While ethics and morality are both human constructs rather than scientific properties, one of the key differences is the rate of change and the percentage of people who agree with a defined code. At an unnuanced, abstract level, ethics are based on a code of behaviour defined by an external source, whereas morality is an individual’s view of right and wrong.
So what does this have to do with risk management, cyber security or the profession of …?
I was reviewing an article in my reading list and was struck by the author’s claim that very few people are members of an IT professional association, since that doesn’t reflect my experience. Facts always trump opinion, and a quick search will reveal that combined ISC2, ISACA and ASIS membership for 2022 is approximately 350,000, while Statista pegs full-time ICT employment north of 50 million. Therefore, disregarding membership overlap, at less than one percent, John Mitchell’s “minority” statement seems charitable. Personally, that percentage disappoints me, as I see that gap as a barrier to the profession of security gaining legitimacy: the existence of professional groups with substantial membership is one of the ways society at large judges professionalization. Adherence to codes of practice and ethics is one of the ways professional organizations can distinguish their members from those who merely have similar skills.
Re-examining the CISSP code of ethics I agreed to uphold nearly two decades ago, with both the perspective of time and a master’s degree research module, I am wondering if the ethics discussion needs to be given more than lip service by security professionals. The transformation of ethical perspectives takes time but occurs nonetheless, and organizations need to realign to changes in societal expectations. Ideally, ethical discussions should incorporate the widest collection of stakeholders that is reasonable, but these days partisan echo chambers seem to be the norm, even within the security community, so expect some turbulence.
The pace of business often finds us distracted with deliverables and accountabilities; consequently, guiding principles have a tendency to fade into the background. With full transparency, I’ll admit to looking up the details of the CISSP code of ethics; fortunately, I was well within the lines. That said, I felt compelled to commit my interpretation to paper, if for no other reason than to open a dialog on a subject we need to align on within the industry, since we are in a position of trust.
Reflecting on the CISSP Code of Ethics
The top-line preamble is almost a mission statement or guiding principle on its own; adhering to it should avoid any issues of conscience.
“The safety and welfare of society and the common good, duty to our principles, and to each other…”
At the more prescriptive and externally measurable level the first two canons provide a concise description that seems to cover the majority of scenarios I have encountered in my career.
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
Items three and four lean slightly toward areas that will demand a bit more personal interpretation of one’s accountabilities and compliance.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
“Providing diligent and competent service” is most certainly subjective, and on any given day our best is going to vary. If we can truthfully say we are meeting or exceeding the standard of a reasonable person, is that all we can ask of ourselves and our peers? One way to answer that would be to try a thought experiment like the one below. Be warned: there is not enough context for a truly correct answer, just an opportunity to reflect. Another tactic is to truly understand your organization and where its point of diminishing returns is. Our job as risk professionals is to bring the most important concerns to the right level of accountability, and those accountable can rely on our judgement if we are consistently striving to be ethical and diligent.
While doing another task I discover a deficiency, I knowingly leave a security control broken because:
- We had sufficient compensating controls and the implementation team is already at 130% of capacity with no end in sight.
- Although the compensating controls have flaws of their own, the threat community is small and this is one node in a long attack tree.
- The person accountable for fixing it has a strong personality and is very clear they don’t want negative attention from upper management.
As for “advancing and protecting the profession”, each of us can contribute regardless of skills, tenure and even personality. Consider the following:
- Anyone who has spoken to a near-empty conference room will agree that your very presence in the audience (physical or virtual) advances the profession by encouraging that presenter or researcher to continue their work.
- Share articles and research you stumbled upon with others in your department, peer group and social networks. If it is genuine and relevant to them, most people won’t cast you or the content in a negative light.
- Share the skills and personality you do have without regard for notoriety or compensation. We are all experts compared to the general population; when a relative or casual acquaintance asks a security or technology question, take the time to make sure they understand, or send them a link to someone who does explain it well.
Call to Action
Most in the industry will acknowledge, at least privately, that we are adopting technology faster than we can secure it and are seldom afforded the time to consider the many ramifications of our choices. Reflecting on the ethics we have agreed to follow, and on how we are personally aligning to those commitments, is something we can all do as an internal process. Externally, I challenge all of us to incorporate our ethical lens as we assess and contribute to peer dialog on security matters, to collectively advance our profession.