While IT executives are keen to secure the best talent, a greater emphasis is being placed on the applicant’s character, a recent survey suggests.
The online survey conducted in June by the Society for Information Management (SIM) asked 231 IT leaders to name the top workplace skills they seek.
They overwhelmingly cited ethics and morals as traits they most desire both among entry-level and mid-level IT workers.
Headquartered in Chicago, SIM is an association of senior IT executives, prominent academicians, consultants, and other IT thought leaders.
Ethics trumps expertise
The choice of “ethics and morals” as sought-after traits in new recruits easily beat out other qualities such as communication skills and business acumen, said SIM, which released the results of its annual membership survey at its SIMposium 2008 conference in Lake Buena Vista, Fla.
Many IT executives are concerned about stories they have heard of staffers doing “unethical things,” such as circumventing security systems, said Jerry Luftman, a professor at Stevens Institute of Technology in Hoboken, N.J., and SIM’s vice president of academic affairs.
Luftman, who also is executive director of the information systems graduate programs at Stevens, added that cheating scandals have roiled some U.S. colleges.
“It’s hot on everyone’s minds,” Luftman said. “This whole issue of ethics and morals is becoming paramount to IT executives.”
“To me, this is the price of entry into my [IT] department,” agreed Paul Major, CIO at The Aspen Skiing Co. in Aspen, Colo.
In a phone interview prior to the SIM conference, Major noted that he recently had to fire two people from his 20-person IT organization because they didn’t “exhibit the type of principles that we try to emulate with our team and in our company.”
Major also said that, prior to any discussions about technical skills during job interviews, he does a “gut check” of the applicants based on how they’re dressed and how they present themselves.
“Then I give them the spiel on the company’s guiding principles,” he said.
Mike Close, chief technology officer at The Dannon Co. in White Plains, N.Y., said that gauging the moral fiber of job applicants has long been a consistent part of the yogurt maker’s vetting process. It has done “a significant amount of hiring” over the past couple of years, he noted.
Power of policy
Experts say the role of corporate policy in governing workplace ethics and clearing up gray areas should not be underestimated.
A good policy removes personal judgment from the equation as much as possible.
“If you haven’t published a corporate law of ethics, if you don’t set out your policy and your guidelines, if you don’t make sure that people know what they are and understand them, you’re in no position to hold [individual workers] accountable,” says John Reece, former CIO and deputy commissioner for modernization at the IRS and former CIO at Time Warner Inc.
Having clear ethical guidelines also lets employees off the hook emotionally if the person they discover breaking the policy is a friend, a direct report or a supervisor.
“So it’s not that I’m squealing on Joe, but that I have to be accountable to my employer, that part of my job is to enforce company policy,” says Reece, who is now chairman and CEO of his own consultancy, John C. Reece and Associates LLC.
That policy also should warn employees that their PCs are company property and thus any information on them is fair game for investigation, says Art Crane, principal of Capstone Services Inc., a human resources consulting company.
It should provide clear instructions on what to do when employees encounter a violation of the policy, including how to bring it up the chain of command, and include whistle-blower provisions that protect employees from retaliation.
But most corporate policies aren’t ideal. In many companies, they are ill-defined or at least not communicated strongly and in detail to the IT department. The reasons are several.
First, ethics policies are typically defined by an organization’s lawyers or compliance people, says Larry Ponemon, founder and chairman of the Ponemon Institute LLC, a research company that specializes in privacy and data protection.
“In my experience, these folks may not fully understand or respect the complexities that IT-related ethical issues create, such as privacy and data protection,” he notes.
Second, policy-makers often assume that IT workers – indeed, all employees – have an inherent responsibility not to misuse information or technology and to report any issues or problems, says Crane. But they still need to spell out that assumption in writing to be completely clear with their employees.
And third, ethical challenges evolve as technology advances, an evolution that can be hard for policies to anticipate. “I’d bet that 10 years ago, very few companies had a policy on e-mail usage,” says Crane. “These days, there are very few that don’t.”
In fact, technology sometimes creates an illusion that a particular behaviour is not wrong, notes Ramon Barquin, president of the nonprofit Computer Ethics Institute, which studies ethical issues that arise from technology.
