
The Code of Honor
Description
While some professions - including medicine, law, and engineering - have wholeheartedly embraced wide-ranging codes of ethics and conduct, the field of cybersecurity continues to lack an overarching ethical standard. This vacuum constitutes a significant threat to the safety of consumers and businesses around the world, slows commerce, and delays innovation.
The Code of Honor: Embracing Ethics in Cybersecurity delivers a first of its kind comprehensive discussion of the ethical challenges that face contemporary information security workers, managers, and executives. Authors Ed Skoudis, President of the SANS Technology Institute College and founder of the Counter Hack team, and Dr. Paul Maurer, President of Montreat College, explain how timeless ethical wisdom gives birth to the Cybersecurity Code which is currently being adopted by security practitioners and leaders around the world.
This practical book tells numerous engaging stories that highlight ethically complex situations many cybersecurity and tech professionals commonly encounter. It also contains compelling real-world case studies - called Critical Applications - at the end of each chapter that help the reader determine how to apply the hands-on skills described in the book.
You'll also find:
* A complete system of cybersecurity ethics relevant to C-suite leaders and executives, front-line cybersecurity practitioners, and students preparing for careers in cybersecurity.
* Carefully crafted frameworks for ethical decision-making in cybersecurity.
* Timeless principles based on those adopted in countless professions, creeds, and civilizations.
Perfect for security leaders, operations center analysts, incident responders, threat hunters, forensics personnel, and penetration testers, The Code of Honor is an up-to-date and engaging read about the ethically challenging world of modern cybersecurity that will earn a place in the libraries of aspiring and practicing professionals and leaders who deal with tech every day.

Persons
ED SKOUDIS serves as president of the SANS Technology Institute College, the country's leading provider of cybersecurity professional development. Ed began teaching at the SANS Institute in 1999 and has trained over 30,000 cybersecurity professionals in incident response and ethical hacking, codifying many of the practices used throughout the industry today. He is the recipient of the Order of Thor medal from the Military Cyber Professionals Association and is the author of Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses.
Content
CHAPTER 1
One Code to Rule Them All?
"The most important human endeavor is the striving for morality in our actions. Our inner balance and even our very existence depend on it. Only morality in our actions can give beauty and dignity to life."
- Albert Einstein
"The time is always right to do what is right."
- Dr. Martin Luther King Jr.
Cybercrime and cybersecurity should be among the foremost concerns of every industry, service, and every civic interest. Why? Cyber technology effectively runs the modern world from banking to healthcare, retail to sanitation, and governance to modern warfare. Cybersecurity practitioners wield great power, are under intense pressure, work in a culture that is changing at warp speed, and often have profound responsibilities. The fast-paced environment of our industry can be a breeding ground for mistakes, misused authority, and even intentionally abused power. The unprecedented speed of innovation in the 21st century has left us without a clear system of ethics for this great economic and security threat of our age. We would be remiss if we didn't begin by sharing some statistics with you reflecting how cybersecurity and cybercrime impact the world as we write this book. While the numbers may read like an archeological time capsule by the time you read them, it is our way of pulling the "fire alarm" in the midst of an unfolding global crisis.
- According to research, an estimated 53.35 million U.S. citizens were affected by cybercrime just in the first half of 2022.[1]
- Ransomware attacks in 2022 cost global businesses an estimated $20 billion. As cybercriminals are becoming rapidly more advanced and targeting businesses that can pay higher ransom fees, experts believe that $20 billion will balloon to more than $30 billion just in the next year.[2]
- The average cost to an individual organization that has suffered a data breach in 2022 was $4.35 million.[3]
- This cyber arms race by the world's bad actors is also leading to increased security spending. According to a recent report, cybersecurity spending is expected to reach $172 billion by the close of 2022.
Every time we open our browser or news app to check the latest research, the proverbial fire presents its rapid spread in the news cycle of the day. Today's headline points out that "Crypto-hackers steal $3 Billion This Year," while another proclaims, "2025 will be the biggest year for Digital Heists!" Cyberattackers, through ransomware and other insidious schemes, have caused massive damage to banks, hospitals, schools, critical infrastructures, and more. And it seems to be only getting worse.
In Case You Are Wondering Why You Should Care
For those of you on the periphery of our industry or simply new to the job, it is important to know what you are risking if you choose to ignore this cybersecurity crisis (no matter how big or small your organization is). Even today, there are too many leaders who still don't fully understand the scope of impact that cyberattacks can have in our world. Here are just a few of the effects that cyberattacks can inflict upon you and your business:
- You may suffer damage to your computer systems. When malicious computer attackers target your business, they can damage or destroy data on those systems, and the cost to repair or rebuild them can be extremely high.
