Altruism in Information Security? (Part 1 of 3)

Originally published by Tentacle.

Written by Matt Combs, Tentacle.

Altruism and Information Security; two terms not commonly used together - the first term not often used to describe the foundational philosophy of the latter. Altruism is ideological; a desired state of the ultimate do-gooder who hopes to sacrifice all selfish motivations for the benefit of others. Information Security, on the other hand, is a concept/practice/industry that is likely perceived as totally unrelated to altruism (at least on the surface). Defined in a most stripped down form, Information Security is a plan put in place to protect sensitive information. Take a deeper look at the two, however, and I would argue you can find correlations. Use the correlations to develop a mentality of which we all approach our execution of Information Security programs, and perhaps we all could be more successful in ensuring the safety of the data we aim to protect.

Within the ideology of altruism and the practice of Information Security, I find common threads - aspirations to act unselfishly, to anticipate need, and to put the welfare (security) of others (data) before all else. Throughout my career, on my personal path towards understanding and building respect for a “true” Information Security Program, I’ve always embraced, what I consider to be, an altruistic view of the approach to achieving information security. What I was naïve to in traveling my path, however, was my assumption that everyone embraced these altruistic concepts within Information Security.

So, here lies the opportunity to put pen to paper to share my thoughts on how I came to believe altruism is relevant in the world of Information Security, how I think altruism really can (and should) be applied to Information Security, to call out what I find to be major barriers to achieving altruistic InfoSec, and to share my view on how we all could get a bit closer to infosec altruism through program execution. It’s a hefty topic to dive into so I’ll be sharing my thoughts as a 3-part series and hope you’ll share your thoughts on the topic throughout.

Part 1: Establishing Trust by Design

Perhaps due to a significant period of my career with such deep roots in Corporate Social Responsibility, the concept of altruism still lingers in my focus on the InfoSec space today. I founded the company YourCause (a cloud-based employee giving, volunteering, and ESG tool) in 2008, pitched our services to over 1,000 of the Fortune 5,000, did business with more than 500 of them, and then sold the company to Blackbaud (NASD: BLKD) in 2019. During the process of building a successful business focused on social good, I was lucky enough to also get another type of education. There are those that go to MIT and Carnegie Mellon to acquire their knowledge of cyber security, while others have been responsible for enterprise technology for decades and have picked up their skills by immersion, constantly learning and adapting to the changing environment. And then, there are those that follow more of a ‘forced’ path - a ‘school of hard knocks’; growing their knowledge while building companies, by surviving (and sometimes failing miserably) the security gauntlets synonymous with working with large enterprises, and by (blindly) navigating the vast oceans of credentialing, certification, and auditing. Thanks to many of those formally trained and extensively experienced individuals, and to the various challenges I had to overcome in the development of YourCause’s InfoSec program, I would akin my cyber security education to other graduates of the InfoSec School of Hard Knocks. My route gave me a very real, present, and genuine perspective as to how Information Security is commonly developed, executed upon, assessed, and operationalized within today’s organizations.

As I mentioned in introducing this topic, altruism and information security aren’t typically subjects discussed together, though, as I’ve made my way over many years learning the ins and outs of information security, I’ve found many of the same components that form the idea of altruism, to exist within the ideal state of Information Security. In taking time to understand the core philosophy and objective of Information Security, how this drives the development of a plan, how the plan’s standards, procedures, and policies are embedded within the day-to-day operation, and how everything comes together to protect the sensitive information within an organization - I can’t help but find parallels to the altruism pillars of sacrifice and selflessness, proactivity, and concern for others above all else. Perhaps a romanticized correlation but let me provide a few examples of altruistic characteristics found within the design of Information Security programs.

