Security Experts:

CISSP Code of Ethics: With Power Comes Obligation and Responsibility

Were You Aware that a Code of Ethics is a Condition of the CISSP Certification?

The first two canons state the following:

• Protect society, the commonwealth, and the infrastructure.

• Act honorably, honestly, justly, responsibly, and legally.

Note how “Protect Society” is cited first. Although depending on the context and circumstance, any of these may also fit under that umbrella. It does not state your employer, your manager, or your bottom line. It states:

Society

CISSP Code of EthicsThe second canon uses the words “honorably” and “honestly.” How many CISSP’s do you think worked for DigiNotar? Did the Code of Ethics help in that particular case? Or how does this Code of Ethics relate to, for example, a Non-Disclosure agreement? Taken to its ultimate conclusion, the question really boils down to what do you value higher? A steady job and a regular income - or CISSP accreditation? Because there will be many roles in various companies and organizations where it will be incredibly difficult to maintain those canons without being liberal with their interpretation or looking away once or twice.

Lest I come across as sniping at the Ethical Code that ISC2 expects of their certified members, let me confess that I am in fact a great supporter of the sentiment. In an ideal world, such a code of ethics would not just be conditional for CISSP’s, but anyone working in an I.T. Security capacity. There is too little focus on ethics, and it is not taken seriously enough, neither by some of the certificate holders, or by those that employ them. Business is a cynical endeavor by its very nature, the competitiveness and reward for failure and success being a primary generator for this cynicism, and many business professionals may smirk at what may seem to them as naivety. Good. Then at least I have your attention. You are exactly who I’d like to address.

We, as Information Security Professionals hold power in our hands that few people can understand, and correspondingly, an accompanying obligation and responsibility to use that power ethically and in the best interest of society. I do not mean the type of power that can take down the global economy or cause digital Armageddon (at least not by myself – I think. I have never attempted it). But it is enough to shave a few points off that oh so important share price, or to cause a loss of compliance and possibly a hefty fine.

To add a little reality check and perspective to my argument, I will claim that as a Penetration Tester I have the tools and skills in my possession to wreak havoc against most organizations. As a security professional with more than a decade worth of industry experience, I have also worked with and seen the inside of many Fortune 500, FTSE, DAX and similarly important entities’ security systems and policies. I am given access and am privy to the holiest of the holies of information security. I know more about their (in)security than many of their employees.

The truth is that the only difference between me (and anyone else with a similar skillset or knowledge) and a cybercrook is whom I will use my skills for – or against. That difference is demarcated by two things:

1. Money

2. Morals and ethics

The problem with the first item, money, is that that can come from any source. Money is Money. Once you take the ethics out of the equation, it does not matter where that money comes from or how it is obtained. The hand that feeds may easily get bitten, if it looks more appetizing than what is being fed. And even if someone pays your salary now, they may not in the future. Are they then fair game?

So essentially, the only really important aspect is ethics.

Some will argue that morals and ethics are not necessary when legal and contractual obligations as well as the threat of criminal prosecution can achieve a similar effect. But that belies the fact that few cybercrimes are ever satisfactorily resolved, providing they are reported in the first place, nor does it take into account that if you lack morals and ethics, a stint in the slammer will hardly scare you off in the first place.

Morals and ethics are deemed so important in information security, that one of the most recognized and accepted certifications makes it a necessary condition to achieve it. The natural result of this should be that any business or organization that makes it impossible to adhere to this, should not be able to find a security professional, or at the very least anyone with a CISSP, to work for them. That is also an important function of a Code of Ethics that people only scantly realize. It is meant to make anyone not following a similar standard of ethics uncompetitive by starving them of skills and knowhow. Yet I have a funny, admittedly subjective, feeling that that this probably not the case in reality.

Wouldn’t you rather that someone with such knowledge and capabilities follows a strict code of conduct? That there is a differentiation between good and bad behavior not solely based on money?

As a business function, and information security is without a doubt exactly that, security can only function in a framework of ethics and morals. That, in fact, is its intended sphere of influence and operations. Whether we are preventing abuse through disgruntled employees, monitoring Pedophiles on the internet, or trying to prevent cybercriminals stealing from our employers, we are dealing with the realm of social, (un)ethical and (im)moral behavior. How can we do that job without possessing a moral and ethical compass ourselves?

Further, does a society want (and need) a highly specialized and privileged class with the ability to shut down pretty much the entire system, that has no other motivation than money? If power got into the wrong hands for example, whose side would they be on if push ever came to shove?

Lastly, and most importantly, you cannot expect any ethical or moral considerations from a third party, if you do not extend those to yourself. “Lead by example” has become good business advice because it works. If you create an environment where it is considered OK to throw these concerns overboard whenever a situation arises that may profit from that, eventually you will be on the receiving end, and most likely from the products of that environment. There can be no security budget great enough to deal with the consequences. Even some ethical people feel absolved from their morals if they believe that their victim “deserves it”, as misguided as they well may be.

We provide services and solutions that in some form or another try to solve social problems via technical means; something that common wisdom states is a doomed approach. This may indeed be true if we remove the social aspect t from the equation. Without some form of ethical code the only thing you can hope to rely on will be honor among thieves.

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany. He has over a decade of Information Security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and and given interviews on the topics of Information and Offensive Security, as well as Cyber-Terrorism and Hacker Culture.