Professional Ethics
Cutaway’s post about ethics at RSA reminded me that I wanted to post about this as well. Like Cutaway, I attended “Professional Ethics in the Security Disciplines” [link to https://cm.rsaconference.com/US07/catalog/profile.do?SESSION_ID=2238&form=searchform&ts=1171481000500 no longer works], which was chaired by Howard Schmidt; the panelists were representatives of SANS, (ISC)², ASIS and ISACA. All in all, despite Howard’s expert moderation, I remain underwhelmed by the idea of certification authorities enforcing ethical standards. All of the panelists avoided answering questions about the number of complaints they had received and the number of members actually disciplined.
I’m going to limit my comments for the most part to (ISC)², since I haven’t had any interactions with, nor am I a member of, the other organizations. My first issue is the lack of transparency in the process by which investigations are done and the apparent lack of any appeals process. After talking privately with Cutaway, I found out that at least in the case of SANS, the ethics committee is not part of the GIAC certification team, which is an excellent start to improving things.
My next issue is that (ISC)² requires that potential CISSPs read and sign a statement of ethics. That’s all well and good, except that at no point is there any reminder of what you signed or any requirement to reaffirm that such a code exists. Even my employer requires that I sign a document like that each year.
Finally, at least one speaker (unfortunately I don’t remember which one) made a statement that the rest of the panel agreed with: “We certify knowledge, not qualifications for employment.” I’m curious how they are certifying my knowledge of ethics when:
- There is no discussion of ethics in any of the training.
- There are no questions about ethics on the CISSP exam.
- Ethics is not part of the CBK.
So what it sounds like to me is that (ISC)² is really using the ethics requirement to protect the name of the certification, not to advance either the individual or the profession. (ISC)² and other groups like to equate security professionals with lawyers and doctors; if they are really interested in doing so, they should be providing actual training and discussion about ethics, not just using it as a hammer when convenient.
Update: Since some folks have asked me, the California State Bar publishes the Ethics Hotliner [link to http://calbar.ca.gov/state/calbar/calbar_generic.jsp?cid=10132&id=1112 no longer works], which covers news and developments on ethics issues. Bar rules are handled on a state-by-state basis, so presumably other states have similar offerings. Also, I’m told that chiropractors are required to take safety and/or ethics classes as part of maintaining their certification, which is good for four years. Several states, including Texas and Nevada, specifically require ethics training as part of the mandatory continuing education needed to maintain medical licenses, while other states such as Massachusetts require both a course of study on current regulations and a course on risk management.
[Image is Ethic&Disciplin from NathanaelArcher]
The security industry lacks self-regulation and any barrier to entry, two hallmarks of a big-P Profession. Discussing “professional ethics” in this space doesn’t go very far because there isn’t even a common ethical grounding across the certificate mills.
I’ve never ever heard of anyone losing their certificate for an ethical breach. I *have* had a representative of a popular certificate mill tell me that plagiarism was not an actionable breach of their ethical code.
Actually, I take that back. I have heard of ethics actions against people who cut into the various certificate mills’ revenue streams by copying their “boot camp” materials.