- Attackers can steal sensitive data from your business such as consumer information or even trade secrets, which can have a dramatic impact on your company's reputation and financial standing.
- A cyberattack can interrupt the services that your business provides and cause you to lose money, customers, and time.
- You can face legal consequences from a cyberattack. You and your business can be held accountable for damages to consumers.
- Being hit by a cyberattack can ruin your brand and your reputation, making it harder to attract and keep customers. It can negatively impact your business long after the immediate damages of an attack have been corrected.
- Finally, there is always cybercrime and identity theft's impact on real people. If cybercriminals steal consumer information from your systems, those customers will be put at risk, affecting your consumer retention, impacting stakeholder trust, and resulting in legal issues. Even more concerning are cyberattacks that break into healthcare systems, transportation, or other critical infrastructures, perhaps causing severe damage to life and limb.
Cybersecurity is no longer an issue that you can ignore. We would argue that your success as a business, a professional, and a leader could be tied to how seriously you address this problem. Experts are currently predicting that cybercrime will eclipse the gross domestic product (GDP) of the world's largest economies in the near future. While it may sound fantastical, we are here to tell you it is a stark and unnerving reality.
It's as if we are trying to put out this worldwide four-alarm fire with a water gun. Every day in the cybersecurity industry, we are fighting for the resources, staffing, education, and ethical framework to keep attackers at bay. While the global workforce in our industry stands at around 4.7 million workers, it is predicted that there will be an astounding 3.4 million cybersecurity worker shortage worldwide within a few years. Currently, we need 600,000 positions filled in the United States alone. As we struggle to keep up with the demand to fill positions, we also must be vigilant to find good candidates of reputable character who are committed to serving the greater good. If we fill open positions with people who lack the ethical framework and character to put it into real-world practice, we'll only make the problem worse, much worse.
This is a problem that touches the day-to-day operations of nearly every public and private entity. Yes, by the time you read these words, the numbers will be outdated, and unfortunately, the challenges will be way bigger. There is simply no evidence that these trends will reverse course in the near future. Technology will continue to dominate the business landscape and become ever more a part of all of life. We are not going to go backward from our online, on-demand, virtual world any time soon. And of course, we are not likely going to become less technologically advanced or cyber-integrated. Attackers are not going to give up. Cybercrime is too lucrative an industry.
Is there a way to stop or at least slow down the trend? Is there any hope?
Do We Need Ethics in Cybersecurity?
Yes. An ethical standard in cybersecurity is fundamental to its future. If you work in cybersecurity, your day-to-day job can feel like fighting fires. Your day can go from 0 to 100 with one email or intrusion alert, and you will often find yourself in high-stress situations that have serious consequences on your company and its customers or stakeholders. One of the realities of working in fast-paced, pressure-filled environments is the ever-present temptation to cut corners or take shortcuts. There is tremendous pressure on both practitioners and leadership in our line of work to make the right decisions because those choices can have far-reaching impacts on numerous individuals. We can better illustrate a few of the common ethical challenges with a story about two professionals who have been recently affected by cybercrime.
Sarah is the CEO of a midsize medical device engineering company that has been hit recently with a ransomware attack. It isn't long before her small security team identifies the entry point through a third-party IT service provider that is also used by several of her fiercest competitors. As her cybersecurity team rolls into response and investigation, the questions mount: Is the attacker truly connected to the service company, or is it just set up to appear that way? Does the CEO have a responsibility to alert her competitors of the potential breach? Do competitors have an advantage over Sarah during the downtime caused by the attack? Her firm designs medical devices for several healthcare organizations. Are there legal obligations to alert those entities of the attack? Do they have to alert their parent company, who could be negatively affected by this event if it went public? When the attackers reach out with a ransom, should they quietly pay to make the entire situation go away? Is that even possible? How do they balance an obligation to protect the public and their obligation to defend the interests of their engineering firm? Is there an ethical framework by which all of these complicated questions could be examined and answered properly?
Jim is a security operations center (SOC) analyst at the very company servicing all of those medical device engineering firms with IT support. He was recently asked to do some lucrative after-hours security consulting at a local company. While that freelance work technically conflicted with the noncompete clause he signed in his contract with his primary employer, Jim accepted it because he really needs the money. And the chief information security officer (CISO) of his organization didn't seem to mind that he was doing this side gig, although she never actually approved of it. Jim has recently learned that his company was breached and that his CISO has chosen not to share information about the breach with her superiors, shareholders,...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books – i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.