Ethics and Integrity in Security

If you follow my website, you’ll have seen that I haven’t posted in quite some time. Not because I haven’t wanted to, but because I have never quite managed to find the time with everything else I’ve been working on. One of those things is getting a company up and running. I’m proud to be the managing director of Willsley Ltd which is a really fancy way of saying that I have a side gig alongside my day job as the Information Security Manager at CAF.

In previous articles I’ve talked about my personal philosophy of “Always assume the worst, you’ll rarely be disappointed.” I never said anything about not being angry though… And the cause of my anger today: salespeople. So I wanted to give my thoughts on ethics and integrity, what they mean for me, and some advice if you have any decision-making influence in security.

By decision-making influence, I don’t mean that you’re necessarily in charge of anything, just that your opinion is respected when it comes to security matters. If you’re a CISO with a multi-million pound budget, then you clearly have decision-making influence, but so does the junior security professional who is asked to evaluate a product, or to recommend to friends and family which antivirus to buy. With that influence comes responsibility.

So what made me angry? I made a public offer to conduct a number of free security assessments on behalf of Willsley to evaluate the viability of my new Security Baseline Assessment product. The deal was that an organisation gets a free assessment in return for providing some feedback. Enter the salesman who suggested that he would like to take me up on the offer of evaluating my product, but that it would be “only fair” if he could attempt to sell to me in my CAF role. No, just no!

The law

The first thing that came to mind is that if I agreed to such a thing, I could potentially be breaking the law under the Bribery Act 2010. On the basis that I’m not a lawyer and this is not legal advice, my understanding is this: if I were to enter into a discussion with this salesman about selling to my employer in return for benefiting my own company, and more so if I were then to recommend this vendor to my employer, I could have committed an offence under the Act.

The penalty for being found guilty of bribery? Up to 10 years imprisonment and unlimited fines.

Your profession

As a security professional, you’ll likely be a member of one or more professional bodies. Personally, I am a member of the International Information System Security Certification Consortium, or (ISC)². As such, I have to follow their code of ethics, one of the canons of which is to “Act honorably, honestly, justly, responsibly, and legally.”

Representing a vendor to an employer in order to gain a personal advantage goes against everything the ethics policy expects. As such, anybody violating their professional body’s code of ethics could be stripped of their professional qualifications.

Your reputation

This is arguably the most important of the three to anybody in the field. A criminal conviction for bribery would require a police complaint, and professional sanctions would require someone to report you to the professional body. Damage to your reputation, on the other hand, requires neither: it is my view that our industry, despite its size, is reasonably close-knit, and people talk!

As a security professional, you are in a highly privileged position: you’ll likely have more access to sensitive data than equally senior peers in other IT or business roles, and you’ll certainly have more influence over the organisation’s decision making than other IT or business roles. This privilege comes from trust, and if you aren’t acting with integrity, how can you be trusted?

As a hiring manager, if I were to come across the CV of someone I felt I couldn’t trust, there is no way I would be willing to risk my reputation by offering them a job.

So what does this all mean?

It should be fairly obvious, but I’ll say it anyway for the benefit of the upcoming professionals of the industry:

Don’t divide your loyalties!

For me, this means that no, I will not have a personal business discussion with you where that discussion is contingent on you being able to pitch to my employer.

No, I will not represent your sales pitches in return for any kind of hospitality.

No, I will never recommend your products or services to my employers in return for any personal benefit.

And NO, I will never sell your products and services to my customers purely because I personally benefit from it. If I can’t trust in what you’re selling, I’m not attaching my reputation to it.

Finally, if you’re a salesperson that’s explicitly directed to read this, I’m afraid it’s a hard no on whatever you’re proposing.
