While most I.T. jobs and roles only require technical skills, and to an extent people skills, Security professionals are expected to have a high level of personal ethics as well.
As keepers of Security, InfoSec professionals have access to confidential and sensitive data. Some examples could be:
- access to email accounts and all emails of all employees
- access to Internet traffic details of each employee
- access to camera footage of employee movements
- access to documents containing PII
- access to documents, pictures, files on the computers and laptops of employees
- access to knowledge of policy violation history
Each piece of the above information, if made public, can cause severe losses and serious negative repercussions from both an organizational perspective and an individual employee perspective.
Security professionals dealing with such data would be expected to sign a Non-disclosure Agreement. Additionally, they should have a strongly developed code of ethics that ties in with Saint Leo University’s core value of Personal Development.
They should be morally upright individuals who realize that the access they have is ONLY for enabling them to perform a job function, and who do not abuse their right of access to satisfy personal curiosity, propagate gossip, or pursue a personal agenda or profit.
While it is possible to put policy and technical controls in place to prevent such misuse of access (e.g., internal audits, logging of all access processes, separation of duties, etc.), it is still optimal to have security professionals who are ethical and have integrity.