Given its importance, we assume a standard of ethics exists in cybersecurity. However, is this assumption accurate?
First, cybersecurity certification is high on the list of hiring requirements, and the community treats certifications with a special reverence. Second, many cybersecurity professionals hold multiple certifications, and they proudly display them in their online profiles and email signatures.
What matters most, though, is that every one of these certifications requires its holders to abide by a code of ethics.
A Code of Ethics
Each certifying body has a formal code of ethics, and its members must adhere to it. Enforcing the code is the responsibility of the issuing body and of its members.
Fortunately, the codes of ethics of the different bodies are very similar. Nearly all require their members to protect society and to foster public trust through honorable, honest, and responsible actions.
Herein lies the problem
Each time there is a cybersecurity breach, the security staff face an ethical dilemma. Should they remain quiet and let the company make the announcement? What if the announcement is delayed? How long is it appropriate to wait?
Or should they act as whistle-blowers and release the information themselves?
Unfortunately, the decision is not an easy one, especially when personal information is involved.
Cybersecurity professionals, and especially their leaders, fail to live up to their oaths each time they remain quiet following an incident in which consumer information is stolen.
By choosing to remain quiet, they place their own welfare ahead of the common good and fail to act honorably, honestly, and responsibly.
So are there ethics in cybersecurity?
At best, there is some serious doubt.