology becomes more pervasive, the implications for society could be catastrophic. This means we should all, as security professionals, contemplate our ethical responsibilities not only to the organizations we work for, the customers we serve, and the company's shareholders, but also to society. To put it another way, I believe that information security and privacy are issues of corporate social responsibility. Yet even as it becomes even more important to consistently apply an ethical approach to managing information risk, business demands and other challenges can make it increasingly difficult to do so. Companies' continuous efforts to drive growth and accelerate time to market translate into demand for faster implementation of internal systems and new technology-based products. At the same time, implementing effective security and privacy is becoming more difficult due to a more complex threat landscape and the expanding, fragmented regulatory environment. These factors result in increasing pressure on technology and business professionals to take risky short cuts. In some cases, there may be clear conflicts between business priorities, such as the deadline for launching a new product, and "doing the right thing" in security and privacy terms. There are also many gray areas in which the right course