Ethics starts here

Chief information officers increasingly are expected to fill the role of chief ethical officer, with responsibility for creating an ethical culture.

The controversial five-year tenure of Dianah Neff, Philadelphia’s former chief information officer, culminated this past August in negative publicity for the official known in information technology circles as the architect of Mayor John Street’s Wireless Philadelphia project. Civitium, a company that worked on the city’s Wi-Fi initiative, announced that the former CIO was coming onboard as a senior partner. Neff had overseen the IT consulting firm’s work on the project. Neff’s critics howled, saying the move was a conflict of interest and a violation of ethics. Neff’s apparent impropriety is remarkable only because it is the most recent case to draw the public’s ire. The Wireless Philadelphia project is an ambitious plan to provide wireless Internet service to the entire city. Neff’s high-profile position was matched by an annual salary of more than $194,000, which made her the highest-paid member of the mayor’s inner circle. Neff had become well-known for racking up frequent flyer miles, traveling to at least 56 technology conferences, some abroad, according to the Philadelphia Inquirer. The newspaper reported that some of those trips were paid for by a for-profit organization that receives funds from wireless companies, including Earthlink, “the Atlanta company selected last year to build Philadelphia’s wireless network. None of the free travel was disclosed on Neff’s annual ethics statements.”City officials deemed the free trips to be gifts to the city, not Neff, and did not require her to disclose them. In September, Philadelphia’s board of ethics determined that Civitium did not violate city or state conflict-of-interest rules by hiring Neff, even though the former CIO had awarded the firm three contracts worth $453,000. Neff had also praised Civitium in remarks that she provided to the company for its marketing materials, and she participated in a podcast for Civitium while she was negotiating terms of her employment with the company, the city’s ethics review board reported. The board concluded that Neff did not break any rules or laws, but it nonetheless scolded the former CIO for those activities related to Civitium. “It approaches the level of being shocking for any city official, in the current atmosphere of scrutiny of official conduct, to proceed in any arguably questionable manner,” the board concluded in its report, which noted the apparent impropriety of Neff’s actions. “Although conduct that creates an appearance of impropriety does not explicitly violate any particular ethics law, such conduct tends to weaken public confidence in government,” the board wrote.According to the report, Neff dismissed the ethics board’s criticism of her as unfair.Have CIO ethics become too fuzzy? Of course not, said Michael Josephson, president and founder of the Joseph and Edna Josephson Institute of Ethics. “Ethics is knowing the difference between right and wrong and deciding to do right,” he said. Josephson is one of a dozen current and former CIOs and ethics experts who talked to Federal Computer Week about the ethical landscape that federal CIOs traverse and the routes they might take to avoid missteps. They described a topography that has become bumpier and increasingly difficult to navigate. Rules cannot ensure ethical behavior, the experts said. They suggested that effective CIOs go beyond prescriptive measures and strive to inculcate ethical cultures. Too often, CIOs wait for someone to tell them what to do, said Josephson, whose clients include the Defense Department. “The better CIOs are far more visionary than in the past,” he said. “A lot of them used to be technocrats, but the really excellent CIO is solving problems creatively and anticipating problems as well.”Josephson said a troubling issue facing contemporary IT managers is the ethical lassitude of many younger workers. He cited a recent survey showing that two-thirds of young people say they have cheated on an exam and more than one of four has stolen from a store. Some of those young workers have access to their organization’s computer systems. Those systems are like “a gigantic safe that includes all the most valuable information an organization has,” Josephson said, and the CIO must guard the safe. “CIOs have a role as policemen that they haven’t had before and that they aren’t excited about or trained to handle,” he said.As CIOs become established members of C-suite executive teams — joining top dogs such as the chief executive officer, chief financial officer and chief technology officer — they will gain more responsibility for calibrating the ethical climate, said Lisa Schlosser, CIO at the Department of Housing and Urban Development. Two years ago, HUD’s CIO reported to the assistant secretary for administration. Today, Schlosser reports directly to the deputy secretary. Schlosser said, “HUD helps our users to maintain ethics,” which she defined as what you do when no one is looking. She said federal agencies and their CIOs must establish ground rules for employees that recognize a duty to taxpayers, the concept of integrity and adherence to high ethical standards. For those reasons, HUD blocks employee access to Web sites devoted to activities such as e-commerce, personal e-mail and social networking. “New technology inserted into the environment has caused us to rethink and re-educate folks about the black and white of ethical behavior,” Schlosser said. “It’s making people aware of the gray areas.”Many observers say that the CIO’s oversight responsibilities have expanded exponentially in the past decade, and they need greater vigilance in dealing with vendors and contractors.  “You’re talking abut hundreds of billions of dollars every year,” said Patricia McGinnis, president and chief executive officer of the Council for Excellence in Government, a nonpartisan organization that promotes government accountability. “A person in that position has a lot to steward.”Agencies and their CIOs tread a fine line between collaborating with business partners and conducting procurements that are ethical and comply with laws and regulations, McGinnis said. CIOs must be careful not to swing too far in either direction.“That, in my view, does not mean putting a wall between you and private-sector enterprises,” McGinnis said. “There is a lot to learn [from vendors]. You don’t want the most highly regulated outcomes. You want the best value.” The attributes that contribute to an ethical culture also promote high performance within an agency, said Scott Mitchell, president and CEO of the Open Compliance and Ethics Group, a nonprofit group that helps private-sector organizations define rules of governance, compliance and risk.Three critical factors signal whether an organization has an ethical culture, Mitchell said. They are whether the organization has a strong vision, whether employees have a sense of accountability, and whether an environment of open communication and trust makes it safe for workers to raise issues without fear of retribution. “Ethics and culture provide a very important safety net so that when controls break down, employees have a guidepost that will appropriately direct their conduct,” he said.  Ethical cultures promote ethical behavior through incentives, which often mean incentives for speaking honestly, said Mark Forman, an information risk management specialist at KPMG and former administrator of e-government and IT at the Office of Management and Budget. In the absence of clear incentives, other forces hold sway, he added. For example, large IT projects, regardless of their shortcomings, are difficult to derail once they build momentum. Without a culture that encourages honest analysis, employees will be unlikely to speak out if a project is struggling, he said. “You are chastised if you are honest about the likelihood of success,” Forman said. “It’s very difficult for a CIO to say to the emperor that ‘there are no clothes here.’ ”Big ethical violations can be spotted a mile away. Subtle missteps are more difficult to track, and that is often the case with procurement improprieties.“An IT person with a background and experience with product X will prefer X over Y — perhaps because of personal bias, perhaps because it creates more job security — and not necessarily consciously,” said Corey Booth, CIO of the Securities and Exchange Commission. “I believe most people are very honest, but bias creeps in.” Booth illustrated that bias in a decision involving software. “If someone comes from an organization that had Documentum [Records Manager] as their document management system — assuming they didn’t dislike the product — they are likely to recommend Documentum again,” he said. “It’s better to go with the devil you know than the devil you don’t.”The soft bias of personal preference might seem like a small infraction, but technically speaking, Booth said, ethics violations “are anything that cause personal bias to intrude on what is best for the taxpayer.” He said most agencies lack formal ethics training for IT employees. “You can’t rely on the letter of the law in all cases to enforce ethics,” Booth said. “At the end of the day, more important than training is having leadership of the organization asking the right kinds of questions and creating the right kind of cultural environment, pushing on conventional wisdom, challenging assumptions.” Survey results support Booth’s contention. The Ethics Resource Center conducted a 2005 study of government employees and their peers at for-profit and not-for-profit organizations and found that having strong conflict-of-interest policies fails to make organizations more ethical if the organizations’ leaders do not promote high ethical standards. Paradoxically, having policies that prohibit conflicts of interest can undermine ethical behavior if those policies engender feelings that managers are hypocritical and untrustworthy, said Stephen Potts, a chairman of the ethics center’s board and a former director of the U.S. Office of Government Ethics. In his government ethics role, Potts said he frequently saw the importance of organizational culture in promoting ethical behavior. “There were some agencies that rarely had violations of conduct,” he said. “For others, it was more frequent. The difference was the commitment of the leadership at the top,” he said, regardless of political party affiliation. “Some organizations took the attitude of, ‘Let’s always try to cover up and make things look good, regardless of the facts.’ ”The opportunities for ethical lapses in the IT world go well beyond arguments of impropriety or misdirected dollars. In the realm of privacy and information security, the stakes are much higher. Improper disclosure of information can have devastating consequences, said Don Ulsch, technology risk management director and privacy director at Jefferson Wells, an international consulting firm. Cyberstalking is one of the fastest growing crimes in the United States, said Ulsch, who was a counterintelligence adviser to the Counterintelligence Office of President George H. W. Bush. Ulsch estimates that 40 percent of the investigations pursued by the computer crimes unit of the New York Police Department involve cyberstalking, which often precedes physical stalking and assault. A recent case of identity theft, he said, resulted in cyberstalking and murder. Federal CIOs often grapple with the ethical dilemma of assessing information systems security, Forman said. CIOs must abide by the Federal Information Security Management Act of 2002, which was enacted to improve the security of federal computer networks. The Government Accountability Office’s Federal Information System Controls Audit Manual (FISCAM) requires different information security tests, he said. “Can you say that you’re secure if you meet the FISMA standards when you know, based on FISCAM data, that your financial systems are not secure?” Forman asked. “CIOs have felt trapped by this ethical dilemma.”Robin Zablow agrees that providing information security is one of the CIO’s toughest ethical challenges. “The CIO is responsible for the process, for creating layers of protection and making sure they are effective and that they work properly,” said Zablow, senior manager in the litigation and fraud investigation practice at BDO Seidman, an accounting and consulting firm. “It is the gray areas that present the biggest challenges.”














