Codes Of Ethics

I'm all in favor of codes of ethics -- where they make sense. For example, law enforcement personnel need a code of ethics, but perhaps garbage collectors do not. Lawyers certainly do, but coin collectors less so.

Now I know some readers will say: "Ethics- Smethics, we don't need no stinking code of ethics!or similar. However ethics are not black and white. Many gray areas exist, and for guidance in those gray areas for professionals, a code of ethics is essential.

For non-professionals, or non-professional pursuits, a personal code of ethics is appropriate, whether explicit or implicit.

For example, three organizations involved with information security (GIAC, ISC2, and ISSA), have recently approved a Unified Code of Ethics for Security Professionals and I laud their efforts.

Why?
Well, it's for "Professionals" and "Security Professionals" at that. Anyone involved in security works in an area where ethical standards need to be high AND uniform. Security is all about risk management, and risk management is essential to all organizations -- if they want to continue to exist!

Also, and from a slightly personal perspective as I'm an information security guy from way back, "we get no respect" (thanks to Rodney Dangerfield for this slightly modified quote of his).

We get blamed for inconveniencing people (e.g. "damn password rules"), the business people usually see us as less than partners or equals, and even IT finds us annoying sometimes. Certainly this is partially our fault, at least historically, but a code of ethics is a great step towards being percieved as professionals who ADD value, not just cause inconvenience.

Codes of ethics? For professionals in business critical roles, a great idea. For anyone involved in security, whether military, police, parking maids, or information security, in my mind, essential.