Like many other sectors, success in IT security largely comes down to the strength of a company’s relationships. If managed correctly, having close contact with customers and suppliers can ensure effective delivery, strong organic growth and reduced customer churn.
Here the ‘soft’ skills of networking come into play, with many companies offering favors to help oil the relationships that are so important to them. Such favors can range from taking a client out for a few drinks, all the way up to paying for work ‘jollies’ in far flung and exotic destinations.
While few can claim that there is anything corrupt about, for example, attending a party thrown by a supplier, there is a something of a gray area over where hospitality ends and bribery begins. Yet this is an increasingly important area in which to gain clarity. From July 2010, with the introduction of the Bribery Act in the UK, it not only became illegal for employees or associates (including external consultants) to be involved in bribery, but they now also must take steps to prevent it. This means that organizations need to be absolutely clear on what constitutes a bribe and ensure that all their employees and associates stay away from anything that could potentially be compromising or count as a conflict of interest.
From my experience in the security industry, the practice of accepting ‘favors’ is quite common. It can be a subtle dinner here or there, or a loan of some hardware that never gets returned. When a reseller is told by a vendor they can hold on to some equipment indefinitely, does that constitute a bribe? I think that if the question needs to be asked it is, if not technically illegal, then most probably unethical. By accepting a gift, there is a tacit agreement that the favor will be in some way reciprocal – if it is not reciprocal, then why would a gift be offered in the first place?
One incident I witnessed throws this fact into a stark light. A sales representative at a certain vendor took a customer decision-maker out for drinks and entertainment at a club, paying for the whole night. While no formal disciplinary action took place, when word of the night got around the reputation of both parties was compromised, and it had a lasting impact on both of their careers. The fact of the matter was that regardless of whether there was an overt intent to bribe the customer, by taking him out for free drinks and entertainment, a tacit quid-pro-quo agreement had been made.
Incidents of overt bribery are relatively rare. A much more persistent problem within the security industry is a failure by some professionals to completely disclose their interests. A few years ago I was involved in an incident where an IT manager was contracting to a start-up that had been founded by some friends of his. While that was bad enough, it subsequently transpired that he was on the board of directors for the start up. This is an extreme case, but it does make the point well: make sure you are absolutely clear about whose interests you are representing at all times. If you accept a gift or favour and then have to disclose it a year later, it will look a lot worse than if you declare an interest immediately and then decline the gift.
My advice to security professionals is quite simple: always know who you are representing and, if you're ever trying to represent a combination of interests, make sure all the people in that transaction understand this. If you are representing interests other than your employer’s, then clearly you should ask yourself whether this is appropriate, and then ask your employer’s view on the matter. The easiest thing, however, is to keep your various lives separate if there is any sort of overlap – or perceived overlap – with your professional life.
As a rule of thumb, if you think you need to ask permission from your CEO or HR to pursue some sort of financially advantageous activity, then it is probably safer not to do it at all. The old saying "it's better to ask forgiveness than permission" really does not apply in this case.
Marcus J. Ranum is a world-renowned expert on security system design and implementation. Ranum is a pioneer in security technology who was one of the early innovators in firewall, VPN and intrusion detection systems. Since the late 1980s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Ranum has been chief security officer since joining Tenable Network Security in 2004. At Tenable, he is responsible for research in logging tools, instrumental in product training and product/best practice evangelism.