
Integrity begins within: Security pros lead by example

By Peter H. Gregory
April 8, 2004 12:00 PM ET

Computerworld - I recently learned that an acquaintance of mine did something dishonest in the name of information security, apparently in order to preserve or advance his own career. Stu (not his real name) acquired his former employer's complete disaster recovery plan in electronic form. At his new place of employment, Stu took that document and changed the headers and footers and some other details and then presented it as his own work.
Later, executives from Stu's current and former employers attended a business meeting. The purpose of the meeting, as I understand it, was a discussion on disaster recovery, kind of a "show me yours and I'll show you mine" exchange. (Stu's current and former employers are in the same industry.) The executives from the two companies were shocked when they discovered that their disaster recovery plans were virtually identical. The disaster recovery director at Stu's former employer recognized the other company's plan as his own.
Hearing this story reminded me of a critical fact: In business and information security -- and closely related disciplines such as business continuity and disaster recovery planning -- we lead by example.
In my columns, I usually address "you" in the second person. But on this topic, I will speak as "we" in the first-person plural. I want to make sure that you understand that what I'm saying applies not only to you, but also to me.
Do as we say, and as we do
In information security, we strive to improve the integrity, reliability and control of information systems, business processes and the people in the organization. Through policy and security awareness, we want the people we work with to act with good judgment and integrity.
Some of us are responsible for creating and enforcing security policies that apply to everyone in the organization. Whether we like it or not, we are role models. If, by our behavior, we are strict about conforming to security policy, then those who observe us are more likely to do the same. If, on the other hand, we act as though we're above the law, especially our own law, how can we expect others to be serious about conforming to it?
Truth in, truth out
Here's a simple and reliable definition:
Truth: factual representation of things that are; factual representation of events.
This has everything to do with information security. We expect applications to record, calculate, store and report events and information accurately. Truth in, truth out. We expect these events to be verifiable via audit logs so that the truth can be ascertained later if needed.
