Do CISOs Need a Code of Ethics? Inside the Push for Accountability in Cybersecurity Leadership

Industry expert RSnake argues CISOs must adopt a formal code of ethics to prevent kickbacks, self-dealing, and conflicts that threaten enterprise security.

25 June 2026 · 5 min read

The Question the Cybersecurity Industry Has Been Avoiding

Every major profession that wields significant power over others — medicine, law, finance — operates under a formal code of ethics. Doctors can lose their licenses for self-dealing. Lawyers face disbarment for conflicts of interest. Financial advisors are bound by fiduciary duties that put their clients' interests first. Yet the Chief Information Security Officer, a role that now sits at the intersection of corporate risk, national infrastructure, and billions of dollars in technology spending, operates with no such governing framework. That gap is exactly what cybersecurity industry veteran Robert "RSnake" Hansen wants to close.

In Episode 19 of Dark Reading Confidential, Hansen laid out a compelling, and at times uncomfortable, case for why a formal CISO code of ethics is no longer optional. His argument centers on a pattern of ethically murky behavior that he believes has become disturbingly normalized across the industry: kickbacks, no-show jobs, conflicts of interest tied to venture capital, and the widespread purchase of "shelfware" — security software that is bought but never meaningfully deployed. Taken together, these practices do not just waste budget. They quietly erode the very security posture the CISO is supposed to be building.

What Self-Dealing Looks Like in Cybersecurity

To understand why a code of ethics matters, it helps to understand the specific behaviors driving the conversation. Hansen points to several categories of misconduct that, while not always illegal, represent serious conflicts of interest for security leaders.

Kickbacks and Vendor Relationships

The relationship between a CISO and the vendors they select is inherently fraught. CISOs control enormous purchasing budgets, and vendors compete aggressively for that spending. When undisclosed financial arrangements — consulting fees, equity stakes, or referral bonuses — influence which products a CISO recommends or purchases, the organization they serve is no longer the primary beneficiary of their judgment. The security stack gets built around personal profit rather than genuine risk reduction.

No-Show Jobs and Advisory Roles

Another concern Hansen raises is the prevalence of nominal advisory roles offered by vendors to sitting CISOs. In practice, these arrangements can amount to a form of deferred compensation: a CISO steers contracts toward a vendor, and in exchange receives a board seat, advisory title, or consulting arrangement that comes with compensation but demands little actual work. These arrangements are rarely disclosed to the CISO's employer, and the conflict of interest they create is substantial.

"Dirty" VC Connections

Venture capital has flooded the cybersecurity market, funding hundreds of startups eager for enterprise customers. When a CISO has undisclosed equity in a VC-backed startup — or a personal relationship with the fund backing it — their product evaluations cannot be trusted as objective. Hansen describes these entanglements as "dirty" VC connections precisely because they contaminate the impartiality that sound security decision-making requires. An enterprise that believes it is getting a rigorous, independent security assessment may actually be subsidizing an insider's investment portfolio.

The Shelfware Problem

Perhaps the most pervasive issue Hansen identifies is shelfware: security tools that are purchased, deployed superficially or not at all, and left to gather dust in a licensing agreement. Shelfware can be a symptom of poor planning, but it can also be a deliberate outcome when a purchasing decision is driven by something other than operational need. When a CISO buys a product they have no intention of fully implementing, the organization pays twice — once in licensing costs, and again in the false sense of security that the purchase creates on a compliance checklist.

Why the Stakes Have Never Been Higher

It would be tempting to frame these issues as internal corporate governance problems, relevant only to shareholders and audit committees. Hansen argues that framing is dangerously narrow. The CISO role has evolved far beyond protecting email servers and managing antivirus subscriptions. Today's security leaders are responsible for critical infrastructure, supply chain integrity, sensitive government contractor environments, and systems that touch national security in ways that were unimaginable a decade ago.

When a CISO's purchasing decisions are compromised by self-interest, the consequences can ripple outward far beyond the affected enterprise. A hospital with a shelfware-padded security stack is not just vulnerable to a data breach — it is a potential entry point for ransomware that disrupts patient care. A defense contractor whose CISO has undisclosed ties to a foreign-backed vendor represents a national security risk. The stakes attached to CISO integrity are, in Hansen's view, high enough to demand the same kind of formal accountability we apply to other high-stakes professions.

What a CISO Code of Ethics Could Look Like

Hansen does not present a finished, codified document in his argument, but the contours of what an effective CISO code of ethics might include are relatively clear based on the problems he identifies.

  • Mandatory disclosure of financial relationships with any vendor, VC firm, or startup that the CISO evaluates or interacts with in a professional capacity.
  • Prohibition on undisclosed compensation — including equity, advisory fees, or referral bonuses — tied to purchasing decisions made on behalf of an employer.
  • Conflict-of-interest recusal standards requiring CISOs to step back from procurement processes in which they have a personal financial stake.
  • Accountability for shelfware through internal audit mechanisms that track whether purchased tools are actually deployed (for example, reconciling licensed seats against the endpoints or accounts actually reporting in) and delivering measurable value.
  • Peer accountability structures that give the broader CISO community — rather than only employers or regulators — a role in establishing and enforcing professional norms.

This last point matters more than it might initially seem. Professions with strong ethical cultures tend to police themselves partly through peer pressure and reputational consequences, not just formal enforcement. A CISO community that collectively treats certain behaviors as disqualifying would go a long way toward shifting incentives, even before any formal regulatory framework emerges.

The Industry's Resistance — and Why It Must Overcome It

Any push for a formal code of ethics will face resistance, and it is worth acknowledging why. Cybersecurity is a field that prizes agility and informal networks. Many of the relationships Hansen flags as ethically problematic are defended by practitioners as simply "how the industry works" — a natural consequence of a tight-knit community where people move fluidly between vendor, practitioner, and advisory roles throughout their careers. Some will argue that heavy-handed ethics rules would chill legitimate collaboration and make it harder to attract top talent into CISO roles that are already notoriously stressful and high-turnover.

These are real concerns, and a thoughtfully designed code of ethics would need to account for them. The goal is not to criminalize professional relationships or pretend that industry experience is irrelevant to advisory credibility. The goal is transparency and the primacy of the employer's interests over personal financial gain. That is a standard every other senior executive is expected to meet, and there is no compelling reason why security leaders should be exempt.

A Profession at a Crossroads

The cybersecurity industry has spent years arguing for a seat at the executive table. CISOs have largely won that argument — they report directly to CEOs and boards, influence enterprise strategy, and command compensation packages that reflect their growing importance. With that elevation comes the responsibility to meet the ethical standards that other C-suite roles are held to.

Hansen's call for a CISO code of ethics is ultimately a call for the profession to grow into the trust that has been placed in it. Kickbacks, no-show advisory roles, opaque VC ties, and strategic shelfware are not just governance failures — they are betrayals of the organizations, employees, customers, and in some cases the public that depends on these leaders to make uncompromised decisions. A formal code of ethics would not solve every problem in cybersecurity culture overnight, but it would make clear that the industry takes its own integrity as seriously as it takes the threats it is paid to defend against.

The conversation RSnake has started is overdue. How the CISO community responds to it will say a great deal about the profession's maturity — and its fitness to handle the responsibilities it has claimed.

Tags: CISO code of ethics · cybersecurity leadership accountability · CISO self-dealing · enterprise security governance · cybersecurity ethics