Let’s begin with a perspective from an anonymous hacker:

“The front lines of Net – that’s where most of us spend our time. Life gets crazy out there, a virtual wild, wild, west. Almost anything goes in cyberspace. I liken our online world to another American gold rush - the new frontier. It’s true that history seems to repeat itself. We boldly go where others are afraid or ill-equipped to go. We’re the white knights. The few, the proud, the ones willing to stick our necks out and get our virtual hands dirty. Or, if you prefer, we’re living in 1930’s Chicago all over again - with mob rule. There’s minimal policing going on, and people often take matters into their own hands. It seems like an impossible task, but when the going gets tough – you’ll find out what you’re made of. We do what we do to survive in this dog eat dog digital world. We didn’t create this situation. I’m not happy that I was dealt this hand, but I’m making the most of it. It is what it is. Somebody needs to protect the homestead, right? Truth be told, things are getting worse.

“Cyber ethics? Hello! Most hackers I know think those two words are an oxymoron. Rules are for kids, or other people we need to keep in a box. What? Policies? Are you kidding me? Those rules don’t apply to us. Sure, pros understand that children need to be protected, child porn is wrong and yada, yada, yada, but beyond that… I don’t have time for lectures. But let me tell you something, we’re dealing with experts, hardened criminals. We fight fire with fire baby.

“Look, this is the big leagues. Not some single-A farm team out in the bushes. We’re not in some global game of Halo. We’ve got real work to do. The bad guys are getting dangerous – real dangerous. They don’t understand our civil, respectful way of life. They just keep hitting us hard. Sure, it’s tough. I’m tired. There are no time outs.
We get a little sleep, when we can, but then we’re right back on it. We have to be right every time. Cyberspace never sleeps. This is war baby. Cyber war - All is fair in love and war.”

We’re moving on to problem #5 for hackers – I mean security pros. Many security professionals call themselves hackers – in the best sense of the word. No, I’m not talking about malicious hackers, black hat hackers or crackers (the bad guys), although I’ve never known anyone to call themselves a cracker.

But security professionals often identify each other as “hackers.” It’s a bit like walking around a football locker room. All the football coaches call each other coach. Or like the classic scene from the movie Spies Like Us, with Chevy Chase and Bob Hope, where everyone calls each other doctor.

Take, for example, our respected colleague Johnny Long, who leads Hackers for Charity. Johnny is using his computer security skills for good and now helping teach children in Africa how to use computers and more. He is an excellent role model for an ethical security professional – I mean hacker. By the way, Johnny is a great speaker, so if you’re looking for a great security presentation, contact him.

OK, so what’s the problem with the anonymous hacker’s perspective? Let’s discuss the next topic in our series on why security professionals fail.

Problem #5 for security pros: Hackers undervalue cyber ethics and accountability

Oftentimes, security pros quietly think they are above Internet laws, company rules and regulations. As the cyber police, bending (or breaking) a policy may seem acceptable, as long as no one catches you in the process. Sometimes, it may even seem to be required – like the state police needing to speed to catch a car going 100 miles per hour. It’s easy to identify with parts of this anonymous hacker’s worldview.
Cyber security experts typically describe themselves as white hat hackers who must have freedom to enforce the law. “Bending the rules” may seem like the best way to help others online and/or get your job done. Certain jobs may even promote cyber offense in our international cyber war. Nevertheless, if you are not in the military or the Department of Defense (DoD), I challenge you to read John Pescatore’s article on mixing cyber offense and defense. There are also many other good blogs on this topic.

Beyond cyber war and the good guys having the right tools to catch the bad guys, there can be a tendency to ignore “more mundane” acceptable use directives. That is, security staff can download copyrighted material (movies and games), view porn at work, look at information that is private (like promotions, raises or other data from management), “borrow” passwords or delete log files to cover their tracks, etc. These acts may almost be viewed as “the spoils of war.” Hackers come across this data once as part of their job, and later they become accustomed to accessing it freely. The trouble is that actions have consequences. This is a slippery slope. Or, more bluntly, “the road to hell is paved with good intentions.”

Many experts point to the need for better and more thorough training (which I support), but Darth Vader was well trained. (If you’re not familiar with the Star Wars movies or books, the talented, good Anakin Skywalker becomes the most evil and dangerous adversary of all – Darth Vader.) The reality is that the smarter you are, the more you advance as a cyber security expert, the farther you go as a hacker, the greater your temptation will be. As you learn what the enemy does and how they do what they do (in order to stop them), the new ways to avoid detection, the secrets of the trade and the best ways to build and get around defenses, you will face a series of crossroads.
Your ethics, values and beliefs will inevitably be tested. This is similar to a cop who arrests drug lords and finds a stash of cocaine or cash. Should he/she take a bit of the money while no one is looking? It seems so easy, so close and perhaps even innocent.

