Date: 2026-03-02

You get a code of conduct! You get a code of conduct! Everybody gets a code of conduct—including cybersecurity professionals, who just got a new one to reference in their day-to-day life.

In February, cybersecurity advocacy organization ISC2 rolled out its “Code of Professional Conduct,” a set of ethical standards for cybersecurity professionals, including:

A responsibility to proactively secure emerging technologies like AI and quantum computing

A commitment to report security vulnerabilities, shoddy practices, and unethical behavior that could put people and businesses at risk

A promise to not inflate claims about expertise or qualifications, or cheat on exams

Entities like the Information Systems Security Association and United States Cybersecurity Institute have similar standards for their respective organizations.

They grow up so fast! ISC2 COO Casey Marks caught up with IT Brew to discuss the backstory behind the organization rolling out a code of conduct, which was based on input from almost 1,400 cybersecurity professionals. He said the new guidelines will serve as a shared foundation for cybersecurity professionals, helping inform their decisions.

“We have rightfully identified that we are probably not doing enough in the public space to give confidence to the public and to employers about when you hire a cybersecurity professional, how should they behave? How should they be acting?” Marks said.

The code of conduct signals a big “maturity moment” for the cybersecurity industry, Marks said: “The recognition of, ‘Yes, we consider ourselves a profession,’ is probably the single most important thing to then be able to say, ‘Okay, if we consider ourselves a profession, how do we hold ourselves accountable?’”

Stamp of approval. Jonathan Weissman, principal lecturer of cybersecurity at Rochester Institute of Technology, said ISC2’s code of conduct gives the sector the ability to be compared to other mature professions.

“Cybersecurity is now placed alongside other established professions like medicine, law, engineering, where ethical obligations are really fundamental and foundational,” he said.

Dave Brown, CISO and CIO of cybersecurity company Andesite, added he was appreciative of ISC2’s choice to solicit input from the cybersecurity community to form the document, and that he sees it as a good addition to the profession.

“Absent of a code of conduct, whether it’s your own individual one or one of an organization, people tend to just kind of run a bit awry,” said Brown, who’s an ISC2 member.

One thing Weissman wished the code included is consequences for individuals who violate any of its provisions. However, Marks said that’s something ISC2 is currently debating.

“There is not a specific compliance or enforcement mechanism,” Marks said. “That’s going to be debated amongst the membership in terms of how they want to hold themselves and be seen held accountable moving forward.”

Work in progress. ISC2’s Code of Professional Conduct is a “living, breathing document,” according to Marks, meaning it will continue to evolve alongside the industry.

“It’s not done. It’s not even complete in a certain way,” Marks said. “And I’m not sure when it will get complete, but it’s complete for today. It’s not complete for good.”