Ethics starts here

Chief information officers increasingly are expected to fill the role of chief ethical officer, with responsibility for creating an ethical culture


The controversial five-year tenure of Dianah Neff, Philadelphia’s former chief information officer, culminated this past August in negative publicity for the official known in information technology circles as the architect of Mayor John Street’s Wireless Philadelphia project. Civitium, a company that worked on the city’s Wi-Fi initiative, announced that the former CIO was coming onboard as a senior partner. Neff had overseen the IT consulting firm’s work on the project. Neff’s critics howled, saying the move was a conflict of interest and a violation of ethics.

Neff’s apparent impropriety is remarkable only because it is the most recent case to draw the public’s ire. The Wireless Philadelphia project is an ambitious plan to provide wireless Internet service to the entire city. Neff’s high-profile position was matched by an annual salary of more than $194,000, which made her the highest-paid member of the mayor’s inner circle.

Neff had become well-known for racking up frequent flyer miles, traveling to at least 56 technology conferences, some abroad, according to the Philadelphia Inquirer. The newspaper reported that some of those trips were paid for by a for-profit organization that receives funds from wireless companies, including Earthlink, “the Atlanta company selected last year to build Philadelphia’s wireless network. None of the free travel was disclosed on Neff’s annual ethics statements.”

City officials deemed the free trips to be gifts to the city, not Neff, and did not require her to disclose them. In September, Philadelphia’s board of ethics determined that Civitium did not violate city or state conflict-of-interest rules by hiring Neff, even though the former CIO had awarded the firm three contracts worth $453,000. Neff had also praised Civitium in remarks that she provided to the company for its marketing materials, and she participated in a podcast for Civitium while she was negotiating terms of her employment with the company, the city’s ethics review board reported.

The board concluded that Neff did not break any rules or laws, but it nonetheless scolded the former CIO for those activities related to Civitium.

“It approaches the level of being shocking for any city official, in the current atmosphere of scrutiny of official conduct, to proceed in any arguably questionable manner,” the board concluded in its report, which noted the apparent impropriety of Neff’s actions. “Although conduct that creates an appearance of impropriety does not explicitly violate any particular ethics law, such conduct tends to weaken public confidence in government,” the board wrote.
According to the report, Neff dismissed the ethics board’s criticism of her as unfair.

A higher bar
Have CIO ethics become too fuzzy? Of course not, said Michael Josephson, president and founder of the Joseph and Edna Josephson Institute of Ethics. “Ethics is knowing the difference between right and wrong and deciding to do right,” he said.

Josephson is one of a dozen current and former CIOs and ethics experts who talked to Federal Computer Week about the ethical landscape that federal CIOs traverse and the routes they might take to avoid missteps. They described a topography that has become bumpier and increasingly difficult to navigate. Rules cannot ensure ethical behavior, the experts said. They suggested that effective CIOs go beyond prescriptive measures and strive to inculcate ethical
cultures.

Too often, CIOs wait for someone to tell them what to do, said Josephson, whose clients include the Defense Department. “The better CIOs are far more visionary than in the past,” he said. “A lot of them used to be technocrats, but the really excellent CIO is solving problems creatively and anticipating problems as well.”
Josephson said a troubling issue facing contemporary IT managers is the ethical lassitude of many younger workers. He cited a recent survey showing that two-thirds of young people say they have cheated on an exam and more than one of four has stolen from a store.

Some of those young workers have access to their organization’s computer systems. Those systems are like “a gigantic safe that includes all the most valuable information an organization has,” Josephson said, and the CIO must guard the safe. “CIOs have a role as policemen that they haven’t had before and that they aren’t excited about or trained to handle,” he said.

The C suite

As CIOs become established members of C-suite executive teams — joining top dogs such as the chief executive officer, chief financial officer and chief technology officer — they will gain more responsibility for calibrating the ethical climate, said Lisa Schlosser, CIO at the Department of Housing and Urban Development. Two years ago, HUD’s CIO reported to the assistant secretary for administration. Today, Schlosser reports directly to the deputy secretary.

Schlosser said, “HUD helps our users to maintain ethics,” which she defined as what you do when no one is looking. She said federal agencies and their CIOs must establish ground rules for employees that recognize a duty to taxpayers, the concept of integrity and adherence to high ethical standards. For those reasons, HUD blocks employee access to Web sites devoted to activities such as e-commerce, personal e-mail and social networking.

“New technology inserted into the environment has caused us to rethink and re-educate folks about the black and white of ethical behavior,” Schlosser said. “It’s making people aware of the gray areas.”

Procurement ethics
Many observers say that the CIO’s oversight responsibilities have expanded exponentially in the past decade, and they need greater vigilance in dealing with vendors and contractors. 

“You’re talking abut hundreds of billions of dollars every year,” said Patricia McGinnis, president and chief executive officer of the Council for Excellence in Government, a nonpartisan organization that promotes government accountability. “A person in that position has a lot to steward.”

Agencies and their CIOs tread a fine line between collaborating with business partners and conducting procurements that are ethical and comply with laws and regulations, McGinnis said. CIOs must be careful not to swing too far in either direction.

“That, in my view, does not mean putting a wall between you and private-sector enterprises,” McGinnis said. “There is a lot to learn [from vendors]. You don’t want the most highly regulated outcomes. You want the best value.”

The attributes that contribute to an ethical culture also promote high performance within an agency, said Scott Mitchell, president and CEO of the Open Compliance and Ethics Group, a nonprofit group that helps private-sector organizations define rules of governance, compliance and risk.

Three critical factors signal whether an organization has an ethical culture, Mitchell said. They are whether the organization has a strong vision, whether employees have a sense of accountability, and whether an environment of open communication and trust makes it safe for workers to raise issues without fear of retribution.