“Technology has a way of putting distance between an individual and the consequences of their actions,” notes Barquin, who is also CEO of Barquin International, a business intelligence consultancy.
As a result, ethics decisions are often left to the individual. “What’s happening right now is it’s very much all over the place,” says Barquin. When the policy is inadequate, out of date, unenforced or nonexistent, people may do what they feel is right or try to duck the issue. “Looking back, they often say, ‘Well, what was I supposed to do?’” says Barquin.
It’s as if employers are in denial about the power that IT people have. “When an IT professional comes across some [sensitive] information — well, that shouldn’t be a surprise to anyone,” says Albert Erisman, executive director of the Institute for Business, Technology and Ethics.
The company should anticipate such situations and tell IT what’s expected. But “in my opinion, most companies try to put these questions off to IT people,” he says.
Even when companies have policies, they vary widely depending on a company’s size, culture, management, and whether it is public or private. And even the most detailed corporate ethics policy can’t cover every situation and/or may not be well known in all areas of the company.
Troubles, past and future
Some policies focus on areas where the company may have had past troubles or emphasize whatever the organization is most worried about.
When John Reece was at the IRS, for example, the biggest emphasis was on protecting the confidentiality of taxpayer information, he says.
At other government agencies, such as the U.S. Department of Defense, policies usually emphasize procurement rules, notes Stephen Northcutt, president of the SANS Technology Institute and author of IT Ethics Handbook: Right and Wrong for IT Professionals (Syngress, 2004).
“It’s quite often the case that if [a transgression] hasn’t happened yet, no one thinks of it or wants to focus on it,” says Leslie Ann Skillen, a partner at law firm Getnick & Getnick and an expert on fraud and corruption in business and government.
“That’s probably more common than you might think.”
Indeed, companies tend to be reactive rather than proactive, agrees Crane. “It often takes a smack upside the head to get companies to address exposures and behaviours,” he says.
Further muddying the waters, an organization that employs highly creative or highly skilled workers might be more lenient in certain areas.
When Northcutt worked in IT security at the Naval Surface Warfare Center in Virginia, it was a rarified atmosphere of highly sought-after Ph.D.s.
“I was told pretty clearly that if I made a whole lot of Ph.D.s very unhappy so that they left, the organization wouldn’t need me anymore,” says Northcutt.
Of course, that wasn’t written in any policy manual, so Northcutt had to read between the lines. “The way I interpreted it was: child pornography, turn that in,” he says. “But if the leading mathematician wants to download some pictures of naked girls, they didn’t want to hear from me.”
Northcutt says he did find child porn on two occasions, and that both events led to prosecution.
As for the naked photos that he encountered, Northcutt pointed out to his superiors that they might be a legal liability, citing a Supreme Court decision that found similar pictures at a military installation indicated a pervasive atmosphere of sexual harassment.
The centre then changed its policy.
“Once they saw that law was involved, they were more willing to change culture and policy.”
When policies aren’t clear, ethical decisions are left to the personal judgment of IT employees, but that judgment varies dramatically from person to person.
Where Northcutt pushed to get the policy changed, for example, another manager might have accepted the status quo.
Often the decision depends on the type, frequency and severity of the incident, as well as the possible consequences of action or inaction, observers say. Even people who insist on a high personal standard of ethics for one type of behavior may bend the rules in other areas.
For example, Gary, a director of technology at a nonprofit organization in the Midwest, flat-out refused when his assistant CEO wanted to use a mailing list that a new employee had stolen from her former employer.
Not only was it illegal, but “it’s morally reprehensible and I wasn’t about to participate in anything that would damage the reputation of the organization,” says Gary, who asked that his last name not be used.
However, when his boss installed unlicensed software on PCs for a short time, Gary acknowledges he was willing to look the other way.
He told his boss it wasn’t ethical and he refused to do it himself. But he didn’t stop it.
“The question is, how much was it really going to hurt anybody? We were still going to have 99.5 per cent compliant software. I was okay with that.” He says he uninstalled it, with his boss’s approval, as soon as he could – about a week later.