Cybersecurity Ethics — Week 1 · Module 02
The Security Professional's Role
A profession is something you can be expelled from. A job is something you can be fired from. The difference is what your code obligates when those two consequences point opposite directions.
13 slides · ~13 minutes · Spinello Ch. 2 (security-professional lens)
Slide 2 of 13 · The threshold
What Makes Cybersecurity a Profession
Sociologists of the professions — Greenwood (1957), Goode (1960), and others building on mid-century occupational theory — converge on roughly five markers. Cybersecurity has all five.
The argument: if cybersecurity is "just IT work," your only obligation is to your employer. If cybersecurity is a profession, you carry obligations the employment contract cannot extinguish. Spinello argues the latter; this course follows him.
Slide 3 of 13 · The web of obligations
The Five Professional Relationships
Daily-priority order is the reverse of the codes' hard-case order. Most professionals never have to face the inversion. The ones who do are why we have codes.
Slide 4 of 13 · The structural problem
Trust Asymmetry
You see what they do not. That is the whole point of hiring you. It is also the entire ethical problem.
The structural condition: in every other relationship in the org — sales, finance, HR, ops — the principal has at least nominal visibility into what the agent is doing. In security, they don't. Trust asymmetry is the security profession's defining structural condition. Codes exist because of it.
Slide 5 of 13 · Code 1 of 4
ASIS Code of Ethics
ASIS International. The largest membership association for security professionals globally. Code applies to physical, corporate, and information security practitioners.
Core obligations
Conduct lawful business; respect employer's confidentiality; observe rights of others; cooperate with peers; pursue continuing education; refrain from conduct that injures the profession's reputation.
Where it bites
ASIS holds members responsible for refusing assignments that conflict with the code. Holding a CPP, PCI, or PSP credential exposes you to ASIS disciplinary review.
The ASIS frame: security as a stewardship profession. The practitioner is entrusted with people, assets, and information. Stewardship implies obligations beyond the contract.
Slide 6 of 13 · Code 2 of 4
ISACA Code of Professional Ethics
Information Systems Audit and Control Association. Governs CISA, CISM, CGEIT, CRISC certification holders.
Core obligations (paraphrased)
Support implementation of and encourage compliance with appropriate standards; perform duties with objectivity, due diligence, and professional care; maintain privacy and confidentiality of information; serve in the interests of stakeholders in a lawful and honest manner.
Where it bites
ISACA operates a formal investigation process. Documented violations have led to certification suspension and revocation. The Code is invoked in litigation involving certified auditors.
The ISACA frame: independence and due care. Auditors hold a public-trust role that the auditee cannot extinguish. Conflict-of-interest disclosure is non-optional.
Slide 7 of 13 · Code 3 of 4
GIAC Code of Ethics
Global Information Assurance Certification (SANS Institute affiliate). Governs holders of GSEC, GCIH, GCIA, GCFA, and the broader GIAC catalog.
Core obligations (paraphrased)
Practitioner-style "I will" statements: act lawfully and honestly; protect confidentiality; do not use credentials to misrepresent qualifications; do not knowingly use insecure practices; support the security community; respect public, certification, employer, and peers.
Where it bites
GIAC's recertification cycle (4 years for most credentials) is also a re-attestation cycle. Misconduct can result in certification revocation.
The GIAC frame: hands-on practitioner ethics, written for the person who actually configures the firewall, runs the incident response, or performs the forensics. Read the code at giac.org for the authoritative wording; the statements above are a summary, not verbatim.
Slide 8 of 13 · Code 4 of 4
Ethics FIRST (FIRST.org)
Forum of Incident Response and Security Teams (FIRST). Specifically targets incident response and security operations. See first.org for the current code text and version.
Trustworthiness
Maintain confidentiality of incident details; coordinate with peers; honor non-disclosure obligations.
Coordinated vulnerability disclosure
Engage vendors before public disclosure; allow reasonable patch windows; do not weaponize.
Evidence handling
Preserve chain of custody; respect victim privacy; do not retaliate against attackers (even attractive targets).
Why Ethics FIRST is distinctive: built specifically for incident response, where the timeline collapses normal deliberation. Coordinated disclosure, evidence handling, and the "do not hack back" prohibition are operational rules — not aspirations — for FIRST team members.
Slide 9 of 13 · The shared baseline
Where the Four Codes Agree
Public-interest service is the only line every code states explicitly. When practitioners say "I have to do X for the company," the codes do not have a category for that. They have categories for client, peer, self — and public. The company can pay you. It cannot release you from public-interest duty.
Slide 10 of 13 · The hardest conflict
Confidentiality vs. Disclosure
Where every security professional eventually lands. The codes give you a framework; they do not give you cover.
The professional reality: the codes do not promise that doing the right thing will be cheap. They promise the framework exists, that peers have walked through it, and that your professional standing depends on whether you can defend the analysis.
Slide 11 of 13 · Reference case
NSO Group and the Pegasus Question
A defining case for "what does the code obligate when the code conflicts with the paycheck."
The case is taught because every part of it was foreseeable. Practitioners who read their code knew the conflict before they accepted the role. The question the case asks is whether the code mattered enough to override the offer.
Slide 12 of 13 · CSF anchor
This Module Anchors ID.GV
The professional codes are the governance layer the CSF assumes but does not provide.
Slide 13 of 13
Module 02 Takeaways
Six anchors for the professional layer.
1. Cybersecurity is a profession, not just a job — five sociological markers, including a body of knowledge, codes, and public-duty commitments.
2. Five professional relationships: employer, client, profession, public, self. Daily-priority order is the reverse of the codes' hard-case order.
3. Trust asymmetry is the structural condition that makes codes necessary. You see what they don't.
4. Four codes — ASIS, ISACA, GIAC, Ethics FIRST — converge on lawful conduct, confidentiality, due care, honest representation, and public-interest service.
5. Confidentiality vs. disclosure is the hardest recurring conflict. The codes embed a decision tree: internal first, document, proportional, consult.
6. NSO Group / Pegasus is the reference case for code-vs-contract. The conflict was foreseeable; whether the code mattered was the choice.
Next up: CSE-03 — the NIST Cybersecurity Framework. Codes tell you what to do; the framework tells you where to do it.