Business Ethics

Business Ethics in the Cybersecurity Industry is Far From a Given

The very word ‘security’ conjures up feelings of safety, honesty, and integrity.

Business ethics, on the other hand, conjures up this:

[Image: ‘Business Ethics’ Demotivator poster]

[The irony is, I completely stole the ‘Demotivator’ idea from!]

The phrase ‘business ethics’ itself is used as an example of an oxymoron, like ‘military intelligence’, ‘happily married’, and ‘PCI compliance’. But that’s because it is not well understood by the vast majority of the population. After all, how do you teach morality?

Business ethics is the difference between right and wrong. Not in terms of business decisions, but in terms of accepted societal norms: don’t steal, don’t lie, don’t dump toxic waste and so on. Corporations should be every bit as accountable to society as individuals are. We shun adulterers, thieves, letting agents and so forth, yet we allow Amazon, Google et al. to get away with enormous tax shelters.

Negative connotations aside, business ethics is almost the same as Corporate Social Responsibility (CSR). I think most people will agree that more responsibility is better than less.

Unfortunately, the security industry has just as many ‘profit-before-service’ CEOs as any other industry sector/vertical. But to me this is somehow worse, like a crooked cop.

As security professionals, we have an enormous amount of influence over our clients. This is the Information Age, and we are the ones who are supposed to help them protect their data. From intellectual property to personal information, the impact of loss can be very severe at both the corporate and the personal level.

Dramatic though it sounds, if a company goes out of business because of a data breach, the livelihood of every family of every employee is affected. And what about identity theft? This can be absolutely devastating to the victim.

Yet despite this responsibility, our work is still treated as ‘just business’, with no thought given to either the short-term best interests or the long-term sustainable growth of our clients.

What are the Signs?

Here are a few warning signs of whom to avoid:

  1. The organisation has no obvious vision or values – I have mentioned this a dozen times at least; it is a direct reflection of the CEO’s lack of vision and values. Perhaps worse still is an organisation that either OUTSOURCES the development of its vision statement, or asks its employees what it should be. See Loyalty vs. Personal Values.
  2. The other organisation’s vision and values don’t match those of YOUR organisation – just as individuals can be incompatible, so can companies. If yours is passionate about community outreach, or being ‘green’, or charitable contributions, and your partners aren’t, this can lead to conflict in the area of business ethics.
  3. They try to sell you as much product as possible without making any effort to put that technology into context, usually by omitting the consulting needed to make it work for you. See Insecurity Through Technology.
  4. Their products are sent to market long before they are ready, and they don’t work as advertised. Or they don’t support your compliance efforts. That said, due diligence is entirely your responsibility, and an assessment of a product is really quite simple. See Vendor Due Diligence: Assessing Cloud / Service Providers as an example.
  5. Ex-employees are less than flattering, or – hopefully for them – just say nothing.

Sustainability is a direct extension of business ethics, and you owe it to both yourself and your organisation to ensure that you are doing your part. Companies are the new communities, so there is no such thing as “It’s only business.”

If you think I'm wrong, please tell me why!