A prominent voice in the cybersecurity community is pushing for a binding code of ethics for chief information security officers (CISOs). Robert “RSnake” Hansen, a well-known industry expert, argues that the current lack of formal ethical standards allows some CISOs to engage in self-dealing that can jeopardize both private enterprises and national security.

Hansen points to a range of problematic behaviors, including kickbacks, no-show jobs, relationships with so-called “dirty” venture capital firms, and the promotion of “shelf ware”—security products that are purchased but never properly deployed. These practices, he contends, undermine the integrity of security leadership and erode trust in the profession.

The proposal comes at a time when the CISO role is under increasing scrutiny, with high-profile breaches and regulatory penalties placing pressure on security executives. A code of ethics could help standardize expectations around conflicts of interest and accountability, but no such framework currently exists at the industry level.

Critics may argue that existing corporate governance and legal frameworks already address conflicts of interest, and that a separate code for CISOs could be redundant or difficult to enforce. There is also debate over whether such a code should be voluntary or mandatory, and who would oversee compliance.

Hansen's call is likely to reignite a broader conversation about professionalizing the CISO role and ensuring that security leaders act in the best interest of the organizations and public they serve.