
Do CISOs Need a Code of Ethics?


Dark Reading Confidential Episode 19: Kickbacks, no-show jobs, "dirty" VCs, and shelf ware — industry expert Robert "RSnake" Hansen explains why he thinks it's time for a CISO code of ethics to ensure cybersecurity bosses aren't engaged in self-dealing that could risk enterprise, and even national, security.

Dark Reading Editorial Team, June 24, 2026

Dark Reading's Becky Bracken: Hello everyone, and welcome to Dark Reading Confidential. It is a podcast from the editors of Dark Reading bringing you real-world stories straight from the cyber trenches. I'm Becky Bracken, senior editor with Dark Reading, and I am here today with Robert "RSnake" Hansen to talk about something that I think is a pretty interesting subject. Welcome, thank you for joining us.

Robert "RSnake" Hansen: Thank you for having me, Becky.

DR's Becky Bracken: So, we're here today because a post of yours from LinkedIn caught my eye, focused on what you proposed could be a CISO's code of ethics. It was about a year ago and generated a lot of conversation, and I've had other conversations around the edges of this topic. And so, I wanted to bring you here today to unpack your proposal from a year ago and talk to us about whether or not your thinking has changed. Maybe we can start, for those of you who don't know, Robert Hansen has been in the industry for a long time. He is a world-class expert and now investor in Grossman Ventures. He's their CTO. So he has a really particular view of this. RSnake, tell us why you think we need a CISO code of ethics.

Robert "RSnake" Hansen: Well ... I don't think we should need one. How about that? I think the world should be a place where we just sort of all know the right thing to do. There are no reasons why anyone would do anything other than what is in the best interest of their company.
Because ultimately, what we really should be doing is making sure that the best interest of the company is being met, whatever that is, right? And the company will be the best one to decide for themselves what that is. So, when you're hiring a CISO, I would say most people would have the expectation that the job of the CISO is to provide the maximum amount of security that can be afforded with the budget's constraints and your technical constraints or whatever. And that's it, full stop. That's it. That would be the job, right? And unfortunately, I don't think that that is always the case. And it might be that there's quite a few cases, as a matter of fact, where it's more like whatever the CISO can do to not get fired, which is kind of a low barrier. Oftentimes that ... well, yeah, for sure I agree with that. What I mean by being low is not like reaching for the stars. It's just like trying not to get fired, which is everyone's job if you think about it. So, it's kind of a low bar.

Then beyond that, you think, OK, well, not just that, they're trying to improve the security of the company, reduce the spending in areas where there's been waste in their predecessors or whatever. And what we're finding is, at least in many cases that I've been told anecdotally, there's a lot of spend in areas that is either completely antithetical to the security of the company or is shelf ware. It's just being purchased for whatever reason. And it's never something that the CISO intends to deploy. Now, there could be a wide variety of reasons for that. They get a better deal on something else. And so, they're buying a bucket of things. If you remove all those sorts of kind-of-bad, makes-sense type of reasons, we're left with a bunch of bad and bad reasons, such as there might be some kickbacks involved.
There might be some sort of backroom dealing with the investors that says, we'll give you a little slice of something down the road or something like that. Or at least that's a theoretical way that that could happen. Maybe it's not a monetary kickback. Maybe it's just like exclusive tickets to a show or something that's got no monetary value because there's no way you could buy any — you can't buy these tickets.

DR's Becky Bracken: Yeah, but how does this, the CISO role in this instance, differ from any other corporate officer in charge of an enormous budget? I mean, CISOs in many cases wield enormous purchasing power, and people with purchasing power get the royal treatment. And how is that different in the CISO role, you think?

Robert "RSnake" Hansen: It is different in the job description sense. In terms of the potential of bad actors getting in those positions and abusing their power, I don't think it's different. In fact, I have some pretty good anecdotes of where this happens in HR, for instance. Like big HR firms that want to place people will go and sign specialized agreements with hiring managers, saying, "Look, we'll give you some crazy kickback, but you're always hiring from our stable of employees." Similar with CTOs: they will get a lot of different options, and "work a special deal with me and I'll let you into our company even if we have no interest at all in your technology or technology stack or whatever." So, I don't think it's different in the sense that there could be bad actors and some sort of kickback scheme involved, but I do think the job is significantly different.

