Defining Cybersecurity Leadership: The PAC Code of Professional Conduct
Heather Hinton
Result-Oriented CISO | Building Trust at Scale
Introducing the PAC Code of Professional Conduct
The Professional Association of CISOs (“PAC”), while in stealth mode for some time, officially launched in October 2024. Introduced with the association itself was our Code of Professional Conduct (the “Code”). Why is it so important that we have a Code of Professional Conduct? Our Code defines the principles and standards of behavior expected of all members and helps ensure personal and professional accountability from the PAC’s members, from the day they join onwards.
The PAC Code of Professional Conduct is anchored in core principles that support the mission of every cybersecurity professional in the performance of their duties to the best of their ability. Abiding by the Code helps establish and reinforce the superhero cape that we wear every day as cybersecurity professionals.
Why do we need a Code of Professional Conduct?
As the cybersecurity landscape continues to grow in complexity, and the potential impact of cybersecurity incidents increases, organizations increasingly depend on the effectiveness of their cybersecurity posture and defenses. This has introduced competing priorities for the CISO, who must understand, articulate, manage and measure cybersecurity risks and compensating controls in a business-appropriate and cost-effective manner in an ever-changing cybersecurity threat landscape.
Publication of the Code and the core Principles and expectations of behavior provides transparency to our organizations, stakeholders, and the public. At the same time, the Code provides CISOs and PAC members with clear guidelines for behavior that does, and does not, align with our professional obligations. By following the Code’s Principles and Canons (from the Greek word kanon, which means “rule”), an individual will develop and maintain honesty, integrity and transparent behavior that supports the overall cybersecurity profession and the goals of organizational, national and global cybersecurity defense.
Key Principles in Action
The Code is anchored against six core Principles which inform our overall professional expectations and standards of behavior.
Professional Integrity
Individuals demonstrate professional integrity when they balance their personal values and interests with their professional responsibilities, take responsibility for their actions, and are accountable for the outcomes of actions taken in the best interest of their organizations and stakeholders. The Code emphasizes that cybersecurity professionals act with integrity at all times.
Standards of Practice
Standards of practice guide how we meet our obligations as cybersecurity leaders. The Code emphasizes that cybersecurity professionals must have the skills to fulfill their roles, that their obligations include the clear identification of risks and of the adequacy of the controls in place to protect against threats, and that they participate in the collective defense and protection of the broader community.
The Code emphasizes that the cybersecurity professional’s expertise is achieved through a combination of experience, education, and continued learning and development. It also emphasizes that the cybersecurity leader is expected to disclose cybersecurity risks, and the adequacy of the controls in place to mitigate those risks, in a way that the audience will understand. The Code further emphasizes that protecting the leader’s own organization includes participation in the collective defense of the broader community.
Confidentiality
The Code emphasizes that members must not disclose non-public information without explicit authorization.
Clarity in Communications
As cybersecurity professionals, what we say, and when and how we say it, matters. The Code emphasizes the importance of messaging that is clear and appropriate to the circumstances and the intended audience. The Code further emphasizes that communications are based on objective evidence and facts and do not include speculation.
Managing Competing Interests
Competing interests include both conflicts of interest and situations of undue influence that may result from relationships with friends, family, vendors, and other third parties. If not handled properly, these may erode trust and confidence in the individual. The Code emphasizes the need for transparency in our relationships and activities as a measure of our honesty and integrity.
Why Join the PAC?
By joining PAC, cybersecurity leaders commit to upholding the principles outlined in the Code of Professional Conduct. Membership offers:
- Accreditation as a Trusted Leader: Align yourself with clearly defined and enforced ethical and professional standards.
- Support for Ethical Decision-Making: Gain access to resources and a community that helps navigate the challenges of cybersecurity leadership.
- A Platform to Shape the Profession: Contribute to the ongoing development of cybersecurity standards and best practices.
A Commitment to Excellence
The PAC Code of Professional Conduct is a declaration of values — integrity, transparency, and accountability — that ensures the cybersecurity profession continues to grow in stature and trust.
If you’re ready to take your place among the leaders shaping the future of cybersecurity, join the Professional Association of CISOs. Together, we can uphold the principles that are the cornerstone of our value as cybersecurity professionals.
Learn more about the Code of Professional Conduct and PAC membership at https://theciso.org/code-of-professional-conduct/.