Truth, and the Cybersecurity Professional

In c. 33 A.D., the Roman governor of Judea, Pontius Pilate, is famously known for asking, “What is truth?”

Painting by Nikolai Ge (1831-1894) painted in 1890

This is a question that many ask today, and in the realm of cybersecurity, there are answers. But before I wade into this topic, it’s first appropriate for me to cite a dictionary definition of the word truth:

1: the real facts about something : the things that are true

2: the quality or state of being true

3: a statement or idea that is true or accepted as true

(source: https://www.merriam-webster.com/dictionary/truth)

In business, government, education, and military contexts, and when it comes to the information systems that we in cybersecurity are called to protect, the truth is the complete body of information in electronic and other forms, including business records, system and device configuration, documentation, and software.

Software, and the configuration of systems and devices, serve to record and retell the truth (e.g., business transactions, correspondence) and make that information available at a later time or in another form.

It is said that not all truth should be spoken aloud. In the context of information systems, this means that some truths (business records) require protection, as they are considered personal or sensitive. On the business side, organizations have intellectual property of various types, including patents, trademarks, trade secrets, financial records, human resource records, and other operational records. Organizations depend upon the protection and integrity of this information, as much of its existence enables organizations to continue operations in support of their mission and purpose. Much of the responsibility for this protection falls to cybersecurity professionals. However, it is also commonly accepted that all personnel have a part to play, primarily in relying on their professional judgment to ensure that information is handled properly and protected from attackers.

There is considerable information in electronic form about natural persons, and more is being created continuously. Examples include the personal financial records of individuals and other information about persons, including their health, sexual, religious, and political affiliations and preferences. The universal concept of privacy concerns the protection and proper use of such information. The protection part of privacy falls to cybersecurity professionals (and the rest of the workforce, as mentioned earlier) to ensure that truths about individuals are kept confidential. The proper use part of privacy concerns formally established statements (more truths, or in this case, assertions) describing set formal and appropriate uses of personal information.

Cybersecurity professionals’ mission is the protection of the truths as described above.

Professional associations in the cybersecurity industry have codes of ethics and conduct that guide professional behavior. The organization (ISC)² Code of Ethics includes these statements:

  • Tell the truth
  • Take care to be truthful

The ISACA Code of Professional Ethics includes these statements:

  • Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character…
  • Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority.

The InfraGard Code of Ethics includes these statements:

  • Serve in the interests of InfraGard and the general public in a diligent, loyal, and honest manner, and will not knowingly be a party to any illegal or improper activities.
  • Maintain confidentiality, and prevent the use for competitive advantage at the expense of other members, of information obtained in the course of my involvement with InfraGard…

These and other codes of ethics require cybersecurity and privacy professionals to tell the truth, and to protect the truth from unnecessary disclosure and improper use.

Absolute truth does exist. For the cybersecurity professional, we are expected to conduct ourselves with integrity (identifying and telling the truth) and seek to protect business and personal information (truths about organizations and natural persons). That is our mission.

References:

(ISC)² Code of Ethics: https://www.isc2.org/ethics/

ISACA Code of Ethics: https://www.isaca.org/credentialing/code-of-professional-ethics

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.