Some people kind of argued, well, this should apply to everybody. Like, well, yeah, but I could remove all the security-specific things out of the code of ethics that I talked about. But I think the problem is security is one of those very niche areas that has national security implications.
It's not just like, we didn't deploy Salesforce after we bought Salesforce or something like that. That's annoying. That's a waste of money, but it's not a national security problem. Whereas if you deploy something that you really shouldn't deploy and you know you shouldn't deploy it and you're deploying it in a terrible way, but you're getting a kickback for it, that has big security implications for the company, for national security, et cetera, et cetera. So, in that sense, I think it is meaningfully different, with a massive distinction, with a difference.

DR's Becky Bracken: Gotcha. Sure. All right, well, should we go through a few of your recommendations and see where we land on these?

Robert "RSnake" Hansen: Absolutely, if you'd like.

DR's Becky Bracken: All right, OK. So, number one seems straightforward, but I imagine is not. A CISO must abide by their company's NDA, code of ethics, and employment contract. Why do we need that?

Robert "RSnake" Hansen: One would argue we don't; they've already signed it. Otherwise, how would they be an employee there? And yet, I think it's probably the most important one on the list, because one of the things you typically sign as part of your employment contract is that you're not going to take gifts, or that you must disclose if you are going to take a gift. And gift is kind of a weird word because it implies something you're given for free that's like a physical object. A gift could also be a contract for your spouse to go work on some side project that never needs to be completed kind of thing. So, there's other forms of kickback that it's not necessarily covered. But in any case, all of that should be disclosed to your manager if you are indeed following the code of conduct. And I'm finding that, at least in some of these anecdotes, they're not disclosed. And that could have even led to some terminations, although I was never able to confirm that detail.
So, either way, I really do think that number one, have a code of ethics and then have it signed. Like, agree to it. And I think by virtue of having an open code of conduct where, you know, I think there's like 11 things on the list or 10 things on the list or whatever, by having everyone sign it in public it sort of sends a signal to the market that anyone who doesn't sign this, why wouldn't they sign it? It's not like it's particularly difficult to follow the code of conduct you've already agreed to. It's not like I'm asking for any net new things in that line. That should be a throwaway, easy one, should be non-contentious. And yet a lot of people did. They're like, "Well, I already signed it. So why would I sign this again?" I'm like, "OK, you know, do you see why it seems weird to me that that would even be a problem?" Like, well, you've already signed it.

DR's Becky Bracken: Yeah.

Robert "RSnake" Hansen: Let's just move on past number one.

DR's Becky Bracken: Yeah. And it would be helpful, I would imagine, because some people may go into an agreement and say, well, a no-show job for my spouse, that's OK, you know? And it protects everyone on both sides of the transaction.

Robert "RSnake" Hansen: Yeah, and I just think that, so the original idea was to have this be like, let's call it a website or like, you know, some standardized — Dark Reading could even run it. You know what I mean? It doesn't have to be owned by me. Just a place where all CISOs can go in and say, "Yep, I've signed this thing, I agree with it." And then they can share it amongst their peers and their peers are looking at it and going, well, but I am not doing all those things. So, I have a choice. I can stop doing all those things and sign this thing. Or I'm going to lie publicly. And now I've inculcated myself or put myself in a very strange position when anyone points out the obvious that I'm not following it.

DR's Becky Bracken: A little shame.
Robert "RSnake" Hansen: Well, I mean, I don't think it's shame. I think it's peer pressure to do the thing we were hired to do in the first place. I mean, I've been a CISO. I've held that position before. And I remember the very, very difficult decisions I had to make on a daily basis. I mean, in some cases, it could be life-and-death type situations. As a matter of fact, it was kind of an important company. If you get it wrong, there's consequences. And the very last thing the company wants to hear is like, "By the way, I'm signing random agreements with random companies and it's all shelf ware. And I'm not doing anything really for your company. And yes, I'm going to get fired in 18 months, but that's OK. You know, I made my money on the way out the door." You know, if they knew that I was that kind of person going into the thing, and it was just sort of checkboxy, would they have hired me? I think not, you know.

