The trust trade: The business case for an ethical CISO

By Joan Pepin, CISO and VP of Operations, Auth0

Credit: ID 93329029 © Maryvalery |

Another quarter, another jump in the number of data breaches in Australia. The latest Notifiable Data Breaches (NDB) scheme report by the OAIC recorded a 14% increase in breaches from the previous quarter, which included a single breach where more than 10 million records were compromised globally. Just last month, 50,000 Australian university students were hacked via their profiles on Get - a popular payments app for events and merchandise. And by August this year, more than 190,000 PayID accounts had been hacked across the country’s major financial institutions.

Even since new regulations like GDPR and NDB have come into play, the vicious cycle seems to have no end: companies sell data, hackers find holes, information is compromised, and someone scrambles to apologise - usually a bit too late. Despite the NDB implementing fines for non-reporting, stakeholders still aren’t properly conveying the necessary information when a breach occurs, and consumers are growing increasingly frustrated with what is, quite frankly, an unethical status quo.

Perhaps the root of these issues is no longer technological or policy-driven (though rules are important). We’ve got a problem that is foundational, pervasive, and worst of all, potentially unsolvable without a tremendous shift in attitude – and someone to lead the cause.

As data becomes the currency of the century, ethics is often set aside in favour of making more money. But the security of consumer data and identities is no longer just a boardroom issue. Someone needs to acknowledge that we are not doing enough to protect personal data in the digital age, and the CISO is first on call.

Welcome to your new job description

If we’re going to halt the current rate of security incidents in Australia, unprecedented and urgent security measures need to be put in place – all of which requiring highly skilled, strategic, and forward-thinking professionals who can not only implement, but take ownership of tough decisions with the consumer at heart.

In many companies, third-party security organisations have often been the only drivers for this holistic approach to data management, and the ethics of how data is handled. But CISOs are more and more frequently relied upon for these ethical decisions and influencing what security and operational processes are put into place.

We are no longer just the technologist with good communications skills or the manager with security expertise. We have become the guardians of data and, in some cases, a critical gatekeeper for corporate ethics, requiring the ability to have influence, vision, and the skills to drive that vision to completion.

Here are some ways that the CISO, and other members of the C-suite, can start influencing their organisation’s attitude to security today:

  1. Take baby steps: Start with your privacy policy. There’s an undeniable number of these so-called ‘protective measures’ in Australia that isn’t really protecting consumers at all. Is it legible? Does it make sense for consumers who may not be able to read through all the jargon? And is it ethically sound? Build a foundation of security for your company that actually does what it says it will - keeps your company secure.
  2. Lean on key stakeholders: In any large enterprise, the number of people within the company who can actually impact how responsibly the company behaves is small. But CISOs have a responsibility to start connecting with these key stakeholders to drive and communicate ethical values across marketing, finance, and general counsel. Don’t be afraid to socialise and start talking about right and wrong.
  3. Communicate the true ROI of better security: Ask your fellow leaders: If the worst were to happen, would we be able to unequivocally stand behind our brand and guarantee that we took all the steps possible to protect user data, follow best practices, and act in good faith?

Consumers today are demanding more than the minimum, and meeting their ethical standards will only increase your standing in the market. Plus, if you talk about money, the people who control the money are more inclined to listen and act.

As technology advances and data infiltrates every inch of our business operations, we’re trading in trust. But in order to continue to grow this economy of transparency and loyalty, and encourage others to participate, we need to ensure that our companies are acting in the peoples’ best interests – both for now and for the future.

As a CISO or security leader with influence in this regard, the question is not, “can you help raise the bar,” but rather – when will you?

Joan Pepin is CISO and VP of Operations at Auth0. With more than 20 years of experience, she is a recognised industry expert on cybersecurity, information systems, security leadership, and operations management.




Show Comments