Enterprise Smarts

The Ethics of IT

By Lisa Ferri

The ripple effects of the Enron scandal are hard to miss. Public outcry over corporate corruption, and legislative reforms such as the Sarbanes-Oxley Act, could be Enron's largest legacies. The "Enron effect" has been keenly felt by executives across the country, not least among CIOs. As Gartner Inc. analyst Diane Morello notes, CIOs in the post-Enron era are "juggling eggs": There are many "eggs" in the air and dropping any one of them is simply not an option.

"A lot of CIOs feel like they're the fall guys," says fellow Gartner analyst Joe Bace. Sarbanes-Oxley may spell out the rules for life post-Enron, but CIOs are largely left holding the ethical bag. "What precipitated Sarbanes-Oxley may have occurred in the executive suite," notes Bace. "But it's still up to the CIO to embrace and champion the new IT and corporate ethics."

Ethics can make an enterprise difference

IT ethics aren't just necessary, they're also desirable keys to success in company-wide initiatives and business continuity. A strong IT ethics policy can help a CIO navigate through sticky situations such as:

  • Justifying actions that defy the established chain of command. In the book IT Ethics Handbook, authors Stephen Northcutt and Cynthia Madden note that ethics will be called upon to determine the best course of action in the case of a systems audit. For example, the CEO may ask the CIO to address business processes from the point of view of data flow, rather than from the standpoint of the technical infrastructure, which a standard audit requires.

  • Addressing employee behavior that may hurt the network. Without an ethics policy, employees may bring bad data into the network, or simply overwhelm the infrastructure with non-mission-critical files, such as MP3s and other leisure downloads. An ethics policy will help make remediation easier and clearer.

  • Blocking partner companies whose resources may include harmful files. In today's world of diversified conglomerates, some partners may also be adversaries. A defined ethics policy can help to prevent political landmines in working with these companies.

Getting ethics right

Meta Group analyst Maria Schafer says too many CIOs falter out of the gate, making what she calls rookie mistakes, such as:

  • CIOs assume there is an ethics policy in place, when in fact there is none. CIOs sometimes assume there is an established company-wide protocol on an issue -- such as when to give out sensitive information to a third party -- when in fact, it has not been tackled. Such assumptions put employees at risk of unknowingly compromising data.

  • There is a policy but employees are either unaware of it or don't adhere to it. The CIO and other executives have failed to create what Schafer calls a "culture of awareness" where employees understand exactly what they need to do to comply with the company's IT ethics policy.

Where to start

Gartner's Morello suggests that companies without an ethics policy in place should begin by conducting an ethics audit. An ethics audit involves defining ethical conduct, and identifying areas of potential malfeasance and malpractice. Steps to follow during this process may include:

  1. Clearly state what constitutes a "conflict of interest" within the business and among third-party vendors.

  2. Examine all agreements with third-party vendors, ensuring that they are aware of your ethics policies. Also, be sure that employees who interact with these third parties are dealing with sensitive information correctly.

  3. Review back-office accounting systems. As Bace points out, Sarbanes-Oxley demands new accounting standards and transparency. Creating this "evidence of ethical practices" is largely the CIO's domain.

  4. Go to the source: Ask employees in the trenches for their input on where the vulnerabilities are -- and how to protect against them.

Managing the mindset, above all

But the most critical ethics battle, according to Bace, has to do with mindset. The best way to ensure that ethics are enforced is to create a culture of zero tolerance. "If you don't want your mom to read about it on the front of The New York Times, don't do it. That's the mental outlook you need all your employees to have," explains Bace. Set that tone, he says, and employees will be loath to misappropriate or mishandle information.

Of course, a CIO can't be expected to accomplish cultural shifts of this magnitude alone. As Bace puts it: "Here's the real issue: People do what they feel they can get away with -- and that's something that trickles down from the very top of the organization." The good news is that CIOs can make IT ethics an enterprise-wide initiative that has boardroom buy-in and C-level support through some simple strategies:

  • The Three Strike Rule. The first time an employee is caught mishandling sensitive information, that employee gets a warning. On the second offense, the employee gets a stern reprimand. And on the third offense, they're shown the door.

  • The Whistleblower Environment. Make those who witness others mishandling information equally culpable: If you witness a co-worker mishandling information and don't report it, your neck is on the line as well. This policy creates a culture of employees unwilling to tolerate misbehaving co-workers.

"Investors lost almost $90 billion on the Enron scandal alone," says Bace. "No one can afford to tolerate that kind of behavior -- on any level -- again."

Spreading the responsibility

What's the reward for CIOs who succeed in laying down explicit ethical guidelines and then enforcing them? Freedom. Once CIOs spend the time developing a solid ethics policy, they can be freed from constantly reminding employees of the rules, clarifying the rules, and then tweaking them. One possible solution involves the use of automated governance tools that monitor the activity of employees on the network, helping to ensure that ethics as outlined are followed. That way, CIOs can stop playing traffic cop, and begin spreading responsibility for the information environment throughout the enterprise.

Lisa Ferri is a freelance writer living in New York.
