Do ethics get in the way of security professionals?

While it’s convenient to think that the information security industry is made up of highly ethical individuals who make the right decision every time, a stressful situation can turn things around faster than you can say black hat.

A sharp increase in data breaches and a plethora of successful cyber attacks have elevated the importance of information security within an organization to the point of making it a boardroom issue.

At this year’s RSA Conference in San Francisco, AlienVault conducted a study that garnered 1107 responses from attendees, and these were the key findings:

  • 20% of respondents have witnessed a company hide or cover up a breach.
  • Security breaches are used as leverage to increase security budgets.
  • Over half of security professionals utilize hacker forums or associate with black hats to keep abreast of the latest threats and technologies.
  • Most believe the CISO should be ultimately accountable for a breach.

“Information security is a young profession that has been thrust into the forefront of the political, business and media spotlight. As such security professionals can come under a great deal of pressure from many angles which can result in them cutting corner to get the job done,” Javvad Malik, Security Advocate at AlienVault, commented for Help Net Security.

Whether an organization has or doesn’t have an effective incident response plan, when a breach occurs a drama plays out behind the scenes. Someone needs to take the blame, because let’s face it, ultimately it’s all about appearances.

If we look at the stats, AlienVault found that the majority (38.8%) puts the blame on the CISO, but a thought-provoking 23.9% believe the CEO should take the fall.


10.2% believe auditors should be blamed, which brings us to one of information security’s favorite mantras: “Being compliant does not equal being secure”.

If you’ve walked the halls of an infosec show in the past few years, you’ve been bombarded by promotional materials telling you you can’t prevent a breach, and that it’s just a matter of time before you are breached. To that end, a whopping 66.8% of respondents would use such an event to convince the board they need a bigger security budget. While that sounds logical since it’s difficult to explain security ROI to a boardroom not familiar with IT issues, an interesting 9% would just keep it quiet and not disclose any details of a breach.

Raj Samani, VP and CTO EMEA at Intel Security, finds the survey findings, particularly the outliers, rather shocking. “However, we have to remember that the majority of respondents demonstrate integrity in their professional life, which for an industry that cites integrity as a key tenet is encouraging.”


Only 58% of respondents were confident that a company they had worked for had never covered up a breach. 22.9% said they were not sure and 20.5% claimed that they had been part of or witnessed a cover-up.

“It is rather surprising to see that the fall guy for security breaches is still seen as the CISO even amongst security professionals. Perhaps more remarkable is that 1 in 5 respondents have witnessed a company hide or cover up a breach. Such actions are disappointing but demonstrate the perceived impact a security incident can have,” Samani added.