DR's Becky Bracken: You can also understand how it could be human nature to say, "How long is my shelf life in this company? I need to be thinking about my next move." And I mean, you've seen plenty of CISOs who have ventured out and said, "You know what, I'm going to go serve as a field CISO for a vendor," or something like that. I mean, how do you know what is smart networking, and what is a conflict of interest at that point?

Robert "RSnake" Hansen: Yeah, I mean, I think that's fine to have a life after a CISO. I don't think there's anything wrong with that whatsoever. But if you had the life after CISO while you're having the life as a CISO, that's a problem ... but also it could be fine, right? It could be completely fine because, see, this is the fun part about this whole thing, because there's a totally valid, good way to do all this stuff that is nothing up my sleeves. I could be completely on the up-and-up. CISOs have part-time things I'm doing on the side, like unrelated, non-conflict-of-interest type things.
Or I could take on an advisory position on a very important vendor that we really want to bring up. And my executive team's like, "Yeah, jump on the advisory board." Yes, there might be some compensation there. We don't really care because we really want this thing to work. And so, we're investing in them by letting you have some time off to go spend with them.

DR's Becky Bracken: Right.

Robert "RSnake" Hansen: And if you get a little money on the side, who cares? Like, if they're in the know on that, I don't think there's any conflict there at all. I think you're good to go.

DR's Becky Bracken: Right. I see what you're saying. All right. Well, let's move to number two, because these are pretty good. Number two, "A CISO must disclose any remuneration, equity, cash, promises of future positions, gifts of any size, even if they are claimed to have no value, or kickback of any kind to their employer. This includes consulting agreements, payments made to spouses, or any other way that the CISO may financially benefit or otherwise benefit." So, kind of the same thing goes to the transparency issue.

Robert "RSnake" Hansen: Yeah, just explain it to your executive team. If they say, "No problem, I don't care," then there's no conflict. So, I don't think CISOs should be scared of that. I don't think there's anything weird. I've actually seen some deals where I was sure, I was positive, that the executive team would see conflict and they decided there really wasn't from their perspective. I'm like, "OK, well, eyes wide open." I wouldn't have made that decision personally if I were them, but ... if they believe that there's no conflict there, then I think that's completely fine.

DR's Becky Bracken: OK. Three, "If a CISO has a consulting practice, the customers and nature of the consulting agreements should be made transparent." As you said, to the CISO's employer, and should be free of conflicts. Same thing.
Robert "RSnake" Hansen: I think this is kind of restating number two. You might even be able to shove two and three together there. But what I've found is that quite a few CISOs do have third-party consulting practices that they run. And I have anecdotal evidence that a lot of them get no-show type kickbacks through those consultancies. So, if that's the case, it should be very transparent to the executive team that that's what's going on.

DR's Becky Bracken: Yeah.

Robert "RSnake" Hansen: Because they're seeing the contracts fly by and they're like, "OK, no problem here," kind of thing. You don't have to disclose the nitty-gritty underlying parts of what's happening necessarily. Like, you don't have to disclose confidential information, but if it's literally, you're working for this vendor, the one that you're currently evaluating, like, I would like to know that, like, what's going on with that contract.

DR's Becky Bracken: I watch CISOs be courted and feted to kind of a gross degree. I just moderated a panel where they were yelling, I mean, these are composed professionals who were like, "Stop sending me LinkedIn things!" So there is a lot of pressure on these folks as well. So, walk me through one of these [situations]. What kind of size of contract do you think it would require for me to get one of these? What kind of dollars are we talking about?

