Picture an easy Sunday morning. It’s sunny and quiet with only birds chirping outside. You make yourself a cup of coffee and sit on the sofa to catch up on what’s happening in the world. You open your favourite news site and here it is – the first story of the day in large font.
Breaking news: massive data breach! It’s your company in the headline.
This is the modern reality: cyber attacks are becoming increasingly common and it’s no longer a matter of if but when.
How do you manage this PR nightmare? What do you tell the media? Can you regain the trust of your customers and partners?
These are not the questions you want to be thinking about in the middle of a crisis. The real story begins way before that. It starts with responsible data management practices and securing people’s information.
Responsible security leaders champion the ethical use of data to protect individual rights and privacy. They have a positive impact on society by ensuring lawfulness, fairness and transparency when it comes to processing people’s data.
Imagine you discovered a large volume of unsecured data in your organisation. There may be no reason to store this data, but the company could be holding on to it ‘just in case’ and it’s too hard and expensive to secure it properly.
Some executives may suggest that everyone in the industry is doing this, and there may even be a chance they could monetise it in the future.
It’s the role of a security leader to challenge businesses to consider the long-term perspective, not only the immediate revenue targets. What would be the impact on reputation and trust if customers found out?
Think of personal data like toxic waste – it can be handled, but with extreme care.
To tackle ethical dilemmas like this effectively, it’s helpful to position yourself as an agent of continuous improvement and suggest a workable alternative. For example, you could help develop a process to securely destroy customer data after it’s no longer needed.
It’s natural to present rational arguments to influence business executives and get buy-in to adopt this approach. You can talk about timelines and budgets but you’re unlikely to get very far by appealing to logic alone.
In addition, try encouraging people to look to the higher purpose; speak to their hearts as well as their minds. Help them see the organisation’s wider purpose – it’s not just to make money, it’s to do right by our customers, because not securing their information appropriately can lead to data breaches.
You can remind them that the effects on people whose personal data was stolen can be devastating: their identity can be stolen, they can become victims of fraud and lose their money, their mental health can be affected. And it’s our responsibility to protect them.
Implementing a company-wide data protection strategy that is firmly grounded in ethics and values can result in a significant reduction in potential harm to our customers in the event of a data breach.
What small steps can you take to start practising responsible leadership in cyber security? Here are some suggestions to get you started.
1. Discuss business ethics and values in your team meetings. Go beyond acknowledging the existence of the Code of Conduct and instead stimulate a discussion about what your team thought was an important part of it and why.
2. Ask “should we?” in addition to “can we?”, particularly when making decisions around projects related to customer data. Speak up, ask difficult questions in product planning sessions and challenge business stakeholders to consider the impact on data security and privacy.
3. Explicitly consider ethics in individual and team goal setting. Foster a culture where success is measured not just by the results but also by the ethicality of the way they are obtained.