“Ethics and culture provide a very important safety net so that when controls break down, employees have a guidepost that will appropriately direct their conduct,” he said. 

Ethical cultures promote ethical behavior through incentives, which often mean incentives for speaking honestly, said Mark Forman, an information risk management specialist at KPMG and former administrator of e-government and IT at the Office of Management and Budget.

In the absence of clear incentives, other forces hold sway, he added. For example, large IT projects, regardless of their shortcomings, are difficult to derail once they build momentum. Without a culture that encourages honest analysis, employees will be unlikely to speak out if a project is struggling, he said.

“You are chastised if you are honest about the likelihood of success,” Forman said. “It’s very difficult for a CIO to say to the emperor that ‘there are no clothes here.’ ”

Degrees of impropriety

Big ethical violations can be spotted a mile away. Subtle missteps are more difficult to track, and that is often the case with procurement improprieties.

“An IT person with a background and experience with product X will prefer X over Y — perhaps because of personal bias, perhaps because it creates more job security — and not necessarily consciously,” said Corey Booth, CIO of the Securities and Exchange Commission. “I believe most people are very honest, but bias creeps in.”

Booth illustrated that bias in a decision involving software. “If someone comes from an organization that had Documentum [Records Manager] as their document management system — assuming they didn’t dislike the product — they are likely to recommend Documentum again,” he said. “It’s better to go with the devil you know than the devil you don’t.”

The soft bias of personal preference might seem like a small infraction, but technically speaking, Booth said, ethics violations “are anything that cause personal bias to intrude on what is best for the taxpayer.” He said most agencies lack formal ethics training for IT employees.

“You can’t rely on the letter of the law in all cases to enforce ethics,” Booth said. “At the end of the day, more important than training is having leadership of the organization asking the right kinds of questions and creating the right kind of cultural environment, pushing on conventional wisdom, challenging
assumptions.”

Survey results support Booth’s contention. The Ethics Resource Center conducted a 2005 study of government employees and their peers at for-profit and not-for-profit organizations and found that having strong conflict-of-interest policies fails to make organizations more ethical if the organizations’ leaders do not promote high ethical standards.

Paradoxically, having policies that prohibit conflicts of interest can undermine ethical behavior if those policies engender feelings that managers are hypocritical and untrustworthy, said Stephen Potts, a chairman of the ethics center’s board and a former director of the U.S. Office of Government Ethics.

In his government ethics role, Potts said he frequently saw the importance of organizational culture in promoting ethical behavior. “There were some agencies that rarely had violations of conduct,” he said. “For others, it was more frequent. The difference was the commitment of the leadership at the top,” he said, regardless of political party affiliation. “Some organizations took the attitude of, ‘Let’s always try to cover up and make things look good, regardless of the facts.’ ”

Truth or consequences
The opportunities for ethical lapses in the IT world go well beyond arguments of impropriety or misdirected dollars. In the realm of privacy and information security, the stakes are much higher. Improper disclosure of information can have devastating consequences, said Don Ulsch, technology risk management director and privacy director at Jefferson Wells, an international consulting firm.

Cyberstalking is one of the fastest growing crimes in the United States, said Ulsch, who was a counterintelligence adviser to the Counterintelligence Office of President George H. W. Bush. Ulsch estimates that 40 percent of the investigations pursued by the computer crimes unit of the New York Police Department involve cyberstalking, which often precedes physical stalking and assault. A recent case of identity theft, he said, resulted in cyberstalking and murder.

Federal CIOs often grapple with the ethical dilemma of assessing information systems security, Forman said. CIOs must abide by the Federal Information Security Management Act of 2002, which was enacted to improve the security of federal computer networks. The Government Accountability Office’s Federal Information System Controls Audit Manual (FISCAM) requires different information security tests, he said.

“Can you say that you’re secure if you meet the FISMA standards when you know, based on FISCAM data, that your financial systems are not secure?” Forman asked. “CIOs have felt trapped by this ethical dilemma.”

Robin Zablow agrees that providing information security is one of the CIO’s toughest ethical challenges. “The CIO is responsible for the process, for creating layers of protection and making sure they are effective and that they work properly,” said Zablow, senior manager in the litigation and fraud investigation practice at BDO Seidman, an accounting and consulting firm. “It is the gray areas that present the biggest challenges.”
5 steps CIOs can take to create an ethical IT cultureDiego Maldonado, senior vice president of the Newberry Group’s
Government Technology Group, said that ethically responsible chief information officers try to ensure that:  

 1. Ethics policies and procedures include clear compliance requirements that organizations document and communicate to employees.

2. Due diligence in all aspects of managing information technology is part of daily operations and systems-related activities.

 3. All employees complete an ethics-training program.

 4. All ethics violations are reported, investigated and handled
expeditiously. 

 5. A system for due process is in place for addressing ethical
questions. 

— John Pulley


Definition of IT ethics is expandingThe ethical mandate of chief information officers is broader than ever before, said John Reece, founder and chief executive officer of John C. Reece and Associates, an information technology consulting firm based in Atlanta. In addition to traditional ethical responsibilities, CIOs are shouldering what Reece referred to as unrecognized or extraordinary ethical responsibilities.

Traditional ethics
  • Comply with and fulfill the oath of office.
  • Abide by laws and regulations.
  •  Uphold the agency’s mission and strategy.
  • Avoid conflicts of interest and undue influence.

Unrecognized or
extraordinary ethics

  •  Define an organization’s operational model and tune it constantly.
  •  Manage the organization’s enterprise architecture.
  • Develop an IT strategy and set priorities.
  •  Contribute to a smart IT culture.
  •  Maintain security of information and enterprise architecture.
  •  Contribute to the advancement of the organization’s workforce.
  • Set an ethical example and live up to it.
— John Pulley

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above