“Ethics is knowing the difference between what you have a right to do and what is right to do.”
- Justice Potter Stewart
You know what I like most about standards? The fact that there are so many to choose from. You have IEEE standards, accounting standards, and breed standards in animal husbandry (think pit bulls and Arabian horses); there are de-facto standards like the QWERTY keyboard and the MP3 file format. You probably have standards at home for dealing with children or for the process of brushing your teeth (I’m an up-down, front-to-back guy). We literally have a cornucopia of standards from which to choose, so much so that the whole notion of a “standard” can start to become a bit fuzzy. Eventually the line between right and wrong becomes blurred, and that blurred line becomes a contributing factor in ethics violations.
I believe this was the case with Pennsylvania’s former CISO (Chief Information Security Officer), Robert Maley, and cyber security vendors, such as Guidance Software, Core Security and McAfee. Maley was recently fined $10,000 for having vendors pay for his travel, meals and lodging to industry events at which he presented, as well as accepting the very generous gift of World Series playoff tickets. The ethics panel investigating the incident valued Guidance Software’s associated deal at more than $1.3M.
It would actually be inappropriate to comment on this without first acknowledging that virtually all software vendors build relationships with key decision makers by engaging with them socially. It is not uncommon for a vendor to give token contributions to clients to thank them for interest in their products, but this should only be done if the client’s policies allow for such exchanges and should certainly be done in a transparent manner. It’s not a good relationship-builder to enable a client to commit an ethics violation.
What is particularly concerning in this context is seeing publicly owned organizations engaging in behavior that raises questions about ethics and appropriate business practice. With the scandals of Enron, WorldCom and Bear Stearns in the rear-view mirror, one would assume the boards of public companies have instituted very clear rules and policies prohibiting even the hint of impropriety. I can’t argue that rules and policies alone make for proper ethical behavior, but they certainly promote a culture that understands what behavior is considered “above board”. When companies facilitate ethics violations, it not only stains their brand and raises questions for potential clients, it promotes the image of unchecked corporate greed and serves to discredit those of us who do play by the rules.
Take, for example, Core Security’s payment of Maley’s expenses for attendance at several industry conferences. Software vendors selling high-end solutions all seek out client evangelists for their products and benefit a great deal by having their clients present educational material on subjects relevant to the solutions the vendors are selling. This is a win-win-win situation for the existing client, the potential client and the vendor: the existing client gets to augment his or her CV and interact with others who have similar interests and expertise, and in turn the vendor is able to provide valuable content and experience to its potential clients and prospects. True product evangelists generally want to present at conferences because doing so builds their knowledge base and exposes them to what’s new. However, they and their employer(s) are not always willing or able to spend thousands of dollars to travel around the country presenting whenever their trusted vendor invites them, and there is the rub. If we all play by the rules, these tensions balance out, with everyone taking their wins and losses based on a mix of merit and circumstance. However, if a few parties start evading the rules, the balance is upset and, as was seen in this situation, pretty much everyone loses.
Furthermore (and from a more personal perspective), it can be exhausting for marketing teams to find clients willing and/or able to present on behalf of an organization’s solutions (especially solutions to cyber security problems). It becomes even more difficult when many of the most compelling use cases are in the public sector, since public sector employees, like former Pennsylvania State CISO Robert Maley, are almost always held to exacting standards of conduct by their employing agencies. It can become downright dubious when you factor in limited state and federal budgets as well as the sensitivity that is omnipresent on security topics. This is unfortunate for clients and vendors alike, because the cyber security, e-discovery and digital investigations industries are still maturing and rely heavily on peer-to-peer education and sharing “tales from the trenches”. Clients can share lessons learned that are immensely beneficial to others using the same technology. That said, for some individuals these noble intentions can corrode when money and gifts are proffered to facilitate an exchange.
Clearly, accountability ultimately rests with the client who, after all, has the power to decide whether or not to accept the gift or reimbursement. However, organizations with proper business integrity should absolutely make an effort to understand their clients’ respective employer policies and limit exchanges that would put clients in an uncomfortable position or result in an ethics investigation. As much as I’d like to throw money and gifts around to upsell our accounts and entice loyal customers to publicly endorse our wares, it appears we have drawn a much clearer line between what is appropriate and what is not (and, it seems, possibly lost a sale or two in the process).
There is little doubt that Mr. Maley had noble intentions and simply desired to share his broad knowledge and experience with his peers. Even the baseball tickets must have seemed benign, since his organization was already a long-time client of McAfee’s. Playoff baseball tickets certainly beat the usual holiday eCard or muffin basket! The lesson for consumers of high-end cyber security and e-discovery solutions, and really for anyone on the buying end of a business sales relationship, is not to allow yourself to be put in a position of having your professional ethics questioned. You should feel insulted if your vendor assumes you’re willing to “pay to play”. While public speaking opportunities are valuable, they are not always affordable. So when you’re invited by a vendor to speak, just take these simple steps:
If, after your efforts to establish “rules of engagement” and transparency, your employer doesn’t clear you to attend the event, kindly refuse the offer. Equally important, you should pause and examine the motivation behind a software vendor’s offerings, donations and gifts. If there isn’t mutual commercial benefit in the exchange, it’s probably poor judgment to accept the offer. Finally, as we’ve learned from the Maley incident, using your vacation time does not exempt you from proper ethical behavior.
And for vendors considering greasing the wheels of commerce by helping public servants commit ethics infractions, please think again. This type of behavior only reflects badly on you, the whole industry, and the rest of us who are trying to play by the rules.