A majority of security professionals report ethics and values, or integrity and trust, to be one of their top five competencies. This is unsurprising as these are expected traits given the nature of the security profession. Interestingly, a minority place business acumen in their top five.

Similarly, companies that weave strong ethics and integrity policies into their core values tend to financially outperform other corporations over time. Key elements of these programs are a code of expected conduct surrounding behavior of employees including corporate leadership, suppliers and potential vendors.

Business ethics guidelines often include policy standards addressing prohibitions of behaviors that, while not criminal in nature, are viewed by the corporation as unacceptable. Companies recognize the negative reputational significance of actions that can project the appearance of impropriety or a lack of transparency.

The security function is often charged with administration of ethics programs within organizations. Activities can include awareness training, reporting and investigative efforts. As a result, there is higher visibility associated with the conduct of security leaders. Great care must be taken by those who manage these programs to ensure that internal and external dealings do not damage either the practitioner’s, or the company’s, credibility. While actions often have the best of intentions, consider the perception others may have because of your behavior.

Below are several examples of what we have seen over time. Any of these has the potential to damage your reputation should they become either internal or external public knowledge.

  • A for-profit organization using individual names and organization affiliations to promote their sales and marketing activities. Most companies have strict guidelines about use of service and trademarks by anyone other than their corporation. Utilize the processes they have in place to obtain their permission.
  • Attendance fees or expenses waived or offset by a scheme through the originating organization or supporting sponsors. Though perhaps well-intended, if your manager would not approve the item or activity as a budget expense, it is not a clever idea. It also likely exceeds your agency or company’s gift policy limit.
  • Serving as an advisory board member for one of your suppliers or potential suppliers. This sets up awkward relationships with other vendors. It also infers that your company is endorsing the product or service the supplier or potential supplier provides.

    “Just as an organization’s executive leadership is always under a microscope, so are security professionals.”


    There is an increase in security professionals falling for this tactic. An example would be Vendor “X” announces that CSO “Y” is now on their advisory board, promoting the practitioner’s name and title as associated with the vendor. The CSO is then invited to one or more promotional meetings masquerading as feedback sessions.

    Both companies and government agencies have strict policies against this. There are similar restrictions against pay-to-play publications.
  • Manipulating supplier invoice amounts through adjustment or added billings to create a set aside for travel and/or entertainment for you and/or your staff. While there are great business reasons for team building social events, this circumvents and likely violates your organization’s reimbursement policies. It is a career killer.
  • Hosting events, meetings or entertainment and having one or more subordinates pay the expenses to allow you to approve the expense report. While these may well be within your authorized budget planning, if you feel the need to hide the details from your manager or break up to expense to reflect your limits of authority, this is not considered by any organization as within their ethics standards.

Just as an organization’s executive leadership is always under a microscope, so are security professionals. This is especially true for those charged with administration of ethics programs.

Your actions, words and behavior are constantly being judged even when you are among colleagues. Do not believe for one minute that stories and assumptions based on observations, or even partial facts, are not repeated and passed along. They are. It is important that you stay above reproach and ensure that you and your teams lead by example.

Organizations and the security profession in general leaks information and shares it at lightning speed. The avoidance of reputational concerns and the foreseeable damage they can cause is not about political correctness. If you hide facts or convince yourself and your colleagues of spurious justifications for your actions during your professional life, your ethical reputation is at risk.