3 Ways Your Chief Information and Chief Security Officers Can Be Ethics Heroes

A company’s ability to effectively use technology to monitor, share and manage information contributes to the success of its ethics and compliance program.

Posted by Joe Gerard in Corporate Security, Ethics & Compliance, Human Resources on August 31st, 2010

A company’s ability to effectively use technology to monitor, share and manage information contributes to the success of its ethics and compliance program. Some laws and corporate policies contain compliance requirements that can only be carried out by a company’s IT department. In my opinion, a company’s Chief Information Officer (CIO) and/or Chief Security Officer (CSO) is as important as the Chief Ethics and Compliance Officer (CECO) when it comes to maintaining workplace ethics and compliance. Because CIOs are responsible for implementing IT systems and controlling the flow of information into and out of a company, they help protect it from data breaches and other technical risks. As ethics and compliance grows as an IT concern, an increasing number of companies report looking for CIOs, CSOs and other IT staff who not only possess the required technical skills, but also hold personal values that are similar to those of the company.

Here are three ways your company’s CIO and CSO can become ethics heroes:

1. Access Controls

In many companies, access controls are based on an employee’s role in the organization or the department they work in. This practice keeps information on a need-to-know basis, limiting the risk and the opportunity for information to fall into the wrong hands. Access controls can also be adjusted when the need arises: if an employee requires information for a special project they are working on, they can ask to be granted temporary access to it. In the Computerworld article “Ethics: IT Should Help the Company Steer Clear of Corporate Scandals,” Mary K. Pratt discusses the importance of access controls at Texas Health Resources Inc.:


“Consider the challenge of handling patients’ medical records. Even though the federal Health Insurance Portability and Accountability Act mandates that agencies keep those records private, caregivers still need to access them, when appropriate. So the organization’s electronic health records system gives doctors and nurses who are caring directly for patients quick access when they use the right authentication, Alverson says. But additional authentication is required to get records for patients who aren’t under the provider’s immediate care. The system records who gets access to what, allowing officials to audit and review cases to ensure there’s no inappropriate access.”
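The quoted passage describes four controls that work together: role-based need-to-know, approved temporary grants for special projects, step-up authentication for records of patients outside the provider’s immediate care, and an audit trail of every decision so reviewers can spot inappropriate access. The following is an added example written for this page, not code from the article, from Texas Health Resources or from i-Sight; the role names, user and patient identifiers, the time-boxed grant mechanism and the “what an auditor should review” rule are all assumptions made for illustration.

```python
"""Model of role-based access with temporary grants, step-up authentication
and an audit trail for patient records. Added example for this page; not code
from the article, Texas Health Resources or i-Sight. Every role, user ID and
patient ID below is a constructed sample value."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Which actions each role may perform. Need-to-know: billing staff never
# receive clinical records, however strongly they authenticate.
ROLE_PERMISSIONS = {
    "physician": {"read_record"},
    "nurse": {"read_record"},
    "billing": {"read_billing"},
}


@dataclass
class AuditEntry:
    when: datetime
    user: str
    patient: str
    decision: str          # "allow", "deny" or "grant"
    basis: str             # why the decision was made
    reason: Optional[str]  # justification; required for step-up access


@dataclass
class RecordsSystem:
    # patient -> users on that patient's direct care team
    care_team: dict = field(default_factory=dict)
    # (user, patient) -> expiry of an approved temporary grant
    temporary_grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant_temporary_access(self, user, patient, approver, hours, now):
        """Approved, time-boxed access for a special project; the approval is itself logged."""
        expiry = now + timedelta(hours=hours)
        self.temporary_grants[(user, patient)] = expiry
        self.audit_log.append(AuditEntry(
            now, user, patient, "grant",
            f"temporary access approved by {approver} until {expiry.isoformat()}", None))
        return expiry

    def request_record(self, user, role, patient, now, step_up_verified=False, reason=None):
        """Return True if the record may be read. Every decision, allowed or not, is logged."""
        def log(decision, basis):
            self.audit_log.append(AuditEntry(now, user, patient, decision, basis, reason))
            return decision == "allow"

        if "read_record" not in ROLE_PERMISSIONS.get(role, set()):
            return log("deny", f"role '{role}' has no read_record permission")
        if user in self.care_team.get(patient, set()):
            return log("allow", "direct care team, primary authentication")
        expiry = self.temporary_grants.get((user, patient))
        if expiry is not None and now < expiry:
            return log("allow", "active temporary grant")
        if step_up_verified and reason:
            # Outside immediate care: additional authentication plus a stated reason.
            return log("allow", "step-up authentication with stated reason")
        return log("deny", "not on care team; step-up authentication and reason required")

    def entries_for_review(self):
        """What an auditor should look at: every denial and every step-up access."""
        return [e for e in self.audit_log
                if e.decision == "deny" or e.basis.startswith("step-up")]


def demo():
    """Walk through the scenarios from the quote with constructed sample data."""
    now = datetime(2010, 8, 31, 9, 0)
    system = RecordsSystem(care_team={"patient-001": {"dr_a"}})
    results = {
        "care_team": system.request_record("dr_a", "physician", "patient-001", now),
        "other_patient_no_stepup": system.request_record("dr_a", "physician", "patient-002", now),
        "other_patient_stepup": system.request_record(
            "dr_a", "physician", "patient-002", now,
            step_up_verified=True, reason="covering emergency shift"),
        "billing_role": system.request_record(
            "clerk_b", "billing", "patient-001", now,
            step_up_verified=True, reason="invoice query"),
    }
    system.grant_temporary_access("nurse_c", "patient-001", "compliance_officer", 8, now)
    results["temp_grant_active"] = system.request_record(
        "nurse_c", "nurse", "patient-001", now + timedelta(hours=1))
    results["temp_grant_expired"] = system.request_record(
        "nurse_c", "nurse", "patient-001", now + timedelta(hours=9))
    return results, system.entries_for_review()


if __name__ == "__main__":
    decisions, review = demo()
    for name, allowed in decisions.items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print(f"{len(review)} audit entries flagged for review")
```

The point a practitioner should take from it is that the audit log is written on every path, including denials, and that step-up access is allowed but flagged rather than treated as routine, which is what makes the later review described in the quote possible.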

2. Tone from the CSO

The primary responsibility of the CSO is to implement systems in the workplace that give all employees the ability to work together to maintain security. I came across a document published by Cisco Systems, titled “Security at Centre Stage,” discussing the important contributions CSOs make to the workplace. The document states that, just as the “tone at the top” sets expectations for the whole company, CSOs must act as leaders to make sure that tone is heard by the IT department. From there, the IT department can develop security and ethics policies and systems that are communicated to the entire organization.

At Cisco Systems, they have introduced the Corporate Security Programs Organization (CSPO) into the workplace to:

  • Provide training and awareness to employees: informing employees of the security risks at each level and training them to mitigate those risks.
  • Constant interaction: the CSPO believes strongly in communication and constant reminders to help employees change their habits and adopt practices for maintaining security.
  • Award and recognize: the CSPO holds an annual awards ceremony rewarding individuals who have gone above and beyond in ensuring security.

3. Build Compliance Rules into Company Systems

Building compliance rules, company policies and industry regulations into business systems holds employees and companies accountable for their actions. This is similar to what we do when building i-Sight for each of our unique clients, as companies today must proactively investigate allegations of fraud, theft or abuse to prevent significant financial liability and risk to the organization. As legislation surrounding ethics and compliance continues to increase, the IT department must take advantage of technology and develop systems that are capable of monitoring and tracking these issues. The Cisco Systems document addresses the practice of building laws and regulations into corporate information systems:

“Then, security and privacy legislation gained momentum. What once were merely mandates for government agencies quickly became strict guidelines for the public sector—the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley (GLB), to name but a few. So the CSO took on more of an oversight role. ‘Any organization with state or federal regulations around protection schemes absolutely must have a security officer,’ says Felix Santos, CISO for Performant Financial, based in Livermore, Calif. Unfortunately, the CSO often became a mere compliance tactician or, worse, was served up as a ‘sacrificial lamb’ in the event of a security breach.”

Joe Gerard

CEO, i-Sight

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.
