
I am starting to wonder if I have been in the industry of information security for too long now with 30 years under my belt. I am equally wondering if my style and approach to doing the right thing with the application of ethical conduct is misplaced in 2014. Lastly, I am also starting to wonder if I must evolve and change to align with what seems to be a growing industry norm.

First off, even in my early years in the industry, I was offered multiples of what we may refer to here as ‘brown envelopes.’ I never accepted them, while others in key positions at my employer at the time who did, were caught and subsequently dismissed.

In 2014, this element of skulduggery again raised its head when I was asked to visit an automobile manufacturer of all terrain vehicles, with a view to providing the company with security and penetration testing services. Meeting with the CISO, I was invited to the canteen for a discreet discussion where it was suggested that to win this business, there would be a requirement to supply some oil to the wheels – to the tune of 40 percent of the profits handed back in the form of one of those ‘brown envelopes.’

Now though I was keen to win this business, I was also very much aware that to enter into such a contract was not only dishonourable, but could well impact my personal liberty. Sometime later, I was again invited to attend a meeting with a view to being considered as part of the RFQ process, and here I was again reminded that there was a backdrop of a ‘consideration.’

Post that meeting, reflecting on the awareness of this situation, I was left with no alternative but to pull out, notwithstanding this was a business deal which was looking very lucrative. I guess here, my ethics got in the way of making money.

Again, when it comes to those cumbersome ethics of inter-organisational security actors, there can be a massive conflict of opinion where it may not be considered the right thing to speak out. Here, some organisations in the UK trading space see no problem with exposing their client base and partners to the potentials of cyber-crime and compromise.

For instance, when we look at the current push to deploy smart meters into homes, this has been placed very much on the back shelf when it comes to security, notwithstanding known security issues and vulnerabilities are in play. When it comes to protecting client confidentiality and their sensitive information in the form of banking details, it would seem that there are no internal worries when they are exposed, as it is only the multiple thousands of employees, contractors and third-parties who have potential access to such sensitive assets.

As if it were not enough to dismiss the ethical code-of-conduct which should drive us to do the right thing as security professionals, these assets were available for easy download to any form of media one wished to introduce. Be that their own smartphones, USB key, or mass 20GB storage device, it mattered not as all such mediums were welcome to unfettered access.

All of this was tolerated by the in-post CISO, his security managers and the host of multiples of security professionals. Thus, here the ethics were in place to, of course, safeguard the integrity of the organisational reputation by keeping things under wraps, but they disregarded their exposed public, business partners, or the fact they were presenting the governance agencies with a falsified dashboard.

When it comes to the information security industry, we should be going about our business with a level of ethics which are not misguided to such an extent where we are happy to allow insecurity and exposure to be tolerated. If however we do, then we are accepting that insecurity is the norm, and by inference accept that its onward impact on the economy, and its populace is okay.

If we are to believe that such an approach is sustainable and abiding by the code of organisations, such as the ISSA and ISACA, then maybe we need to think again. If we as professionals are to engage in such dishonest activities which seek to exploit those who are employing us, then we are no better than the rest – should such a person also be considered a criminal?

So, I started this conversation wondering if my own approach to security, along with the application of ethics is correct in 2014. While this may not be in ‘fashion’ or may not be held in high esteem by some, I stand by the fact that these qualities are part of what being a security professional stands for in 2014 and they are thus essential to the survival of our digital economy.


About the Author: John Walker is a Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), CTO and Company, Director of CSIRT, Cyber Forensics at Cytelligence Ltd., Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, and is a Certified Forensic Investigation Professional.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.


  • Professional Ethics and the application of sound moral judgement are important in any profession. For the long-term success of the profession itself and the standing of the members of that profession. In my opinion it's even more important for a security practitioner.

    It's important that organizations seek us out and trust what we say; our work is important. Crimes and disasters (often financial in nature) can be the result of a failure to believe and follow our advice. One way to help in this process is an unassailable reputation for honesty and firm moral conduct.

    If some of us inculcate that we're untrustworthy, it rubs off on all of us. Here in the states, lawyers and used car salesmen are examples of people you don't want to deal with, because they're sullied with poor reputation. Doctors less so.

    Also, the truth can be a defense for you, politically and legally; if you present and document the truth and your honest advice carefully and clearly, failure to follow it won't reflect poorly upon you. We can find stories of contractors and consultants tasked with corporate security. When a newsworthy breach occurs, won't it be better to say, if challenged: "well, it's a tragedy, but you can see here in our previous engagement that we warned of this–it's bad luck that the customer wasn't able to fix it in time."

  • Ervin F.

    Sad but true, the norms of the society have come to expect unethical behavior. Then again as I watch management hire anyone to become a security professional based not upon experience, certification, or other qualifiers what can be expected. Modern management teaches that security should be considered as a "risk" and that anyone trained in risk management can manage the security of the organization. After all simply look at the cost of dealing with the threat and handle accordingly (avoidance, retention, reduction, and transfer), what this fails to consider is that security is an entire group of classes of risk – not a specific risk. This is caused by poorly informed upper management. Managers are hired to help reduce friction in an organization, so their mindset is already set to enable the worker not on whether or not a hard choice should be made. Don't blame them, simply understand that they have been conditioned and work within that framework. Security professionals however (at least the ones that I know), start with a completely separate sense of ethics and responsibilities, a deeper understanding of the threat environment or that the threats are real, and understand that there is an evolving threat no matter the day. Not all risks are threats but all threats are risks, one is passive one is active – security professionals need to deal with threats – the active components. These professionals need to be aware that they will often work for individuals who only see making things work as an option, but sometimes the ethics behind making things work actively exposes us to those very threats that we guard against.