Politics and the Practice of Information Security
Given the time of the year in the US, you might be tempted to think that I am writing about politics—Republicans versus Democrats, conservatives versus liberals, and the like. But what I am writing about instead is on-the-job politics—the maneuvering, posturing, and too frequently undermining that almost invariably produces a zero-sum outcome. Whether we like it or not, politics are a reality in most work environments; those who pay little or no attention to them or play them wrong generally reap negative consequences, ranging from being the “odd man out” to receiving the full fury of a powerful, antagonistic political alliance.
The practice of information security is by no means exempt from politics. Given that information security affects so many functions within organizations, information security staff too often find themselves the target of negative politics. Whether or not we like it, therefore, being able to walk political tightropes is a fundamental survival skill for information security professionals. At a minimum, learning to avoid politically explosive words and phrases in communicating with others is a necessity. Politics also permeate information security professional organizations, most of which, lamentably, tend to be dominated at least in part by groups of power-hungry individuals intent on grabbing as much power as they can.
Politics in information security are inevitable, but to what degree is being a political animal ethical, especially when the politics are zero-sum politics? Consider the first principle of the (ISC)2 Code of Ethics—“In the course of my professional activities, I shall conduct myself in accordance with the highest standards of moral, ethical and legal behavior.” In my mind, ethical behavior stands out here as being most relevant to on-the-job politics. So much of the politics I have witnessed over my lengthy career has been intended to create a negative perception of an individual or group, something that, at least in my mind, is not ethical. Additionally, what if one’s boss wants to eliminate a group or function, such as network security, that performs extremely valuable services for an organization simply because it is at political odds with the boss? Is it ethical for an information security professional to support the boss in this endeavor? What if a senior-level manager deliberately violates an important provision of an organization’s information security policy? Should an information security professional ignore what has happened for political reasons, or should this person flag the violation as a potential issue?
In our jobs we deal with a plethora of political issues. What I fear is that we too often fail to recognize and evaluate the ethics associated with the political stands that we take and the politically motivated actions in which we engage. We need to expand our horizons by giving our political stances and actions greater scrutiny.