The Code of Honour: Embracing Ethics in Cybersecurity

by Mark Rowe

Author: Paul Maurer and Ed Skoudis

ISBN No: 978-1-394-27588-5

Review date: 16/12/2025

No of pages: 224

Publisher: Wiley

Publisher URL:
https://www.wiley.com/en-ie/The+Code+of+Honor%3A+Embracing+Ethics+in+Cybersecurity-p-9781394275861

Year of publication: 01/01/2024

Price: ebook, 24.99 euros

You might imagine that a book with ethics, and cyber, in its sub-title might be a dull read. Don’t judge a book by its cover, writes Mark Rowe.

I found The Code of Honour one of the most absorbing books about security management in general, besides cyber. The authors address what they call an ‘ethical vacuum in our industry, where critical decisions are often made without regard to their ethical implications’. At the same time, as they add, ‘the weight and financial impact of our decision-making is rapidly increasing’.

At the back of the book is a single-page ‘cybersecurity code of honor’ as a ‘framework for ethical decision-making for real-world cybersecurity leaders and practitioners’. As the authors argue, cyber ought to be on a par with the fields of law, medicine, and warfare, which each have an agreed ethical code, so that each worker in cyber can navigate their path more surely than by doing what ‘feels right’ (which, if you think about it, means leaning on whatever ethical code you have picked up as your way of interpreting the world).

As the authors begin by stating, the sheer pace of change ‘can be a breeding ground for mistakes, misused authority, and even intentionally abused power’ and ‘has left us without a clear system of ethics’.

This theme of the book, noble and yet vitally necessary for the everyday, means that such lines as ‘protecting others from the perils of bad actors on the Internet is at the core of our mission’ do not sound as corny as they might elsewhere. As the day-to-day job of cyber security ‘can feel like fighting fires’, and the cyber sector worldwide is short of people, that makes the need for candidates of a good ethical character all the greater, the authors argue. Practitioners and leadership alike have to make the right decisions, ‘because those choices can have far-reaching impacts’. If attackers having breached your network ask for a ransom, should you ‘quietly pay to make the entire situation go away’, as (quietly) happens so often? While the book is by American authors and based on the United States, given the USA’s central place in cyber, it’s relevant; one example is the fact that a ransom was paid after the 2021 attack on the Colonial Pipeline. By paying a ransom you (the leaders that cyber people report to) are assuming that you can trust a criminal. The book has much to say about trust – such as, ‘earning trust is in large measure a product of making consistent ethical choices’.

To repeat, the book explodes any idea that cyber is dry and technical. The authors write: “Maybe the interesting tech and exciting innovation is what got you into this business – but you can’t for too long pretend that this business is all about technology. It is undeniable that cybersecurity is ultimately a human business.” Or, as the authors put it still more pithily, cyber people ‘indeed stand guard on a wall of protection’.

They write: “Cybersecurity is a field that attracts smart and highly motivated professionals, but it’s no secret that it also often draws a high percentage of folks who can be more adept at dealing with programs, coding, and technical matters than dealing with people. It is also understandable that as technology and artificial intelligence quickly advance, some in this field can almost be dismissive of the real human beings.” This book is a reminder of our humanity.

The strength of the book is the many anonymised stories of dilemmas faced by people at work in cyber. For example, a security operations centre (SOC) analyst learns of a breach that the CISO hasn’t told superiors (or shareholders, or customers) about. Should the analyst speak up? Does the analyst have the full picture; maybe the CISO is responding to the breach? Whatever the analyst decides, the personal choice will affect him, the CISO and others. In fact that dilemma – of whether to tell someone what you’ve learned – recurs in chapter six. To give the gist briefly, a cyber man at an online retailer isn’t satisfied with the ‘satisfactory’ rating given by an outside auditor. What about the overlooked vulnerabilities? The leaders of the business decide to forge ahead with new services regardless. Is that putting consumers at risk? Should the cyber man shut up; and if he doesn’t, will he be told to shut up? Should he send an (anonymous) email to the media?

While this book seeks to make cyber people face the real-world consequences of their work, it’s striking that the book doesn’t try to pretend that cyber people are the tops. Just because they wrote some code, if it was in company time, it’s the intellectual property of the employer; you ought not to upload a copy to the cloud for your own use (and profit?) any more than you would take the office chair and desk with you. The authors acknowledge that opinions differ. Some in the cyber community see Julian Assange of Wikileaks as a hero; others as a villain. The authors state ‘a clearly defined ethic of not taking what is not ours’. Putting it yet more plainly, ‘do not steal’ – not data, any more than the company’s money on a corporate credit card.

The book (and the code of honour) close with privacy. As the book says, the reality is that small invasions of privacy are a constant issue in the greater tech industry (not just cybersecurity). And it takes only one impulsive decision to violate someone else’s right to privacy.

The authors tell the story of a cyber guy who was getting bored at work and decided to investigate the chief executive officer’s (CEO’s) email. “He had picked up the password one day when he was troubleshooting the CEO’s desktop in the corner office at the top of the facility with the windows looking over the small town. It was a small choice to snoop around.” The cyber guy ‘did it because he could and because he knew he shouldn’t. But that small step soon escalated to snooping through other accounts to compare his salary to other co-workers and to investigate who was getting a raise’. He didn’t realise how much he had stepped over the line as a young employee until much later in his career, when he became a CISO.

The book ends, then, with a plea to treat others as you would want to be treated. “The invasion of privacy is so commonplace that we are becoming desensitised to the violation of a basic human right. There is never an excuse for a cybersecurity professional to take part in such activities or even be complicit.”