I can profess that I am committed to this code. I can commit to a Code of Ethics published by an association. But it's almost inevitable that such protestations will be viewed somewhat cynically – who but a thief protests that, “I am not a thief!” The real test is whether I have demonstrated, over time and in a variety of professional settings, that I am trustworthy. Will the people I have dealt with in the past attest to my trustworthiness?
Professional Ethical Obligations
At a high level, my five ethical obligations appear reasonable. What do I really mean by them? What has been left out, and why? Let me explain my position in somewhat greater detail ...
1. I will not place my interests or those of a colleague above those of a client or employer.
In many ways, this is the bedrock of trustworthy professional behavior. Harvey Gellman, one of Canada's first computer consultants, described this as, “The client is king.” The professional, by dint of his professional knowledge, skill, and experience, will see different aspects of problems or opportunities. He will understand the context in a way that would be difficult or impossible for clients to follow. His analysis and his recommendations could be self-serving, and the client might never know. One critical difference separates the professional from the non-professional – the professional always puts the client's interests first.
Ultimately, this can work in the professional's best interest. In the short-term, there will be some “opportunities” which the professional forgoes, in particular, those not in the client's best interest. In the long-term, clients will learn they can trust the recommendations of the professional, and will be prepared to reward the professional with future business. This can also be described as an ethical obligation that the professional's intentions be trustworthy.
This may sound simple, but it can get complicated in practice. One complication is that it must be the professional who judges the client's best interests. It can be far from obvious whether the client is, or should be, focusing on their short or long-term best interests. And clients are typically organizations with a number of different stakeholders, not all of whose self interests are in alignment. Whose self interests should the professional serve?
Another complication can arise when a course of action is solidly in the professional's favor, but would be just a bit sub-optimal from the client's perspective. The client's interests would be served, but not quite as well as an alternative course of action that was not nearly as favorable for the professional. My response in situations like this is to present the options to the client. Most clients can see the benefit of providing a win for the professional, assuming they would suffer only a minor additional cost.
A last point to consider in this context is the difference between the best interests of a client and an employer. It's common in IT for consultants to be employed by a consulting firm, but provide their services directly to clients of their employer. There can be conflicts between the best interests of clients and the best interests of one's employer. The same basic argument must apply. In most cases, it will be the client and not the employer who will be least able to judge the professional's analysis or recommendation. In most cases, the client's best interests must come before the employer's best interests.
2. I will always attempt to be accurate in how I describe my experience and competence.
An alternative version of this professional obligation has been presented as, “I will make sure that I have the necessary competence before undertaking any professional work.” Sounds good, but it would not work in practice, nor is it required of a trustworthy professional. Following such an injunction, the professional would never undertake new work. He would never learn on the job. Given the rapid pace of change in the IT field, one consequence is that the IT Professional who attempted to follow this obligation would soon find himself with no professional assignments.
We can only be partially competent to undertake new professional work. There will always be something new to learn during an assignment. Indeed, it will be in the best interests of everyone if the professional does need to learn and grow in all of the work he undertakes. And there is no ethical problem with undertaking professional work that would require you to develop new professional competencies. The ethical problem arises when you ask for such work, but do not accurately describe your competence to undertake that work.
A related concern is how the professional positions his practice. There are professionals who concentrate on doing good, solid work in well understood and well established areas. Clients turn to professionals who have “been there, done that” for this kind of work. Professionals working in such areas are expected to bring demonstrated competence to assignments – there will only be limited acquisition of new knowledge and skills. Alternatively, professionals can position themselves as serving clients who want or need to have leading-edge work undertaken. Work in a new field will inevitably require learning new skills. The professional can decide how much he wants to go after leading-edge assignments. And that will significantly determine how much “been there, done that” experience is required to win the work.
3. I will pay attention to best practices and selectively apply them in my professional work.
This is a new professional obligation. Ten years ago, there were relatively few examples of best practices that could be widely applied in the IT field. The 21st century has seen the development and establishment of a growing number of solid, widely applicable IT best practices. The history of the CobiT best practice framework is illustrative of what is happening in the area. CobiT (Control OBjectives for Information and related Technology) was created in 1992 for IT auditors. It's now up to version 4.1 and has been extended and expanded to provide a framework for IT management.
The IT Governance Institute, the organization behind CobiT, has published a mapping to connect CobiT's coverage to the coverage provided by a baker's dozen of other widely used IT best practices – COSO, ITIL, ISO 17799, FIPS PUB 20, ISO 13335, ISO 15408, PRINCE2, PMBOK, TickIT, CMMI, TOGAF, IT Baseline Protection, and NIST 800-14. The IT Governance Institute has issued a Val IT best practice framework to help in the value assessment of IT efforts. That framework is now up to version 2.0. The IT Governance Institute is in the process of publishing Risk IT which will provide a best practice framework for assessing risk in IT efforts.
It's all coming together. More and more of IT is covered by reasonable and practical IT best practices. This is clearly an opportunity for the IT Professional. A critical aspect of being trustworthy is providing competence that clients can trust. Some of that is covered by a commitment to accurately present one's experience and competencies. Some of that can be covered by a commitment to always consider best practices in work undertaken. This does impose an obligation on the IT Professional that he make himself aware of existing best practices that could be applied in work he undertakes.
Any specific best practice may or may not be appropriate in a particular circumstance. There is always a cost associated with applying a practice. In a given circumstance, that cost may exceed the expected benefit. IT Professionals may, quite reasonably, recommend against the application of a specific best practice. But at least there will be a best practice reference that can be used to help assess the approach recommended and the approach that was actually followed. The IT Professional is in a position to support a claim to provide trustworthy competence.
