The Spy Game
In our August 2001 issue, we referred to a poll by TR Cutler Inc. that said 55 percent of manufacturing companies with fewer than 1,000 employees spied on rivals using technology, and of those, 75 percent reported industrial spying for competitive analysis, including using the Web and posing as a potential customer to glean pricing and other data. How far is too far?
ROBBINS: Whether you're snooping on your employees or whether you're snooping on your competitors, how far you will go is a conversation about the culture of that company. And if your company is sick, it's going to go too far.
NISSENBAUM: What's difficult about this privacy problem is that there isn't yet a lot of agreement about what is right and what is wrong. We grew up with a norm that came out of an environment where certain physical monitoring was possible, and now we have technology that enables us to do a lot more. And what many of us said is, "Well, where do we draw the line? Is this right or wrong?" What often happens is that people may abhor certain behaviors out in the world, but then they would say in a business, "Oh, well, yes, it's fine to monitor your employees because, after all, you own the business, you own the property, you own the computers," and so forth. But what if you put video surveillance cameras in the bathroom, is that all right? Suddenly, some people will step back and say, "Well, maybe not, maybe there is a limit." So part of what we have to do is figure out that yes, technology can enable us to do all these things, but what's right? And then we need to figure out how to get people to do the right thing.
BOLTON: One of the things I've witnessed over the last nine years of doing IT leadership training is that there are some people who, after they finish nine months in the program, turn around and leave their companies. It's because, for the first time, they understood what their own personal values are, and they realize they don't mesh with the company they work for. And so I'm taken by this subject of ethics. I think it comes down to two people working together, whether it's you or a vendor, say, over a question over lousy software. Are the two parties trustworthy?
You take the word trust and you have different levels of that. I may trust you with loaning you a buck, but I may not loan you my car, and I probably won't give you a blank check. And then you can get into questions such as, is it all right to take company property home? Well, if it's a paper clip or a piece of paper, it may be okay. Well, can I walk off with a PC? Maybe not. And there are questions of what I should do on the job. Should I try to tap into a rival's wireless network if I have the opportunity to do so? Ethics is a subject of gray areas, and of choices.
Is there an ethical standard here?
BOLTON: I don't think there is one. I think it is a variant of one's individual personal values, and those values are set in growing up and the environment we live in. If you look at the personal values in the U.S., they're all over the map, but if you take some kind of a generalization of what they might be in the U.S. and then go to some other countries, the values are quite different. Simple things like bribery are quite acceptable in certain countries, but not here.
TREUHAFT: The entire topic of ethics, to me, is very removed from whether you're a CIO or not. There have been noted examples of people in companies who are stealing each other's customers, pulling information from each other, so on and so forth, but it goes down to the basics. If that's something you feel comfortable as a person doing, then it doesn't matter how many rules and regulations and policies and enforcement and security items you put in place in the companyif a person feels comfortable doing that, they're going to do that.
I strongly believe that the conversation and topic of ethics goes beyond IT, and it is a core, intrinsic characteristic that people have or don't have. And I believe that there's a lot of education that has to be in this area overall. Just based on the fact that I speak my mind and don't, you know, get pushed around on things that I believe are right, I have seen things change.
NISSENBAUM: Perhaps there are good people out there and evil people who weren't trained properly and so on. But I still want to come back to the notion that we're very lucky when we deal with people who are going to be ethical because that's the way they've been raised. Still, though, there are two things to think about. One is there are hard ethical problems, and even if you have the best intentions in the world, you may wind up doing the wrong thing. And there we need training, we need discussions like this one to continue because I think with the privacy cases, it's a hard new problem that society is facing, and we don't actually know the answers yet.
There are very few ethical theories that demand that people sacrifice themselves, to perform what are known as acts of supererogation. You've got ethical duties, but few people expect you to lose your life in order to save someone else. Heroes do that, but it's not everyone's ethical duty to do that. So the culture of the organization makes a difference because if the culture is bad, then it requires the individual to be a hero simply to do the right thing. You can't expect everybody to be a whistle-blower. If you have culture in an organization that requires someone to be a whistle-blower just to do the right thing, then your organization is sick.
The problem, I think, is that we live in a business culture that says if you're ethical, you're a chump, that you have to go for your own self-interest at all costs. And if being ethical is in your own self-interest, yeah, sure, go for it. Do it as a sales pitch. It's a good marketing tool. But if it doesn't improve your lot as a business, then being ethical is stupid.
TREUHAFT: I agree. Those decisions have to be made at a business level across the company, like what kind of privacy issues you want to have and enforce within your company. It's not necessarily on the shoulders of the CIO to say one way or the other. It's the CIO's role to enforce that policy and to perhaps bring up the options of what they can put on the table and then to communicate that down throughout the hierarchy.
McCRACKEN: I echo what you're saying. None of us would say that we are not ethical people, however you define it. But I think that this whole notion gets into the expectation of the user who is actually going to rely on whatever information is sent out eventually by an organization. And is it ethically created and distributed, frankly, from the investor's standpoint?
I'm hearing some disagreements. Some of you think ethics is a purely personal matter; others say a company's leadership needs to create an ethical culture that would, in turn guide and inform one's ethical behavior on the job. Some say it's the CIO's job to speak up; others say it's the job of the top brass. Who's right?
BOLTON: I think ethics needs to be the responsibility of the CIO, as technology changes and can impact the way we do business or the way we make decisions or the way we deal with other people. I think it is the CIO's responsibility to educate others on the impact of a particular technology. If you go back and look at before we even had the Internet, if you go back and look at central processing versus distributed processing and what would it mean, why all of a sudden there were a lot of people into the business who weren't there before
TREUHAFT: I agree with you 100 percent that the CIO and the people in IT have to participate. But I just keep hearing in this conversation that you have to make tough decisions and that you might find yourself in a situation where you might make the wrong ethical move even if you're a very straight person. And I have to tell you, we've all had to make very hard decisions in our careers and we've all been in situations where everything wasn't 100 percent black and white. But if you're naturally a person who's going to agree to do the right thing and be honest about it, then you tend to move in the right direction. That's what I have found.
BOLTON: Look at a company that operates under unethical standards, and I'd be willing to bet they've never had a discussion of what their values as an organization are. And I think that is the responsibility of the leadership of those organizations, including the CIO, considering that the CIO is one of the leadersand not just because he or she is the CIO. Companies that are ethical, I would bet, have a firm understanding from the top through most of the organization of what the organizational values of that enterprise are. They are very explicit, they understand them, they spend a lot of time talking about them, they educate people, especially new employees, and it gets reinforced by all of the C'sCEOs, CFOs, CIOs, all of them.
SEKAR: I think that technology is not going to generate or drive ethical behavior, and that CIOs can only help a company monitor and review actions to see if they're ethical or not.