The roles of the Chief Information Security Officer (CISO) include monitoring, analyzing, and forecasting threats to information assets; advising on risk management and on contracts related to data security; consulting on incident management; and developing and managing policies related to information security. CISOs also promote a culture of shared responsibility for safeguarding personal and institutional data. Today’s CISOs should also understand the legal and ethical hurdles surrounding the security and privacy of online users. A CISO should know how much security is required in an environment where data and research results are openly shared to meet business requirements.
For instance, encryption can protect data, or it can be used to shield research results as they are extracted through insider activity. It doesn’t take an ethics wizard to see the problems if we do not protect data in transit or at rest. So where do you focus the technology and training for data protection? The point is that we are living in interesting times and have much to do to ensure that we are not only good network citizens, but that we do everything within our capabilities to keep personal data in the right place with the right protections, without impeding our ability to share data as necessary.
Guided by the laws of the state and the ethical standards of business, the challenge for CISOs is how to approach data privacy from a policy and process perspective. For this, CISOs need to know which vector to focus on when dealing with privacy issues, using processes or tools to secure users’ data.
Steps to Minimize Data Breaches
There are various data security and privacy concerns with social media organizations, where online users willingly give away personal information. Currently, Facebook, which has over two billion users globally, has faced backlash over the data scandal, prompting Zuckerberg to issue an apology for the ‘major breach of trust’ and to promise steps to protect the privacy of users’ data.
The following simple practices will minimize the chances of a data breach by social media organizations.
Organizations should be transparent and notify individuals regarding the collection, use, dissemination, and maintenance of personally identifiable information.
Involve the individual in the process of using personally identifiable information and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of personal information.
Specifying the Purpose
Online users should be informed about the actual purpose for which their data is used by the organization.
Relevant Data Collection
Only data pertaining to online users that is directly relevant to the specified purpose should be collected.
In matters pertaining to online users’ privacy and security, a CISO is more than just another corporate cost cutter, technologist, or policy developer. In terms of the moral code of conduct and professional ethics, CISOs should guard the corporate image and accept the role of evangelist. CISOs preaching the righteous gospel of security and privacy strengthen the average user’s ability to feel safe in the cyber world created for their convenience. CISOs should create an online privacy environment in which everyone in the ecosystem shares the same level of trust. For this, CISOs must be prepared to increase the number of regular meetings used to build awareness of data security and privacy practices.
As CISOs, we all strive for a deeper understanding of the threats to data in a relentless search for mitigating controls and vulnerability remediation. From an ethical perspective, we should always be on watch to ensure we are good stewards of our data, information systems, and resources.
To sum it all up, a moral code of conduct and professional ethics are a choice, and organizations should promote confidence and trust in how online users’ personal information is collected, stored, and analyzed.