
Cyber-security leaders are increasingly making high-stakes decisions that affect business continuity, customer trust and even national resilience, yet formalised professional accountability has not kept pace. Clear guidelines, as mapped out in a code of ethics for cyber-security, would ensure teams know their own operating parameters while also establishing expectations with leadership and others about how cyber-security professionals are expected to conduct themselves in what could be stressful and critical times.
The understandable challenge, though, is that many organisations simply may not know how to develop a code of ethics that specifically addresses cyber-security. Where does one begin? And what is a solid methodology for ensuring that the code, upon implementation, doesn’t just get tucked away on some “digital shelf”?
Here are five steps for developing a strategic code of ethics for cyber-security. These steps guide informed and responsible decision-making, even under the pressure of a constantly changing landscape.
As with any organisation-wide policy, the best starting point is building the right team. In this case, it is important to look beyond your cyber-security experts. Of course, they will be your go-to subject matter experts, but other functional roles must be involved. A strong code development team comprises cyber-security experts, compliance officers, data/privacy officers, legal, HR, vendor risk managers and operations stakeholders.
This cross‑functional team can define a clear, realistic methodology and timeline for building the code. This upfront work will set clear expectations, establish momentum and ensure that the code is pragmatic, relevant and tailored to the organisation’s nuanced risk environment.
When developing an adoptable code of ethics for cyber-security, there is no need to reinvent the wheel. As the team begins to determine areas of focus, such as organisational values, relevant laws and regional considerations, benchmarking other publicly available codes can help refine the development process. This step is not meant to be a copy-and-paste exercise; instead, it is intended to help your team identify relevant themes, language, applications and coverage areas as a starting point for your draft. Benchmarking also helps inform design decisions such as word count, graphics, accessibility and usability. Codes can take many forms, so looking at other examples helps build a code that fits best for the organisation.
For instance, you could look to the UK National Cyber Security Centre’s Cyber Governance Code of Practice or ISC2’s global Code of Professional Conduct, both of which set out key principles and ethical standards designed to help cyber-security practitioners.
The draft of your code may tick all the right boxes on paper, but will it be clear and practical enough in execution? Getting feedback from internal teams will help ensure that the code is applicable and relevant, as well as aligned with the organisation’s actual risks and culture. You can use lightweight surveys to surface the top ethical pain points that security teams and employees actually experience (e.g. conflicts of interest, vendor pressure, cultural resistance to security, the push to move fast for innovation’s sake vs protecting due diligence). Talk to your teams about times and situations in which there was no clear “right answer.” What can you learn from those examples?
Another approach is to conduct an internal focus group, which can serve as the litmus test of whether the code is transparent and easy to apply in real-world scenarios. Participants can also help you identify any missing areas. For broad representation, it is best to create focus groups by role and job level, including leaders, managers and individual contributors across key business functions (finance, ops, product, marketing, etc.).
As employees and security teams face tough decisions (and cyber-risks) every day, they need clear expectations related to cyber-security ethics and professional conduct instead of unclear or ambiguous expectations guiding decisions and behaviour. It is therefore important to set the vision and tone of the code from the top as you roll it out across the organisation. Executive leaders can connect the dots by defining and communicating why the code matters, to whom it applies and how it supports responsible behaviour across the organisation. Middle management also plays a critical role in helping model ethical behaviour and is often the first line of support for employees when seeking guidance or advice related to an ethical challenge. Holding regular discussions about ethical decision-making and reviewing the code of ethics in one-on-ones or team meetings throughout the year are effective ways to bring the code to life.
Indeed, a clear code should become table stakes, serving not only an organisation’s cyber-security leaders and practitioners but its employees as well. Use existing onboarding, training and enablement channels to implement and communicate the code, and consider building role-based micro-modules (e.g. for developers, sales or IT support). Additional code-related tools, resources and awareness materials can help boost engagement and adoption. For cyber-security professionals and partners, you can integrate expectations into contracts/SOWs, operating procedures and performance reviews to streamline implementation and encourage adoption.
Executive leaders must champion repeated communication and storytelling that brings the code to life. Accordingly, they should revisit the code on a predictable schedule (e.g. every 18 to 24 months, or even sooner given the speed of emerging technologies such as AI) to ensure it becomes a living document that can strengthen trust, reinforce accountability and support principled decision-making. Use feedback from incidents, audits and employee surveys to refresh the code.
A great way to make sure the code is dynamic and responsive to ever-changing threats is engaging in tabletop exercises based on scenarios that call for on-the-spot, ethical decision-making. In short, champion repeated communication to all stakeholders across the organisation, as well as to third-party suppliers.
A code of ethics for cyber-security elevates both organisations and the cyber-security profession. Many of today’s most consequential security decisions sit in ethical grey areas such as varied or unclear data retention timelines, uncertainty related to vulnerability management, confusion as to what to do about ransomware attacks and balancing AI innovation and risk, especially where compliance frameworks and regulations provide limited guidance.
In these high-pressure moments, professional judgement, not just technical skill or regulatory adherence, determines outcomes that affect organisations, employees, citizens and national resilience. A clear code of ethics for cyber-security will guide that judgement.
Scott Beale CC is ISC2’s CEO
Main image courtesy of iStockPhoto.com and Parradee Kietsirikul
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543