IT@Intel Blog

Ethics are the very cornerstone on which any security organization is built. Without them, a security team is doomed. It will not be respected, only feared; it will not be supported, only ridiculed or ignored. It is a downward spiral of failure for security organizations practicing unethical behaviors. Management and customers will lose faith, leading to a loss of funding, access and representation. Resources, tools, and overall capability will diminish, leading to a loss of effectiveness and value, further advancing the loss of faith by management and customers. Concealment, inconsistency, indifference, or treading in the gray areas of ethics only prolongs the inevitable trip down the slide to defeat. So how can it be that many security professionals have a casual attitude and an apathetic commitment toward ethics?

I have been reading some disturbing stories about security professionals being unethical and in some cases fired or arrested for their activities. These stories aren't hard to find. Trusted security people breaking into systems and networks, deciding not to report criminal activities, or ignoring inappropriate activities to avoid complications are common examples of poor ethos. People violating the policies they are employed to enforce and uphold is downright despicable. In many cases, what is worse are the comments left by readers condoning inconsistent behavior on behalf of security. Comments like "pick your battles", "follow your conscience", or "you should only be ethical if others are" are very upsetting.


Reader Beware
I am a fanatic about ethics. I firmly believe that ethics, following a code of conduct, is the foundation of every professional security organization. Without consistent ethical behavior, a security team is destined for failure, will open the organization to increased liability, and will sour future investment in security.

Okay, let me be the first to admit, I have it easy. The security professionals I have the pleasure to know and work closely with are of the highest moral caliber. I am fortunate to work in an organization which embraces the principles of ethics. We derive our support from the corporate principles which are ingrained within the company as a whole and are driven out to all corners. My company (I am a shareholder too) spends time to train, discuss, and reinforce ethics with all employees.

I support ethics in all vocations, but in some they matter more than in others. Security personnel must be held to a higher standard, just as judges and law enforcement must be viewed as incorruptible. Ethics must also reign supreme in the financial and medical industries. Nothing less is acceptable. We too, as security professionals, should be put under the microscope and make firm commitments to consistency and the highest level of behavior. Our organizations place trust and faith in us that we will be honest, capable, and perform our duty in an unwavering manner.


Intel's Security Operations Center - Code of Conduct
When I spun up Intel's Security Operations Center, every employee was trained on ethics and we developed a Code of Conduct to ensure the expectations were clear and that, as a team, we would all conduct ourselves in a conservative manner.

Intel's Security Operations Center - Code of Conduct
1. Provide diligent and competent service to principals
  • Provide timely, professional, and productive response to our customers, peers, vendors, business partners, and management
  • Act honestly, justly, responsibly, and legally
  • Act impartially to all groups, persons, and organizations

2. Protect and conserve Intel property, resources, and reputation
  • Preserve and protect the value of corporate systems, applications, and information
  • Operate fully within the law, observe corporate policy, and align efforts with standard operating procedures
  • Disclose waste, fraud, abuse, and corruption to appropriate management or oversight bodies

3. Promote and preserve company trust and confidence of the team
  • Take care not to injure the reputation of the team through malice or indifference
  • Be truthful and accurate in representation and all communications
  • Respect the trust, access, authority, and privileges the company grants you
  • Promote, comply, and reinforce company security policies, procedures, and intentions
  • Avoid conflicts of interest or the appearance thereof


Everyone is ethical, right?
Ever ask somebody if they are a good person or ethical? I will bet you will hear some variation of the same answer: "Yes, of course I am!" How many people openly admit or believe they are not ethical? So, are you? Yeah, exactly what I thought you would say.

So, Mr/Ms Ethical, you wouldn't be averse to answering a few ethics-related questions? These are a subset of the questions I ask when delivering the ethics class to our Security Operations Center. They should be easy for an ethical, security-minded professional such as yourself...

1. You are conducting a confidential investigation of Employee 'A'. An employee outside the team asks, "Are you investigating Employee 'A'?"
   You answer:
   A. Yes, we are
   B. No, we are not
   C. Maybe
   D. I'm not sure/I don't know
   E. Other: _____

2. Policy prohibits any team member from installing software on Server 'A'. In an emergency situation, senior management instructs you to install a critical piece of software on Server 'A' to benefit the company.
   You cite policy and:
   A. Install the software
   B. Refuse to install the software
   C. Document the request and install the software
   D. Document the request and refuse to install the software

3. You are aware state law prohibits any team member from removing software from Server 'A'. In an emergency situation, your management instructs you to delete a critical piece of software on Server 'A'.
   You cite state law and:
   A. Delete the software
   B. Refuse to delete the software
   C. Document the request and delete the software
   D. Document the request and refuse to remove the software

4. Your manager instructs you to do something which is contrary to normal operating procedures. What do you do?
   You cite the normal operating procedures and:
   A. Do what is asked and report the incident to senior management
   B. Refuse to do what is asked and report the incident to senior management
   C. Document the request and do what is asked
   D. Document the request, refuse to do what is asked, and report the incident to senior management

Life is vague. Ethics don't need to be.
We all find ourselves in unique circumstances which are complicated and tricky. Applying a code of conduct illuminates the right ethical path. Allowing 'flexible ethics' and 'gray area' practices is ultimately self-destructive and leads to instability and demise. Make a stand.


So what are the answers to the above questions? Well, since we all indicated we are ethical, there really is no need for me to provide the answers. We all know them.

Nov 14, 2007 6:39 PM Matthew Rosenquist

I see a couple of fellow bloggers have picked up on this topic. “Andy, ITGuy” at http://andyitguy.blogspot.com/2007/11/are-you-ethical.html states “Ethics has to be at the core of who we are and what we do if we really want to succeed in life and in our careers”. Well put. Check out his blog and look for his “I read your email”-shirt story for a good chuckle.

Martin McKeay at the Network Security Blog
http://www.mckeay.net/secure/2007/11/ever_heard_of_a_code_of_ethics_1.html
disagrees that Ethics are easy but agrees “security professionals have to have a code of ethics and be held to a higher standard than most professions”. So far he is the only person to post answers to some of the questions. He nailed the first question perfectly. Outstanding!

I still contend, with a little bit of thought and a trusty Code of Conduct, it is easy to identify the ethical course. What is not easy, is always taking that path.

Ethics are not complicated. As kids we were all taught some derivative of the Golden Rule (some incarnation of “treat others as you would like to be treated”), which is basically ethics. My 4-year-old daughter knows the difference between household policies and the law. She understands home policies are created by the adults and are adjusted as needed by them. She is also quick to point out to any passengers in our car that they must wear their seatbelt, “it is the law”, and even adults are subject to that rule. Having a 4-year-old’s voice coming from the back seat firmly stating “it’s mandatory!” is darn precious. It illustrates what code of conduct is acceptable and that not all rules are equally weighted. She knows the law supersedes home rules. For us professionals, the same principles apply. From an ethical perspective, governmental regulations and laws supersede corporate policies, just as corporate policies supersede departmental procedures. A security professional is bound to the highest set of principles while knowing who has the authority to change the expectations at different levels.

Jul 27, 2008 10:27 PM Guest mae anne tabasin

Thanks a lot for your information. It really helped me with my studies in IT. Hope you continue to help the people and the world... God Bless....
