What Security Executives Should Know about Ethics

A Q&A with Keith Darcy, Executive Director of the Ethics and Compliance Officer Association


Why do security executives need to know about ethics? Unethical behavior within companies can threaten the security of the organization. And security executives are also called upon to conduct sensitive investigations that require rigorous attention to ethical issues, as the recent boardroom scandal at Hewlett-Packard has graphically illustrated. We spoke recently with Keith Darcy, Executive Director of the Ethics and Compliance Officer Association, who teaches in the Wharton/ASIS Security Executive Program, about why ethics is of value to security executives and what they need to know.

Why is an understanding of ethics important for security executives?

Five years ago, the scandals at Enron, Tyco, Rite-Aid, ImClone, Arthur Andersen, and WorldCom set the stage for the passage of the Sarbanes-Oxley Act in July 2002. As a result, the risks to all organizations have grown dramatically. This is clearly reflected in prosecutor activism across all industries, including Wall Street, mutual funds, pharmaceuticals, insurance companies, and the accounting profession, to name a few. As risk managers, security professionals need to understand these risks and the environment in which business is operating. In addition, more current issues, such as privacy, domestic spying, boardroom leaks and investigatory pre-texting, have the attention of the Congress and the Department of Justice. The H-P scandal seems to be the current lightning rod for all these issues.

The profile of security executives has been raised dramatically. They are responsible for physical property, personal safety, and physical assets. They are risk managers so they understand that they need to be concerned about reputational risks as well.

Do you think the major scandals are behind us?

Hopefully the accounting scandals are behind us. But we are going to continue to see what we believe to be "business as usual" challenged. There is great anger from employees, customers, and investors. And they can be very punishing in their response.

What does the HP case tell us about the challenges facing security executives?

It touches on several key issues. First, here is a company that talks about privacy and data security for its customers embroiled in this issue at the heart of its business. Second, the type of investigation undertaken in this case, pre-texting (engaging in a false identity to gain information) has emerged as a very significant issue. The whole nature of corporate espionage raises all sorts of ethical issues for security professionals. I wouldn't be surprised if, as an outcome, many larger organizations may establish protocols for this with serious ramifications.

As ethics and compliance officers, many of our members engage in the investigation of calls placed to help lines, where charges of wrong doing are being made against people in their own organization. It is a difficult place to be-but there are a whole series of procedures our members are trained in when investigating these calls

How have recent changes in the business environment affected the ethical demands on security executives?

First, the velocity of change is unprecedented, and change is an unwelcome stranger. With change comes stress. Second, increased global competition brings challenges and new demands on executives to "meet the numbers." Third, in an age of information, fiberoptics and satellites have moved us into a worldwide information network. We can now communicate anything to anyone, anywhere and by any form - voice, data, text, image-at the speed of light. The communications "float" has been eliminated. Protecting intellectual property, confidential information, and corporate assets becomes more challenging. Fourth, we are told to produce things, faster, cheaper and better, which sometimes breeds shortcuts. This raises time-to-market issues that may compromise product and workplace safety.

How does an environment of greater transparency affect the work of security executives?

This content continues onto the next page...