Continually creating and updating the security techniques and technologies involved in an enterprise system is the ethical responsibility of the IT professional.
In order to successfully protect the information and intellectual property assets of a firm, an IT professional also needs to make a personal commitment to stay as current as possible on existing and future technologies (Pemberton, 1998). This commitment needs to be supported by the leaders of an IT organization within a firm, complete with budgets created to pay for ongoing certification and training. The continual pursuit of professional competence is an ethical requirement of any IT professional, and any leader of an IT function must continually focus on how to create a culture that embraces learning and change (Gotterbarn, 1999). From an ethical standards standpoint, lifetime learning is not an option; it is a requirement. As knowledge is the precursor to behavior, IT professionals need to choose which specific areas of ongoing, lifetime education they will excel in over time. The need for security experience, specifically in the areas of intellectual property, is particularly important. Concentrating on these areas assures job security, as the skill sets of information technology professionals who understand security are in high demand (Stapleton, 2007).
Another ethical standard that IT professionals need to continually strive to stay on top of is the body of existing laws and covenants that govern the use of key corporate assets and define the methods by which intellectual property can be accessed. Of particular importance are the processes and procedures for safeguarding corporate information assets and their access internally and externally from the organization (Stapleton, 2007). IT professionals need to understand the auditable, verifiable steps required to check in and check out information for use internally. Most important, the IT professional must also understand how to assess the risks and potential compromises of allowing external access through authentication, single sign-on and the use of non-sanctioned IT systems on the corporate network (Gotterbarn, Miller, 2010). All of these aspects of IT security need to be a core set of the IT professional's skills and expertise if they are to protect intellectual property and ensure their organizations can stay profitable and grow in future years.
IT Leadership Ethical Standards
Leaders within any organization have an immediate and very significant impact on their cultures (Butcher, 2009). When an IT leader makes a decision on an ethical issue, the interpretation of their judgment is seen as the new norm or baseline of ethical behavior internally. An IT leader's credibility, trust and ability to get work done with their teams are directly related to their authenticity and transparency in making decisions over a period of time (Cary, Wen, Mahatanankoon, 2003). The relative consistency and stability of any IT leader will be reflected in how much influence they have outside their organization and how efficiently they can accomplish complex, interrelated tasks with other departments. In short, an IT leader's ability to function successfully in their role is directly related to the level of credibility and trust they have created. Ethical judgments and decision making further solidify and strengthen the ability of an IT leader to get work done (Grupe, Garcia-Jay, Kuechler, 2002). With so many benefits to an IT leader of being ethical, it is critically important that they concentrate on a core set of ethical standards in their professional lives. IT leaders also need to take a dimensional view of ethics, as their impact on the organization is so significant and lasting.
The first dimension from an IT leadership standpoint is the need to fully articulate and explain responsibilities to the departments or divisions they manage (Kallman, 1992). They must also define a culture of continual learning and focus on how best to equip their departments and divisions with the necessary skill set to manage increasingly higher levels of security, authentication, intrusion detection and prevention of phishing attacks, for example. The IT leader also needs to define the ethical and moral boundaries and expectations for each position in their organization. Even more important than the specific areas of functional responsibility is the need to clearly define the ethical and moral expectations and to show how performance will be measured through annual reviews, which is critical to creating a strong culture (Stapleton, 2007).
An IT leader also needs to be very clear about the ethical and unethical use of IT resources, and provide guidance as to how best to manage situations that call for judgment of their use (Grupe, Garcia-Jay, Kuechler, 2002). These decisions of IT resource use need to be made from the context of protecting the organization's assets while also being agile and flexible enough to provide support for new business initiatives as well.
IT leaders need to be cognizant of how powerful their roles are in defining the future ethical and moral expectations within an enterprise. The need to protect and safeguard information systems and intellectual property needs to be balanced against the evolving needs of their organizations, many times requiring IT leaders to choose between supporting a business initiative or not based on potential risk (Gotterbarn, Miller, 2010). As enterprise-class systems become more role-based in their use of analytics, applications, databases and legacy data, IT leaders have difficult decisions to make on how much risk their organizations should take in supporting new strategies (Cary, Wen, Mahatanankoon, 2003). The CIO and his immediate direct reports are all evaluated from a performance standpoint on how well they minimize risk and security threats to the enterprise systems they are responsible for. From an ethical and moral standpoint, the CIO needs to ensure the intellectual property and information assets of the organization are protected yet must also provide a level of agility in their use so business objectives can be attained (Dillon, 2010). This is the paradox of any IT leader. The need for securing information assets and intellectual property is critical to preserving the competitive uniqueness and differentiated value of the organization, yet that data must also be made available to support ongoing initiatives. The ethical dilemmas become greater the more responsibility an IT leader gains over their career. For the CIO, the ethical and moral dilemmas are often very complex, as the data and intellectual property they control are extremely valuable (Miller, 2009).
This is why the CIO must always strive for authenticity, transparency and a high moral and ethical level of conduct as their decisions immediately affect the core intellectual property, information assets and ultimately the careers of those in his department and potentially across the entire company (Butcher, 2009). The CIO is also increasingly being held accountable for changing IT cultures and making them more focused on business results, not just providing the IT dial tone. The ethics of CIOs increasingly need to focus on intermediating these two extremes of their roles to ensure consistency of ethical decision making is achieved (Cary, Wen, Mahatanankoon, 2003).
Organizational Strategies for Managing Unethical Employee Behavior and Safeguarding Data
The greatest threat companies consistently face is their own employees, suppliers and contractors accessing and using applications, data and network-based resources over unsecured networks or for unauthorized purposes. Of all security threats, this is the most significant in that it can drastically reduce the ability to track and stop unauthorized access over time. While organizational policies are often created to specifically deal with this issue, only a small minority of companies rely on multi-tier and role-based authentication technologies to ensure compliance (Dillon, 2010).
Organizational strategies designed to protect confidential data and assure intellectual property is effectively used need to rely on role-based application definition and development. The latest generation of IT systems is specifically being designed to allow for greater levels of control over information assets, intellectual property and the accessibility of confidential data (Cronan, Leonard, Kreie, 2005). The role of the CIO needs to be one of defining rights by individual and group, also defining the best possible approach to creating shared ownership of confidential data. Using this type of security strategy, only those individuals with a specific role and job that requires them to use confidential data will have access to it.
Role-based access to confidential data, including specifics of intellectual property, also centers on the auditability of these technologies in the latest enterprise systems (Dillon, 2010). Which person in an organization gains access to the data, when, how long they use it, whether they change it, whether they attempt to duplicate it, and how they use it to do their jobs can all be tracked and audited. This type of security is critically important with any confidential data, even more so with data pertaining to intellectual property.
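The following sketch, added here as an illustration and not taken from any system the essay cites, shows rights defined by individual and by group together with an audit trail that records who accessed an asset, when, for how long, whether they changed it, and whether they attempted to duplicate it. All user, group and asset names, the `export` action standing in for duplication, and the one-hour session threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: rights come from group (role) membership plus individual grants.
GROUP_RIGHTS = {"ip-counsel": {"read", "modify"}, "engineering": {"read"}}
USER_GROUPS = {"alice": {"ip-counsel"}, "bob": {"engineering"}, "carol": set()}
USER_RIGHTS = {"bob": {"export"}}  # individual grant on top of the role

@dataclass
class AuditRecord:
    user: str
    action: str   # "read", "modify" or "export" (duplication)
    asset: str
    start: int    # epoch seconds
    end: int
    allowed: bool

def rights_for(user):
    rights = set(USER_RIGHTS.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        rights |= GROUP_RIGHTS.get(group, set())
    return rights

def access(log, user, action, asset, start, end):
    """Decide the request and record it whether or not it is allowed."""
    allowed = action in rights_for(user)
    log.append(AuditRecord(user, action, asset, start, end, allowed))
    return allowed

def review(log, max_seconds=3600):
    """Flag denied requests, denied duplication attempts and overlong sessions."""
    findings = []
    for r in log:
        if not r.allowed:
            kind = "duplication-attempt" if r.action == "export" else "denied"
            findings.append((r.user, r.asset, kind))
        elif r.end - r.start > max_seconds:
            findings.append((r.user, r.asset, "long-session"))
    return findings

def changed_by(log):
    """Users who actually modified data, for the 'did they change it' question."""
    return sorted({r.user for r in log if r.allowed and r.action == "modify"})

# Constructed sample requests: (user, action, asset, start, end)
SAMPLE = [("alice", "read", "patent-draft", 100, 500), ("alice", "modify", "patent-draft", 500, 700),
          ("bob", "read", "patent-draft", 1000, 9000), ("bob", "export", "patent-draft", 9000, 9010),
          ("alice", "export", "patent-draft", 9100, 9101), ("carol", "read", "patent-draft", 9200, 9201)]

def sample_log():
    log = []
    for request in SAMPLE:
        access(log, *request)
    return log
```

Recording denied requests alongside allowed ones is what lets the review step surface attempts by people whose role does not require the data.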
Where companies invite problems into their security strategies is in not defining the overall strategies for security at the enterprise level to begin with. This often creates a "free for all" mentality when it comes to accessing and using IT's resources in addition to relying on stop-gap measures to control the flood of outgoing…