A higher bar










The C suite







Procurement ethics




















Degrees of impropriety


















Truth or consequences









5 steps CIOs can take to create an ethical IT cultureDiego Maldonado, senior vice president of the Newberry Group’s
Government Technology Group, said that ethically responsible chief information officers try to ensure that:  

 1. Ethics policies and procedures include clear compliance requirements that organizations document and communicate to employees.

2. Due diligence in all aspects of managing information technology is part of daily operations and systems-related activities.

 3. All employees complete an ethics-training program.

 4. All ethics violations are reported, investigated and handled
expeditiously. 

 5. A system for due process is in place for addressing ethical
questions. 

— John Pulley


Definition of IT ethics is expandingThe ethical mandate of chief information officers is broader than ever before, said John Reece, founder and chief executive officer of John C. Reece and Associates, an information technology consulting firm based in Atlanta. In addition to traditional ethical responsibilities, CIOs are shouldering what Reece referred to as unrecognized or extraordinary ethical responsibilities.

Traditional ethics
  • Comply with and fulfill the oath of office.
  • Abide by laws and regulations.
  •  Uphold the agency’s mission and strategy.
  • Avoid conflicts of interest and undue influence.

Unrecognized or
extraordinary ethics

  •  Define an organization’s operational model and tune it constantly.
  •  Manage the organization’s enterprise architecture.
  • Develop an IT strategy and set priorities.
  •  Contribute to a smart IT culture.
  •  Maintain security of information and enterprise architecture.
  •  Contribute to the advancement of the organization’s workforce.
  • Set an ethical example and live up to it.
— John Pulley
X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.