This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
Download it now to read this article plus other related content.
Professional organizations use ethics policies to protect their certifications instead of promoting ethical behavior.
Every major security certification organization--ISACA, GIAC, (ISC)2 and ASIS--has some sort of ethics requirements, which at first blush appears good for both the security community and the world at large. After all, doctors and lawyers have ethics requirements. And Sarbanes-Oxley requires every employee of every covered company to annually sign off on what is effectively an ethics statement.
However, these security organizations seem to use ethics requirements as more of an excuse to protect the certification rather than having any real interest in promulgating ethical behavior by their members or constituencies.
These groups like to say that they certify knowledge, not qualifications for employment. However, aside from the Professional Certified Investigator (PCI) from ASIS, which requires the ability to identify potential ethical conflicts in investigations, none of the traditional information security certifications (CISSP, GIAC or CISM) has ethics as part of its curricula. Clearly, they don't view ethics as part of the day-to-day knowledge or skills necessary for a member of their organizations to do their job.
The security certification groups also like to talk about how security people are in trusted positions and should be certified much like lawyers and doctors. Yet while doctors and lawyers in many states
If that wasn't enough of a problem, we also have a marked lack of consistency among the organizations' ethics policies. An ethics policy--like any security policy--should be short and to the point, acting as a high-level guidance document. ASIS and ISACA have very good ethics codes posted on their Web sites. (ISC)2's is a bit wordy and its ordering is confusing. GIAC's policy highlights my concern about ethics being used to protect the certification rather than the profession by not only specifically calling out "Respect for the Certification," but also ranking it above respecting one's employer and one's self.
Finally, there is a lack of transparency in the process of handling ethics violations. Although all four organizations publish a process for complaints, only ASIS fully explains the entire process, including appeals. I'm told that GIAC at least separates the ethics team from the team that grants certifications, but that is not publicly documented. Similarly, the Web sites of these groups do not disclose how many members were disciplined or what percentage of claims led to disciplinary action. (GIAC does hint at this by listing the "number of students terminated/ revoked for plagiarism or other ethics violations," although how this relates to certified members is unclear.) Additionally, the sites fail to distinguish between individuals who let their certifications lapse or had them revoked.
So what we have are organizations that claim they want professional respect and therefore have ethics policies, yet do nothing to actually encourage ethical behavior. We as a profession have two choices when it comes to ethics: We either need to train ourselves appropriately or stop talking out our hats about it.
This was first published in July 2007