Altruistic By Design

If you claim to have a “true” Information Security Program of any merit, then by design, the program’s objective is to fully secure the organization - or at least do everything within its power to do so. This objective would suggest organizations are committed to continuously making sacrifices and to putting security above all other business priorities. This would also suggest the tools and resources designed to lay the foundation and to provide on-going guidance promote these philosophies as well. I happen to find altruism woven into the fabric of the industry frameworks developed to guide organizations, in the ways organizations are measured for compliance to these frameworks, and in the proactive approach critical to any comprehensive information security program.

1. Frameworks define the ideal state

When you break down the textbook definition of a formal Information Security Program, coupled with how these programs are executed by some of the most secure organizations of today, you uncover the role of industry accepted frameworks. NIST, CIS, PCI, GDPR, ISO, or whichever security framework is determined to best map to one’s organization, the concept is pretty straight forward: A proper information security program is able to demonstrate the execution of controls outlined within a “framework” deemed to be most applicable to your industry, sector, or space.

It is the security framework that serves as the foundation for which you are able to build your Information Security story upon. It is the framework that directionally steers your organization (and its operations) towards optimal security, and therefore, industry acceptance. The controls within these frameworks tend to be detailed, can sometimes be objective, and have been developed over the years to include best practices and stress-tested recommendations. While providing direction, the ‘altruism’ of security frameworks lies in how they also illustrate the ideal state. Adherence isn’t easy as security frameworks expect constant sacrifice, truly achievable only by making the ‘hard’ choice and doing the ‘extra’ work. Frameworks do not consider budget and resources, do not balance other business priorities, but rather, specify the expectation to ‘selflessly promote the welfare’ of the data handled (and therefore, the owners of said data). Each organization must adapt the framework accordingly, determine the best method for implementing and aligning to the controls, but I believe altruistic intent already exists at the core.

2. An Information Security Program is designed to promote continued growth

A proper Information Security Program can be likened to a living and breathing organism. It’s continuously evolving, never ‘good enough’, and constantly tasked with staying ahead of today’s bad actors. This InfoSec organism is continually seeking to re-attest to the controls in place, aspiring to implement additional (new) controls throughout the enterprise, it never rests easy; always thinking, ‘have we thought of everything?” Compliance to the framework(s) and to the overall plan in place is only ‘achieved’ through continuous effort and dedication to improvement - never done or satisfied. Like the concept of altruism, dedication to the welfare of others (in this sense, ‘others’ are data, customer organizations, individual consumers, etc.) is never fully complete. ‘Dedication’ is on-going.

3. Proactive execution to anticipate need

Core to altruistic behavior is proactively anticipating need. Devotion to the welfare of others does not begin after some event; devotion is considering that welfare all the time. While Information Security in its infancy was likely in response to cyber attack, it’s evolved into so much more. Information Security requires devotion before, during, and after cyber attack. Information Security seeks to identify any cyber threat and to proactively plan to defend against it, to minimize damage and to recover should there be a breach.

Proactive execution of the controls within an industry framework will yield solid protection for any organization as this approach demonstrates commitment and discipline in anticipating the need for the program. This proactive governance over an infosec plan, including the consistent update of the associated policies, procedures, standards, diagrams, artifacts, etc. will result in a complete program. But, let that altruistic pillar of anticipating need slip, and an organization runs the risk of gaps in protection. Govern a program with this pillar at the core, and have confidence in a security posture worthy of showcasing to clients, vendors, partners, stakeholders, and anyone else seeking to better understand the company’s investment in information security.

So there you have the correlations I have found between altruism and Information Security. I happen to believe that identifying these correlations can get us a step closer to collectively adopting a mindset that will help us all achieve a higher level of security. There are still barriers to overcome - I’ll present those in the second part to this series - but nothing’s impossible if we come together in the field of Information Security and start thinking altruistically.

About the Author

Matt Combs is seeking to actually earn the title of "entrepreneur," now working on his fourth venture. Having successfully started and sold his last venture (YourCause to Blackbaud, Inc.), he is now committed to solving some of the fundamental challenges previously faced related to developing a proper information security program.