Sadly, I have seen very talented computer pros disciplined for inappropriate behavior at home or work such as stealing property, downloading files or distributing child porn. I personally know technically savvy staff members who are in jail, and I must say that I never would have guessed that certain “experts” would turn to the dark side. Additionally, I have read and heard about dozens of such cases. People are blinded to their own deceitfulness.

The subtlety of this topic is that moral erosion happens gradually. How much money is enough? Many run background checks, but who can you really trust? Here are some soul-searching questions: Do you act with genuine integrity at home and work? Are your actions violating policies and laws? Pressing further: Are you an insider threat?

We claim to be focused on risk management, and yet I never cease to be amazed at how security pros underestimate the online risks they are taking in their personal and professional lives. They risk their job, reputation, marriage, family or even jail time. Bottom line, they think they will never be caught doing whatever they’re doing in cyberspace.

Solution #5: Seek accountability, find a good mentor & practice virtual integrity

There seem to be two different (unspoken) schools of thought amongst security practitioners regarding cyber ethics:

1) Go with the flow, practice situational ethics and don’t lecture me. (See anonymous hacker’s interview above as an example.)
This is not just a view that the ends justify the means, but also a renaming of right and wrong activities. For example, stealing becomes “downloading files” or lying becomes “protecting oneself.” Or, I’ve earned the right to break rules.

2) Develop meaningful ethical boundaries and a heart-felt code of conduct that provides the foundation for everything the security professional does.

Of course, even if you profess #2, you may tend to practice #1. No one is perfect. And yet, in my experience, few experts in our field want to talk openly about cyber ethics for security professionals, except for academic purposes. Breakout sessions on ethics seem to get the least attendance at security conferences, if they appear at all on agendas. If cyber ethics is discussed, presenters often offer material for children, privacy settings on Facebook and/or topics like Chinese censorship.

Meanwhile, others at home and work are watching. Security staff members complain that the enterprise isn’t catching the vision of cyber urgency, but end users quietly wonder why the cyber police do the very things they forbid others from doing. They watch and hear as their much admired security pro is hypocritical regarding acceptable use policies, illegally copying movies and songs, bypassing security controls, or worse.

Lone Rangers Are Dangerous: We All Need Help

I realize that this is not a popular message for the hacker community to hear, but we all need partners who hold us accountable. Of the seven problems I am discussing, hacker ethics is perhaps the most difficult for readers to accept. I fully expect to receive several sincere rebuttals. But while there are certainly many in the security community who are wonderful examples in this area, I think we all need to examine our motives and actions.

I often get asked why I wrote the book Virtual Integrity.
While a full answer to that question requires another column, I am in the second camp. Ethics is important, not only for my children when on Facebook, but perhaps even more vitally for veteran security professionals who know how to beat the system. Don’t get me wrong, I am tempted and make mistakes like everyone else. I have come to realize that “there but for the grace of God go I.” No doubt, we are all susceptible to slipping, and being honest about our challenges is a start.

Here are a few other ways to help in this area:

1) Seek advice from respected colleagues regarding practical ethical behavior as a security pro. Find one or more accountability partner(s) who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists, athletes, and other experts are accountable to teachers or coaches. Everyone who strives to improve needs accountability.

2) Find a trusted mentor whom you admire in the industry. Make yourself accountable to this person regarding the direction of your professional career decisions.

3) Practice these seven habits of online integrity. After identifying your core beliefs and ethical boundaries, surf your values.

Several years ago I was having lunch with John Stewart (Cisco VP and CSO) between sessions at RSA. We were discussing assorted security war stories. I asked him what motivates exemplary cyber ethics for his staff. He said something to the effect: if pros know that they will be held to account, they will usually act responsibly.

I agree with John’s point. The more you want to grow in your career, the more you should seek out someone who can hold you accountable for your actions. If we are accountable to our management, spouse, family members, and/or others we trust, we will enhance our careers and be less likely to follow the primrose path.
A final thought: “trust but verify” was a signature phrase of Ronald Reagan to describe Cold War treaty verification and other activities. But occasionally we need to follow Reagan’s advice, do some soul-searching and ask ourselves: Are you an insider threat?

Next time: Don’t give up. Learning perseverance from an Ironman Triathlon champion.