Jan 28 2004
Ethics in Security
From Dictionary.com:
ethics (used with a sing. or pl. verb) The rules or standards governing the conduct of a person or the members of a profession.
It’s funny, but over the last several days this has been a major topic in my conversations with the people I work for and with. I have been contracting for the same company for two years now, and I decided that it’s time for me to move on. Part of the issue is the length of my commute, but the internal politics at the company also play a part. My own personal sense of ethics has made me be very up front with my employer and let them know that I’m looking. So far, this seems to be appreciated.
As of last Friday, two of my co-workers became former co-workers. One left of his own free will for another job, the other left at the request of the company. Both already have positions elsewhere they are going to fill, and will hopefully be happier at the new position than they were here. In both cases I had occasion to speak to them, and the conversations touched on the ethics of security.
(Beware, fairly long rant follows)
In both cases, as soon as the co-workers left, all their accounts were disabled, the systems they had administrative access to had their passwords changed, and all remote services for the gentlemen were cut off. In both cases, it was what was expected by everyone involved, and it was the right thing to do. But some of the feedback I got from my former co-workers got me thinking about how much of a role ethics play in our chosen profession.
As a CISSP (Certified Information System Security Professional for those who don’t speak acronym), I was required to sign off on a code of ethics. As a (nominal) Christian, I have a prescribed set of ethics. As an adult, I have a set of ethics that have evolved over the years. Each of these sets of ethics sets its own particular boundaries on my actions. What amazes me is how many other people out there have equally well developed ethics, but are willing to ignore them whenever it is convenient or profitable.
I have two acquaintances, who are not in the security field, who fairly often do things I consider unethical. In one case, the person is simply amoral, has no concept of ethics, and just does whatever is going to be the best for him in the short term. He is not a bad person, but the concept of ethics and morality is simply beyond him. Luckily, he does understand rewards and punishment, and has learned not to perform actions which are illegal or will anger people. Usually the hard way.
The other acquaintance has a good sense of ethics, but she goes out of her way to cross the line whenever possible. I have a much harder time understanding her mindset than I do his. Why does someone who knows the difference between right and wrong choose to do wrong? I suspect, in her case, that it is a form of rebellion against society in general and her mother in particular that causes this behavior. In any case, I try to avoid both of these people, even though we’ve been in the same circle of friends for nearly 20 years.
What does this have to do with security? Separate from the code of conduct I signed when I tested for my CISSP, I have my own code of ethics. I feel that it is my responsibility to do my best to protect the enterprise I am responsible for to the best of my ability, and not allow harm to come to it either through my action or inaction. I owe it to my co-workers to be honest with them and deal with any problems face to face, rather than talking behind their backs. My boss has the right to know that I’m not happy with the current situation, and that I’m looking for a new job. When I leave my position, my current employer will be confident that I’m not going to perform a denial of service attack against their network. But not everyone has the same ethics I do.
How often do we read security headlines about an employee who was laid off and came back to take down the company network? Or a contractor who left a logic bomb behind and demanded money for the disable password? Or comes back with a gun? I can’t understand the mental processes that go into making the decision behind any of these actions. And I hope I never do.
When I decided to become a security professional, I mentally trotted out my ethical ruleset and pondered which actions would or wouldn’t pass my moral firewall. I continue to do so from time to time, just to make sure that my moral compass points in a direction I’m comfortable with. Just as I make sure to take the time on a regular basis to update my skills, I take the time to review my actions, present and future, to make sure that I’m headed in a direction I’m comfortable with. I don’t think many people take the time to examine their own ethics, either inside or outside the security field. But I think it is something they should do.
As security professionals, our skills are one of the most obvious sets of benchmarks that others measure us by. But a much less obvious, but perhaps more important, measurement of our worth is how others perceive our ethical character. Who wants to hire a security analyst who has a reputation for less than outstanding behaviour? Our reputation becomes more and more important as we specialize further in the security field. And, as many of us as there are, the security field really is a fairly small group who communicates fairly effectively amongst itself. Be careful what you do and say today, for it may come back to haunt you tomorrow.
In closing, while I have stressed to some degree the external aspects of ethics, personally, I take the internal aspects of my ethics the most seriously. How others perceive me is important, but it is much more critical to me that I perceive myself as honest and ethical. At the end of the day, I want to be able to go home and know that I did the best, most ethical job I could. I’m not perfect; I’ve done things in the past that have gone against my ethics, but I hope I’ve learned my lesson. I want to be able to sleep at night knowing that I have satisfied my own moral strictures. I hope you can do the same.
One Response to “Ethics in Security”
Don’t beat around the bush, Marty!
Tell us how you REALLY feel.