IT Security and EthicsShould Security Leaders be Held to a Higher Standard?
In my experience, IT security leaders are not held to any different standards than other executives when it comes to dealing with vendors. The ethics of accepting favors or - let me be frank - bribes from vendors is quite common. I've seen some environments where it's a mandatory topic of discussion; senior employees are told the policy and are expected to follow it. Mostly, though, it seems to just be "understood" that if you're accepting favors you're doing so because the vendor expects to influence you and that you've compromised yourself if you start down that path.
During the course of my career, I've seen only a couple of extreme incidents of this type. In one case, a vendor's sales representative took a decision-maker from a customer out to a club and paid for drinks and entertainment. Word of that incident got around, and it damaged both the career of the executive and the sales rep, though there was no formal disciplinary action. The situation was tricky because the customer was a good client in long standing, so there wasn't a direct "quid pro quo" that anyone could point at.
Outright bribes and gifts seem to be less of a problem at the executive level than failure to completely disclose corporate interest.
Honestly, it hadn't occurred to me that anyone would do something so stupid in a professional context until that incident, but afterward I made sure that my VP of sales and his team knew that was not how we were going to do business. Subsequently, I had a reseller in the Pacific Rim imply that we needed to "sweeten the pot" for a relative of his who worked at a government ministry - perhaps with some stock options - and I simply told him flatly, "I'm going to pretend that was a joke, so I don't have to tear up our partnership agreement."
Outright bribes and gifts seem to be less of a problem at the executive level than failure to completely disclose corporate interest. I was involved in a situation a few years ago with an IT director at a major hospital who was channeling business to a start-up run by a few of his friends. That might have looked suspicious enough, but he was on the start-up's board of directors, too. It gets a bit harder to sort out what's right when you've got venture capitalists on your board of directors saying "we invested in you, and we think you should do business with this other company we also invested in." I've experienced that kind of pressure before; it's very difficult to navigate it cleanly.
The best advice I can give anyone is to always make sure you are clear at all times whose interest you are representing, and to not try to advance two interests at once. It's always easiest to tell if you're getting on thin ice if one of the interests you're advancing is your own. If you're ever about to do something and think you might possibly get in trouble with your board of directors if they knew about it, then that's a pretty good warning right there.
Most of us, nowadays, are properly disgusted with the revolving door cronyism and pork-barrel politics we see in Washington. That is what the bottom of this particular slippery slope looks like. We've all got to hold ourselves and our peers to a high standard of conduct.
Marcus Ranum is CSO of Tenable Network Security. Since the late 1980s, he has designed a number of groundbreaking security products.