Certified: The CISSP Prepcast

Welcome to The Bare Metal Cyber CISSP Prepcast. This series helps you prepare for the ISC squared CISSP exam with focused explanations and practical context.
In this episode, we are exploring a topic that is foundational to cybersecurity, yet often overlooked in day-to-day technical work—professional ethics. Specifically, we will focus on the ISC squared Code of Ethics, which every Certified Information Systems Security Professional must commit to and uphold. Ethics are what elevate cybersecurity from a purely technical field into a respected, trusted profession. They are the guidelines that shape not only how we do our work, but also how we conduct ourselves as professionals and as people.
In cybersecurity, trust is everything. We are often given access to highly sensitive data, privileged systems, and critical infrastructure. Clients, employers, and the public rely on us to act responsibly, make sound decisions, and protect what matters most. Without a shared ethical foundation, that trust breaks down. That is why the ISC squared Code of Ethics is such an important part of the CISSP journey—not just for passing the exam, but for shaping how we work long after the test is over.
Let us begin by looking at the broader importance of professional ethics in cybersecurity. Ethics help guide behavior, especially when the right choice is not clearly defined by law or policy. In cybersecurity, we often face complex decisions that involve multiple stakeholders, competing priorities, and evolving technologies. In those moments, it is ethics that help us determine the right course of action.
Acting ethically means respecting privacy rights, protecting confidential data, and minimizing harm—even when it may be inconvenient or costly to do so. It means being transparent with clients, honest about limitations, and diligent in our responsibilities. When cybersecurity professionals act ethically, it builds public confidence and reinforces the legitimacy of our work. When they do not, it erodes trust, damages reputations, and invites scrutiny or legal consequences.
Consider a situation where a security professional discovers a vulnerability in a system that handles customer information. Ethical behavior would mean promptly reporting the issue, fixing it responsibly, and disclosing it appropriately. Unethical behavior—such as ignoring it, covering it up, or exploiting it—can cause enormous harm. The consequences go far beyond technical issues—they impact lives, businesses, and entire communities.
Ethical behavior also strengthens organizational credibility. When companies respond to breaches with honesty and accountability, they are far more likely to retain trust. Conversely, when organizations try to hide incidents or mislead the public, the backlash can be swift and damaging. Professionals who act ethically during crises help their organizations maintain composure and resilience. They become trusted advisors who lead with integrity, rather than fear or self-interest.
Now let us take a closer look at the ISC squared Code of Ethics. This code is a formal set of principles that guides the behavior of all members of the ISC squared community, including those who hold the CISSP certification. It is not a list of specific rules for every possible situation, but rather a set of broad canons—core ethical duties—that professionals are expected to interpret and apply in their work.
There are four canons in the Code of Ethics. The first is to protect society, the common good, and the necessary public trust and confidence. The second is to act honorably, honestly, justly, responsibly, and legally. The third is to provide diligent and competent service to principals, which includes employers and clients. And the fourth is to advance and protect the profession.
Each of these canons reinforces a different aspect of professional conduct. The first canon emphasizes the societal role of cybersecurity. We do not just work for our companies—we protect the systems that power commerce, communication, healthcare, and democracy. The second canon focuses on character and personal responsibility. The third addresses the need to deliver high-quality, honest work. And the fourth challenges us to contribute to the growth and integrity of the cybersecurity field itself.
Every C I S S P-certified professional is required to follow this code. Failure to do so can result in disciplinary actions, including suspension or loss of certification. Allegations of unethical behavior are taken seriously, and ISC squared has a process for investigating and resolving complaints. The goal is not just to punish wrongdoing, but to preserve the integrity of the certification and the profession.
The Code of Ethics is also a powerful tool for making difficult decisions. It provides a clear reference point when you are navigating gray areas or complex situations. It reminds you that your responsibilities go beyond compliance—they include honesty, transparency, and service to the greater good.
For more cyber related content and books, please check out cyber author dot me. Also, there are other podcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Let us now discuss ethical responsibilities to society and the public. Cybersecurity professionals have a duty to protect more than just their employers’ networks. They must also safeguard public infrastructure, individual privacy, and the collective trust that underpins the digital world. When critical services fail due to poor cybersecurity, the consequences can be felt far beyond the organization.
Balancing individual privacy and societal security is one of the most delicate ethical challenges in cybersecurity. For example, law enforcement may request access to encrypted data as part of an investigation. Privacy advocates may argue that this undermines individual rights. The ethical professional must weigh both sides, understanding that security decisions often have broader implications.
Transparency is another key ethical value. When security risks or incidents occur, professionals must be honest with stakeholders. They must resist the temptation to withhold information in order to protect reputations or avoid scrutiny. Public trust depends on timely, accurate communication.
Ethical responsibilities do not stop at the organization’s edge. Professionals must consider how their actions contribute to global challenges such as cybercrime, misinformation, or digital inequality. They should promote security awareness, educate the public, and support efforts to build a safer digital society for everyone.
Now let us focus on ethical responsibilities toward employers and clients. This is where professionalism and competence come into play. As a C I S S P, you are expected to act diligently and competently in all your security duties. This means doing your best work, staying current on your knowledge, and avoiding shortcuts that could compromise safety.
Confidentiality is critical. You must protect sensitive information and ensure it is only used or shared for authorized purposes. Even if someone leaves the company or a contract ends, the obligation to protect their data continues. Violating confidentiality can cause irreparable harm to relationships and reputations.
You must also honor contracts, service level agreements, and other commitments. Be clear about what you can and cannot do. If you identify risks or limitations in your work, communicate them openly. If you make a mistake, own it. Trust is built on transparency and accountability, not perfection.
Conflicts of interest must also be avoided. If you have a personal or financial interest that could influence your judgment, disclose it. Do not let outside relationships or incentives interfere with your professional responsibilities. And if you observe unethical behavior—whether it involves colleagues, vendors, or partners—you have a duty to report it through the appropriate channels.
Now let us turn to the final canon: promoting and upholding the profession. Ethical professionals do not just protect systems—they also protect the reputation and standards of the cybersecurity field. This means supporting peers, sharing knowledge, and helping others grow in their careers.
Mentorship is one way to uphold the profession. If you have experience or expertise, consider sharing it with those who are new to the field. Support others through training, advice, or encouragement. Your efforts help raise the overall quality and integrity of the profession.
Participating in forums, industry groups, and continuing education is also part of ethical behavior. It keeps you informed, connects you with others, and reinforces a shared commitment to excellence. When we engage with the community, we elevate the profession together.
You are also responsible for addressing unethical actions you witness in others. Ignoring misconduct sends the wrong message and allows harmful behavior to continue. Speak up when necessary, using formal channels where appropriate. Your courage can protect your organization, your peers, and the public.
Finally, always strive to improve cybersecurity standards, frameworks, and practices. Provide feedback. Participate in working groups. Contribute to open-source projects. Your voice and your values can shape the future of cybersecurity.
Thank you for listening to the CISSP Prepcast by Bare Metal Cyber. Visit baremetalcyber.com for more episodes, robust study resources, and comprehensive support in your CISSP certification journey. Stay ethical, remain accountable, and we'll guide you steadily toward achieving professional excellence.