by elliekelly
2602 days ago

> The company acts as a third party with very different (and often directly conflicting with the end user) aims that creates a much harder ethical situation for a developer to navigate and creates confusion as to who has the responsibility to sound the alarm.

This is very similar to the structure I operated under as a corporate attorney at a bank but also as the Chief Information Security Officer. I owed a duty to the bank, as my "client," and also to the bank's clients, whose information I was charged with protecting. You are indeed correct that it's a difficult and uncomfortable situation to manage. I always tried to be a "zealous advocate" for the bank in all matters except those related to privacy and I'll be the first to admit that much of my zealous advocacy was indeed a net-negative for society. I did ultimately leave because of a disagreement over how to respond to (or in their case, chose to ignore) an ongoing breach of customer accounts.

All of that being said, I don't think it's an impossible ask with a bit of help from the government. I also served as the AML Officer and in that capacity I had the absolute final say on all matters related to money laundering thanks to the PATRIOT Act. The only way to override my decision would be a board vote. I never had any "disagreements" about how to handle an AML situation because my decisions were final while my decisions as CISO were merely a recommendation that management could (and did) ignore in order to save time, money, and bad PR.

Curious to find out more about this, and how you felt about it while you were doing it, if you're willing to talk about it.