4. I will respect the confidential information I learn about colleagues, clients, or employers.
The intent of this is clear. But there will always be decisions to make about what it should mean to “respect” confidential information, and decisions about when or whether information communicated as confidential can or should be revealed. The “respect” part is clear in my mind – I need to apply at least as stringent a set of controls as would my colleague, client, or employer. I may disagree about how stringent those controls should be – it's not my confidential information, but theirs.
This means that I must not discuss confidential information in a public place, and especially not in an elevator with other people. It means that I must not have confidential information visible on my computer display where someone else may be able to see the information. It means that I must not leave confidential information available in “public” places, such as on a desk that has been assigned to me in a client office. I will need to discuss some of the confidential information that I learn in discharging assignments for a client or employer, but only with those entitled to hear such confidential information.
There are a number of circumstances that would allow me to break free from this professional obligation. I may be told “confidential” information from a client, but subsequently learn the same information from a public source, e.g. a published article. My respect for a client's confidential information does not extend to cover information that has also been publicly revealed. I may be compelled by a competent legal authority to reveal confidential information. IT Professionals are not like lawyers – there are no laws protecting the confidentiality of information we learn from clients.
There are some interesting gray areas. Depending on the client and the assignment, the existence of a client assignment may be confidential. Some clients do not want the fact that they called in an outsider to be revealed. And many clients would not want any of the substance of assignments to be revealed. In my view, it's normally acceptable to name clients, but not to provide any specific information about assignments, at least not without the client's permission.
5. I will reveal any “hidden” information which might be viewed as a conflict of interest.
All of us have a web of relationships and a history of experiences that we bring to any new assignment. Some of these relationships and some of that experience may be seen as giving rise to a possible conflict of interest. The key test, in my mind, is whether “hidden” information, if revealed, could be reasonably construed as giving rise to a conflict of interest. What makes this a matter of judgment is that “reasonable” depends very much on circumstances. If a vendor will pay me a finder's fee for business opportunities, then clients need to know that before I recommend the vendor. If I have a history, good or bad, with products or vendors, clients have a right to know that.
When in doubt, “hidden” information needs to be revealed. Once revealed, the client or employer may decide that the chance of a conflict of interest is too great – you get pulled from the assignment, or you never get the assignment in the first place. Most often, the client will be in a position to reach a reasoned judgment about the nature and value of whatever advice you may offer. There may be no conflict of interest in your mind. That doesn't count. What counts is the judgment of the client or employer about how to value your work, your advice, and your recommendations.
Beyond Five Ethical Obligations
There's nothing in my five professional obligations about the public interest. There's nothing about respecting the law. There's nothing about professional self-development. There's nothing about respecting my colleagues. There's nothing about supporting any professional society. There's nothing about non-discrimination based on race, religion, or ethnic background. There's nothing about being a good person. Aren't all of these points important to ethical behavior, especially ethical professional behavior?
My answer is “yes and no”. I recognize certain ethical obligations that arise from my intention to be, and to be seen as, an IT Professional. The five points covered in the first part of this paper focused exclusively on those ethical professional obligations. I also recognize that I should have some ethical aspirations as an IT Professional. The difference between ethical obligations and ethical aspirations is important. There will be a continuing struggle to achieve ethical aspirations. I alone am in a position to judge whether I have done enough towards achieving those aspirations. My ethical obligations are, however, subject to review and assessment by outsiders. Others can hold me to my obligations; only I can hold me to my aspirations.
I also recognize that I have and need to have a number of ethical obligations and aspirations as a member of several different communities. I'm a part of the community that owns the building in which our condo is located. I live in Toronto, Ontario, Canada and am a member of the respective municipal, provincial, and national communities. I have a summer place outside Toronto and am a member of that community. I'm a member of a number of communities and have ethical obligations and aspirations in connection with all of those communities.
Let me put aside, but not ignore, the ethical obligations and aspirations that accompany my membership in other communities, and concentrate on the obligations and aspirations which accompany my membership in the “community” of IT Professionals.
I have said nothing about any professional obligation to serve the public interest. In my view, it's only in the presence of a professional licensing regime that I should be under a professional obligation to serve the public interest. With licensing, the public would have given me certain exclusive rights to practice as a professional. It would be a reasonable quid pro quo for the public to expect that I would put no interests above those of the public. There is no licensing of IT Professionals in Canada, nor is there likely to be any general licensing of IT Professionals in the future.
The public should not expect that I will always think first of the public interest. Moreover, I doubt that an obligation to put the public interest first is of much practical significance. Of necessity, I would have to be the judge of what is in the public interest. In very, very few cases is any action completely and unreservedly against the public interest. There are almost always pro and con arguments about the impact of an action on the public interest. I also feel that assigning a nominal first place to the public interest could weaken my recognized commitment to be trustworthy in the eyes of clients and employers. A commitment to the public interest would have little practical impact and could weaken the trust between me and my clients.
Okay, but what about professional self-development, respect for colleagues, and support of a professional society? All lofty aspirations. I'm personally committed to continuous self-development, and I believe my record of publications is reasonable testimony for that commitment. The only place, in my view, that self-development becomes a professional obligation is my requirement to apply appropriate best practices in all of my professional work. It takes time and effort to make yourself aware of existing and evolving best practices. That time and effort must be spent if we are to fulfill our obligation to deliver at least a best practice level of competence.
At the aspiration level, I have no problem with such goals as: