I’ve been thinking about ethics as part of evaluating my values system, particularly the ethical standards I have accepted as part of my professional life.

Most technical certifications do not have ethics statements attached to them. Security certifications do. The first one I signed was the ISC(2) Ethics Standard. The second is the CISA code of ethics.

These weren’t too bad.

The one that terrified me was CAPT’s ethics following the MBTI Qualifying class.

The realization that I can cause harm chilled me. Can I cause harm in the course of info sec activities? Sure–I can conduct an investigation wrong, I can fail to be diligent regarding information integrity, etc. But the ethics discussion around the MBTI affected me deeply.

I’ve talked to other geeks who have signed similar codes of ethics. Some of them see it as just another hoop to leap through and don’t consider the document meaningful. I suppose, to some extent, I felt the same way once, before I actually started doing info sec work and began to really understand the position of trust I inhabited.

The more I think about this, the more I realize the dangers of turning info sec into a commodity. Do people who are motivated only by the desire to progress at any cost recognize the nature of their work? From what I’ve observed, I don’t think they do. I see geeks jump through their hoops and proceed to abuse their power and position for their own gain. The welfare of the organizations they work for becomes lip service. In some cases, these same geeks look greedily at the work I do, figuring that it’s simple. Perhaps the tech is simple, but the surrounds are complex–protect the confidentiality of the clients, protect the integrity of the evidence and data, keep an open mind so that nothing is missed, and commit to respecting one’s limitations and strengths. It’s more than just tech work. It’s about people and people’s lives.

