Chapter 16
Ethics in Security
Consulting
James H. Clark
In this chapter...
Introduction
Ethics in Practice
Walk-Away Value
Advocate versus Educator
Rules to Live By
Forensic Consulting/Easy Conflicts
Introduction
The all-time best eulogy this author ever heard was in honor of a former
boss who was described as a man who always did the right thing, even when
no one was looking. What a fine tribute to a good man. What a great way to
be remembered.
This author used to believe that one could apply instincts to his or her con-
sulting practice and generally be okay when it came to the issue of professional
ethics. After all, parents, teachers, and other caregivers taught us such value
considerations. This thinking works well for those who were brought up by
parents who not only preached, but lived the golden rule—teachers, caregivers,
and others who lived exemplary lives and demonstrated the right way to inter-
act with others. Unfortunately, not everyone grew up that way or was exposed
to the same value system. Nor were they taught the value of fair play in a world
that isnt always fair. And, of course, not everyone plays well with others even
under the best of circumstances.
In many instances, people simply don’t have someone to demonstrate ethical
values for them. In other instances, going along to get along is seen as the only
way to survive in a corrupt environment. Moreover, there are those who have
305
learned to overlook their values in the name of personal or financial advance-
ment in a highly competitive business world. So, while it is good to trust one’s
instincts, there is more to consider.
How does one deal with people in a world where there are competing values
and different understandings of moral codes? This chapter does not offer all
the answers. What it does offer is some food for thought as the twenty-first
century security consultant plies his skills ethically in a world minefield of cor-
ruption, greed, “me-first thinking, and ignorance. It must be recognized that
there are also many corporate, institutional, and government people out there
who are looking for an ethical security consultant to help them get past all of
that. Your response to ethical dilemmas can help create an environment where
ethical behavior is expected, if not required, and where the consultant sets the
ethics bar at an appropriately high level.
The title security consultant is not the sole property of the independent
practitioner. It is a term shared with vendor salespeople, security company
operations managers, and others. Rather than get upset with that notion, it is
better to focus on the differences: independence and objectivity.
A well-known security consultant set out to start his own practice. The con-
sultant was looking for a catchy name that would generate interest and iden-
tify him as a viable “brand” in the security consulting marketplace. His father,
a successful salesman and long-time entrepreneur, offered some simple advice.
First, people who seek out consultants don’t seek to buy a name; they seek to
establish a relationship based on trust that will serve them and their company.
Second, if the consultant uses his own name, he will always work to protect its
integrity. The consultant took that advice and soon understood the message.
The people who retained him early on were people who knew him and his rep-
utation from previous work. As time went on, those client relationships turned
into referrals and more trusted relationships.
Putting ones own name on the cover of a report heightens awareness about
the advice offered because people well beyond one’s control read the report.
When reflecting on that, the consultant realizes that his name is on the line
every time, all the time.
Over the years, this consultant has had the opportunity to work with other
consultants. Most were highly ethical; some were not so ethical. Some consult-
ants have been known to change their reports to such an extent that they don’t
honestly reflect the findings of their work product. Sometimes clients ask for
things that no professional consultant in her right mind would ever put in
writing. There are vendors who unabashedly offer favors to a consultant to get
their product bid, specified, or approved. These are some of the challenges that
the professional security consultant faces. How does one address these types of
challenges that establish the consultants value system?
How do you handle the client that wants you to do something you think is
inappropriate?
306 Strategic Security Management

Get Strategic Security Management now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.