This page contains a Flash digital edition of a book.

OPINION Taking the Ethical High Road

consultants) to be involved in bribery, but they must now also take steps to prevent it. This means that organizations need to be absolutely clear on what constitutes a bribe and ensure that all their employees and associates stay away from anything that could potentially be compromising or count as a confl ict of interest.

Marcus Ranum L

ike many other sectors, success in IT security largely comes down to the strength of a company’s relationships. If managed correctly, having close contact with customers and suppliers can ensure effective delivery, strong organic growth, and reduced customer churn.

Here the ‘soft’ skills of networking come into play, with many companies offering favors to help oil the relationships that are so important to them. Such favors can range from taking a client out for a few drinks, all the way up to paying for work ‘jollies’ in far fl ung and exotic destinations.

From my experience in the security industry, the practice of accepting ‘favors’ is quite common. It can be a subtle dinner here or there, or a loan of some hardware that never gets returned. When a reseller is told by a vendor they can hold on to some equipment indefi nitely, does that constitute a bribe? I think that if the question needs to be asked it is, if not technically illegal, then most probably unethical. By accepting a gift, there is a tacit agreement that the favor will be in some way reciprocal – if it is not reciprocal, then why would a gift be offered in the fi rst place?

One incident I witnessed throws this fact into a stark light. A sales representative at a certain vendor took a customer decision- maker out for drinks and entertainment at a club, paying for the whole night. While no formal disciplinary action

While few can claim that there is anything corrupt about attending a party thrown by a supplier, for example, there is something of a gray area over where hospitality ends and bribery begins

While few can claim that there is anything corrupt about attending a party thrown by a supplier, for example, there is something of a gray area over where hospitality ends and bribery begins. Yet this is an increasingly important area in which to gain clarity. From July 2010, with the introduction of the Bribery Act in the UK, it not only became illegal for employees or associates (including external

took place, when word of the night got around the reputation of both parties was compromised, and it had a lasting impact on both of their careers. Regardless of whether there was an overt intent to bribe the customer, by taking him out for free drinks and entertainment, a tacit quid-pro- quo agreement had been made. Incidents of overt bribery are relatively rare. A much more persistent problem

within the security industry is a failure by some professionals to completely disclose their interests. A few years ago I was involved in an incident where an IT manager was contracting a start-up that had been founded by some of his friends. While that was bad enough, it subsequently transpired that he was on the board of directors for the start-up.

This is an extreme case, but it does make the point well: make sure you are absolutely clear about whose interests you are representing at all times. If you accept a gift or favor and then have to disclose it a year later, it will look a lot worse than if you declare an interest immediately and then decline the gift.

My advice to security professionals is quite simple: always know who you are representing and, if you’re ever trying to represent a combination of interests, make sure all the people in that transaction understand this. If you are representing interests other than your employer’s, then clearly you should ask yourself whether this is appropriate, and then ask for your employer’s view on the matter. The easiest thing, however, is to keep your various lives separate if there is any sort of overlap – or perceived overlap – with your professional life. As a rule of thumb, if you think you need to ask permission from your CEO or HR to pursue some sort of fi nancially advantageous activity, then it is probably safer not to do it at all. The old saying ‘it’s better to ask forgiveness than permission’ really does not apply in this case.


Marcus J. Ranum, chief security officer at Tenable Network Security, is a world- renowned expert on security system design and implementation. At Tenable, he is responsible for research in logging tools, instrumental in product training and product/best practice evangelism. /// 45

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52