Why do security executives need to know about ethics? Unethical behavior within companies can threaten the security of the organization. And security executives are also called upon to conduct sensitive investigations that require rigorous attention to ethical issues, as the recent boardroom scandal at Hewlett-Packard has graphically illustrated. We spoke recently with Keith Darcy, Executive Director of the Ethics and Compliance Officer Association, who teaches in the Wharton/ASIS Security Executive Program, about why ethics is of value to security executives and what they need to know.
Why is an understanding of ethics important for security executives?
Five years ago, the scandals at Enron, Tyco, Rite-Aid, ImClone, Arthur Andersen, and WorldCom set the stage for the passage of the Sarbanes-Oxley Act in July 2002. As a result, the risks to all organizations have grown dramatically. This is clearly reflected in prosecutor activism across all industries, including Wall Street, mutual funds, pharmaceuticals, insurance companies, and the accounting profession, to name a few. As risk managers, security professionals need to understand these risks and the environment in which business is operating. In addition, more current issues, such as privacy, domestic spying, boardroom leaks and investigatory pre-texting, have the attention of the Congress and the Department of Justice. The H-P scandal seems to be the current lightning rod for all these issues.
The profile of security executives has been raised dramatically. They are responsible for physical property, personal safety, and physical assets. They are risk managers so they understand that they need to be concerned about reputational risks as well.
Do you think the major scandals are behind us?
Hopefully the accounting scandals are behind us. But we are going to continue to see what we believe to be "business as usual" challenged. There is great anger from employees, customers, and investors. And they can be very punishing in their response.
What does the HP case tell us about the challenges facing security executives?
It touches on several key issues. First, here is a company that talks about privacy and data security for its customers embroiled in this issue at the heart of its business. Second, the type of investigation undertaken in this case, pre-texting (engaging in a false identity to gain information) has emerged as a very significant issue. The whole nature of corporate espionage raises all sorts of ethical issues for security professionals. I wouldn't be surprised if, as an outcome, many larger organizations may establish protocols for this with serious ramifications.
As ethics and compliance officers, many of our members engage in the investigation of calls placed to help lines, where charges of wrong doing are being made against people in their own organization. It is a difficult place to be-but there are a whole series of procedures our members are trained in when investigating these calls
How have recent changes in the business environment affected the ethical demands on security executives?
First, the velocity of change is unprecedented, and change is an unwelcome stranger. With change comes stress. Second, increased global competition brings challenges and new demands on executives to "meet the numbers." Third, in an age of information, fiberoptics and satellites have moved us into a worldwide information network. We can now communicate anything to anyone, anywhere and by any form - voice, data, text, image-at the speed of light. The communications "float" has been eliminated. Protecting intellectual property, confidential information, and corporate assets becomes more challenging. Fourth, we are told to produce things, faster, cheaper and better, which sometimes breeds shortcuts. This raises time-to-market issues that may compromise product and workplace safety.
How does an environment of greater transparency affect the work of security executives?
There are no secrets and no place to hide. Everyone can talk to anyone instantaneously, inside or outside the organization, and that raises profound risks. The flipside, however, is that the prosecutor's best friend is email. For those who think they can hit the delete button and it will disappear, they will find that that information can and will be found in the process of discovery.
What are some of the current ethical challenges security executives might face?
We have seen a number of new challenges emerge for security professionals:
Workplace violence - Given new levels of stress, an increasing number of employees have reported incidents of violence.
Physical safety - BP's loss of life in their Texas refinery, Con-Ed's problems with "live wires" and "hot spots," and the e-coli spinach crisis are just a few examples increasing concerns about employee, citizen, and customer safety.
Employee screening - Since 9-11, employee screening and background checks have taken on new meaning.
Employee negligence or abuse of data, including corporate, client, and employee information - The loss of laptops from government employees this year alone exceeds 1,100, containing enormous amounts of confidential data.
Doing business abroad - The payment of bribes, or other fees, remains an issue long after the passage of the Foreign Corrupt Practices Act. Continued diligence is essential.
What are some of the most important things for security executives to know about ethics?
The scandals of the past few years have created a profound loss of trust. Investors, employees, and customers have felt betrayed by the culture of greed that has emerged. To address these issues, we have seen a wave of new laws and regulations.
Compliance with laws and regulations is an essential element of doing business. Mere compliance, however, may not be sufficient. Compliance is about acquiescing to authority. Ethics, ultimately, is about choice. We express our choices through our actions, as well as our in-actions. That is to say, it's not just what we do that matters; it's also what we don't do that counts. Because when we see something that's wrong, and don't do something, we have "chosen" not to do it.
Further, compliance programs risk becoming a "check-the-box" approach, which minimizes the process. In order to effectively establish the appropriate standards for conducting business, organizations must focus on embedding a system of values among their employees. In fact, as of November 1, 2004, the law now requires that, in addition to compliance, organizations must have ethics standards and a corporate culture that embraces them.
With increasing laws and regulations, organizations must promote self-regulation. Clearly, in the absence of self-regulation, there can be only one other alternative-more regulation. Ultimately, organizations must fortify their culture on a foundation of values and ethics. In the end, history shows that culture trumps compliance.
What are the most valuable tools and approaches for considering ethical issues?
First, while it may seem like an oversimplification, when making important decisions, we need to ask ourselves, "how will this decision look if it appears in The New York Times?" Second, every organization is required to have a Code of Conduct. Security professionals should consult it when facing difficult decisions. It is a resource. Third, most codes provide information regarding a confidential Helpline. Don't be afraid to use it. It's there for a reason.