by Dr. Shuyler Jan Buitron, DCS, MSIA, CISSP, MCSE
Throughout my information technology and information security careers, I have encountered many different philosophies and ways of operating. The information security professional represents the profession wherever he or she goes. I spent some time mulling over the responsibilities of the information security professional, and of the profession in general. I came up with nine overall duties or obligations for the person working in the profession.
Keep in mind that some of these tenets may reflect the (ISC)2 Code of Ethics (ISC2, 2010). I read their code of ethics at least once every few months. Any similarities are unintentional. There are probably more obligations to add; this is a quick list.
1) Protect the Commonwealth
This concept encompasses the fact that our profession reaches into all aspects of protecting the companies for which we work, the people around us, and the country in which we live. Our obligations do not cease when we leave work.
2) Educate yourself, stay current
Keep reading and learning. Because the threat landscape and the business of information security are continually changing, read up on what is affecting the world of InfoSec every day. It doesn’t hurt to study for and pass certification exams. And of course, attend security conferences when you can. These types of activities keep the mind active and help the professional to be aware of issues that will shape the future business of security. In the early 1980s, there was little attention paid to the malicious insider threat. Today it is a hot topic in the information security community and beyond.
3) Share knowledge
When you learn something, share it with others. They, in turn, will probably share information with you. No one information security professional can know everything. (If you meet someone who claims to “know it all,” they probably do not.) Interacting with other professionals to circulate knowledge enhances the profession. We all grow thereby. In the long run, the profession grows too. Knowledge-sharing includes sharing knowledge with those outside the profession. It is our job to educate and inform people who do not spend their days immersed in the business of security, as we do. It is our responsibility to dispel FUD (Fear, Uncertainty, and Doubt) and present a realistic picture of threats, responses, and preventions.
4) Keep your ethics intact
When a person represents the interests of the information security profession, people expect the professional to adhere to a code of conduct. I have seen security professionals go out of their way to return lost keys or wallets to their owners. Responsible behavior also applies in the work environment. Presenting honest and realistic information to our peers, managers, and leadership is an absolute must. Security individuals should keep high standards in all aspects of their lives.
5) Mentor others in the profession
The information security profession is in high demand and needs more people to join the effort. Reaching out to mentor is a great way to expand the cause. What might surprise some people is that the mentoring process is not a one-way interaction. Often, the mentor learns more while assisting a mentee than they would have otherwise. (This includes bringing women into the mentoring process, but that is another article.)
6) Be active in the community
This activity ties in closely with mentoring, but it is also a way of encouraging the professional to join groups that are closely associated with information security, such as ISSA or InfraGard. Being a part of other security-related groups in the community expands both knowledge and respect of the practice.
7) Preserve and protect the rights of co-workers and other individuals
A subcategory of ethics is the requirement that a professional security person should not abuse their privileges in the areas where they work or live to peruse or exploit information to which they have access. Make sure to suppress personal curiosity and keep ‘want to know’ out of the picture when accessing ‘need-to-know’ information.
8) Stay creative and exposed to new ideas
Keeping creativity alive ties in somewhat with knowledge sharing, but the intent here is to take it further. I believe that a difficulty with the current state of the practice is that professionals may be bringing the same solutions to address new problems that face the information security industry. It’s time to not only think outside the box but to break the box. Maybe it’s time to reshape the box into a sphere or a dodecahedron.
9) Contribute to the Body of Knowledge
Last, but not least, the information security professional should make it a goal to contribute to the body of knowledge. Adding knowledge might not entail writing. It may be that one’s interests lie in building and testing networks, breaking things, deconstructing malware, or teaching a security class to people at any level. Writing can be a good method of conveying the ideas from your work, but there are other methods. One can contribute by creating YouTube teaching videos, volunteering in the community, or joining an organization like ISSA or those hosted by (ISC)2. There are several choices. Make it a goal to contribute to the industry in whichever ways you can.
References
(ISC)2. (2010). Code of Ethics. Retrieved from (ISC)2; previous version, now unavailable.
(ISC)2. (2018). Code of Ethics. Retrieved from https://www.isc2.org/Ethics#