Welcome to the SecAware blog

I spy with my beady eye ...

23 Oct 2019

NBlog Oct 23 - transparency and oversight

Along with increasing legal and regulatory compliance pressures on organizations to implement appropriate privacy controls, popular awareness of the issues appears to be on the up with commercial implications for organizations.

Global IT megacorps such as Facebook, Microsoft, Apple and Google are particularly exposed to public criticism simply because they are household names ... but that's not to say they are powerless, far from it.  Contrast Apple's handling of the FBI iPhone security incident against Facebook's handling of the Cambridge Analytica scandal, plus other privacy incidents.

All the megacorps have to take their own cybersecurity seriously simply because they are such massive targets facing business-critical information risks: it's literally an existential issue. They are also forced to comply with various laws and regulations, for the same reasons as any other organization - to avoid potentially huge punitive fines and other substantial costs arising from noncompliance incidents. In addition, they make strategic and commercial choices on privacy and related matters. Their internal policies and corporate cultures influence the extent to which they satisfy broader ethical obligations towards customers, employees and others.

I see an interesting distinction opening up between reality and perception. Apple has been quite vocal and forthright in public about its concerns for customer privacy, whereas at the other end of the scale Facebook comes across negatively and consequently faces a hammering from the media (both traditional journalism and social media). Google and Microsoft appear (to me) somewhat ambiguous, dithering around the middle of the scale: at times they claim to be highly concerned about security and privacy, yet their actions sometimes indicate otherwise. Given their marketing prowess with huge budgets and global reach, I have the distinct feeling we're all being manipulated on a grand scale, so who knows what's really going on in terms of governance and ethical direction from their boardrooms?

The same concern applies to our governments, with the added complication of their being able to duck behind 'official secrets'. Whistleblowers such as Assange, Snowden and Manning are just the few with the guts and good fortune to beat the machinery of government to the draw. In regimes such as China, Russia, North Korea and Turkmenistan (plus many others), governmental oppression is plenty strong enough to prove liberty- and life-threatening for anyone with the affront to challenge authority.

So what, if anything, can/should be done about this? Personally, being a reformed/former auditor, I'm a big fan of transparency and accountability, although at the same time I accept that there are genuine reasons for all types and sizes of organizations to retain some measure of privacy about certain aspects of their internal affairs. The audit approach revolves around internal assessment by competent, independent investigators, a strong form of oversight. It is trust-based, in that auditors are granted privileged access to private internal matters, in much the same way that we trust our doctors with intensely private medically-related information ... because it's in our interests to do so. That self-interest is the key, for me, turning public unease through disquiet into pressure to open up, hopefully without the situation degenerating towards anarchy.

In the case of commercial organizations, their profit motive represents a vulnerability: if sufficient customers revolt, lightening their wallets elsewhere, companies appearing deficient in privacy and security may be forced to take more care, or at least open up and prove that they are doing things right.

Investigative journalism is another approach, although independence and bias are a concern given pressures from media moguls, not least to sell more papers, plus various constraints imposed by the authorities and of course the organizations being challenged. As to social media (such as NBlog!), fake news is not just a game played by the big players, raising questions about the competence and integrity of social media pundits (like me!). Is this blog piece fair and reasonable, unbiased and insightful, or am I pushing an agenda and skewing the topic to suit some ulterior purpose? You decide, dear reader. I hope you'll come back for more but if not, it's goodbye from me.
