Key Takeaways from the PAC Code of Conduct Webinar

Heather Hinton

Result-Oriented CISO | Building Trust at Scale

Thanks to David B Cross, Stephen Dufour, and Steve Zalewski for a great webinar discussion on the Professional Association of CISO’s Code of Professional Conduct. Before the webinar, if you had asked me what would have been the “hot topic” of the webinar, I would have put a fiver on it being the Conflict-of-Interest section. Instead, we had a lively and engaging conversation talking about ethical behavior, acting with integrity, and how the Principles of the Code help us to navigate the day-to-day realities of life as a CISO. I was (pleasantly) surprised by how many of the participants weighed in on the importance of the Code and how it helps us, as CISOs, be better business partners.

Thanks to Steve Zalewski, our fearless moderator, for the unscripted, curveball question of: How does the Code help us deal with difficult questions, such as one posed by a Board member who asks, “Are we, as an organization, safe?” The lively discussion that followed by the panelists and participants tells me that while many of us still struggle with the “right response” in this situation, the Code can help. Reframing the question to include the current context and risk posture, relying on the Code’s Standards of Practice, Communication and Professional Integrity principles resonated with me. The lively discussion that followed briefly covered the happy path and then moved to focus on the situations with no happy path.

How we answer in a responsible manner that conveys the message of “We are managing within the organization’s stated risk tolerance” is never easy. The insights included discussions of why we deviate from the happy path, the impact of “not great” relationships with the Board, fundamental differences or inconsistent application of the organization’s stated risk tolerance, and the impact of cybersecurity risks that are not effectively controlled, capped off by the sobering reality and recognition that whatever we say today may well not be true tomorrow. Managing an organization’s risks and communicating those in a business-appropriate manner is critical to our success as business leaders and is supported by our adherence to the Code.

If you want to replay the video, you can find it here 

Want to learn more about the Code? Follow this link to see our initial Blog from when we released the Code.  