Do the Right ThingWhy Ethics Must Apply To All Security Professionals
Virtually all professions require that practitioners do things right. But there are some that also require practitioners to do the right thing. Information security is one of those professions.
See Also: You've Got BEC!
In medicine and law, practitioners must not only be licensed to prove that they know what to do, but they also must agree to abide by a uniform, industry-wide code of ethical conduct. The information security industry has many options available for education and certification of a professional's skills and knowledge. These certifications are important, but given the sensitivity of the data they handle and the potential for abuse of data access privileges, I would argue that compliance with an industry-wide code of ethics is at least as essential as functional certification, if not more so.
Security personnel should be required to prove not only that they know how to do things right, but also that they know how to do the right thing.
A code of ethics provides a common baseline for everyone to operate from. The professional understands what he can and can't do, the public understands what the professional will and won't do, and the professional's colleagues know what to expect. It reduces ambiguity in facing ethical dilemmas by serving as a resource to the professional.
At (ISC)2, practitioners are required to subscribe to our Code of Ethics the moment they register to take a certification exam. To keep their credentials, members must adhere to these ethical standards and act in a manner that is consistent with industry expectations.
(ISC)2 certified candidates are required to abide by four mandatory canons in the Code:
- Protect society, the commonwealth, and the infrastructure;
- Act honorably, honestly, justly, responsibly, and legally;
- Provide diligent and competent service to principals;
- Advance and protect the profession.
One of the most essential elements of a code of behavior is that it holds practitioners and professionals accountable for their actions. Those who fail to behave ethically will have their credentials revoked.
For example, (ISC)Â² members who intentionally or knowingly violate any provision of the Code like plagiarism are subject to action by a peer review panel, which may result in the revocation of certification.
Other training and certification organizations have similar ethical requirements - in fact, many have asked why there is no universal code of conduct for all security professionals and organizations. The industry has tried to develop such a code in the past, but the various players have never been able to agree on the semantics. In the end, though, the wording is not as important as the intent. While each certification organization's code of ethics may be phrased slightly differently, they ultimately serve the same noble, critical purpose.
Unfortunately, many security professionals are not accredited by an organization that can hold them accountable for unethical actions. Organizations employing or contracting non-certified security professionals should outline and prescribe their own ethical expectations.
Many companies ask employees and contractors to sign legal documents (such as a non-disclosure agreement) before beginning a job. Any organization that hires a security professional should outline its ethical expectations of that employee, in writing, before giving them access to data and critical infrastructure.
Unlike medicine and law, the information security industry as a whole doesn't mandate certification or licensing for its professionals. While there isn't a cyber security bar exam or medical board, there are highly sophisticated methods to test a prospective employee to ensure that he or she has the necessary knowledge and skills to do the job.
The more prestigious certifications incorporate these methods and are accredited to international standards. But when we are dealing with sensitive information and access to critical infrastructure, I propose that functional testing and experience aren't enough. Security personnel should be required to prove not only that they know how to do things right, but also that they know how to do the right thing. They must demonstrate that they are committed to behaving ethically while protecting precious information assets -- and pledge that they will do so.
Until then, there will continue to be questions about the employee's code of conduct - and questions about the IT security industry.
Tipton is the Executive Director for (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, with more than 85,000 members in more than 135 countries.