Robert "RSnake" Hansen: I've heard different numbers. The highest numbers I've heard are in the low millions of dollars. And then a lot of them are, you know, handfuls of tens of thousands; you know, it's not necessarily huge contracts. But if you think about it, if you're an average CISO and you do like, you know, 10, 20 vendor contracts over the 18 months you're there or something, that could end up being quite a bit of money; a couple hundred thousand dollars in your pocket that you didn't have otherwise. So, these could be quite meaningful contracts even on the small end.
On the high end, these are very substantial numbers, very substantial. And that's not the only way they get — allegedly, anyway — I was never in the room, to point that out. Also, another thing to point out is that some of the people who were alleged to have done these things in the past have since, I have it on fairly good authority, stopped doing some of this activity. It was deemed to be totally legal, on the up-and-up, and they weren't doing anything wrong, but it had a bad look, so they ceased it, according to some documents I've seen.

But if I'm an average CISO and I'm being courted by, let's say, a malicious, or not malicious exactly, but a sort of "dirty VC." One of the ways this can happen is I can say, "Look, you can invest in my VC; call it a million dollars or something; and we'll let you invest. And you don't have to pay us. We'll just give you this thing, and you'll pay us out of the upside." And so, there's no risk and there's only upside. Or: "We'll give you shares in our fund as a consulting, you know, kickback or whatever." They don't call it that, but you know what I mean? And then when everything goes to the moon, which you're highly incentivized to make that happen now, you see the upside. And which actually, I think that second one is actually closer to being something I think would be OK as long as your leadership knew it and or, probably and, you had no say at all in the investment thesis at all.

So if you're totally hands off and you don't have anything to do with who's chosen, you don't have the authority to make a choice anywhere in it, and you're telling the executive team, like, "I'm invested in this thing, conflict of interest, conflict me out of this decision, and here's how I'm making money if this thing goes well," you can work around it and actually be fine, I think. I think it's totally actually fine.
But you know, there's some hoops you gotta jump through when you're doing things and when you're serving two masters.

DR's Becky Bracken: Yeah. So if I'm a CISO and I want to go to an F1 race that I would never have access to, are you against that? Is that cool by you? As long as I'm telling everybody that it's a vendor trip.

Robert "RSnake" Hansen: As long as your team knows that you're getting this benefit, I don't think there's anything wrong with it. If your executive team is like, well, then what do you expect to do when you're there? Like, it's a time share. It's a vacation, but it's not a vacation. What's going to happen here? If that's going to influence your decision making, then we want to know exactly which way.

But if it's a way to get to know the vendor and you're really actually serious about buying it and you need to spend some quality time, sit down and really understand, or sales execs are going to be there and they're going to really, like, walk you through everything. Like, you could make a very high utility trip out of something like that. And if it's disclosed, why wouldn't they allow you to do that? Especially if you're having fun, you know, go for it, have a good time.

But it's the other one, where it's like quietly, stealthily influencing your decision making and you would never have chosen this vendor normally in our normal situations. You won't even use the vendor at all. In some cases, allegedly, these companies are chosen and they literally cannot work in the environment of the company that brought them in. Like, it won't install. And like, why would you have ever technically chosen that? And it's not like they didn't know that. They actually knew that ahead of time. So it was chosen despite the limitations.

DR's Becky Bracken: Wow.

Robert "RSnake" Hansen: And so, the only way that that makes sense is if someone's getting something in return, right? There's no upside at all.
And that's where the company, whether I'm the shareholder of that company or an executive of the company where that money really does matter and it can be used for other things, that's where I start wanting to see some heads roll, if that makes sense.

DR's Becky Bracken: Right. Yeah, that's pretty reckless. OK. As you said [in the original LinkedIn post on the topic], where conflicts are unavoidable, the CISO must recuse themselves; seems reasonable. In addition, the CISO may join customer advisory boards as long as their company authorizes it. And if compensation is offered, it should also be authorized by the CISO's employer. We covered that. If a CISO invests their personal money into a vendor or joins a board of a vendor, they must be free of conflict by recusing themselves from any conflicted product evaluation. Now this one I would imagine could get squishy, because again, there is an incentive. There is a reason why you would want your CISO in the guts of an up-and-coming vendor. So how do you slice that one down?

Robert "RSnake" Hansen: Mm-hmm, for sure. So that's where you have a staff, right? That's where you have other people on staff and you're like, "OK, look, everybody, so you know, here's the reason I like it. Here's the reason I chose it. But I have to step out of the room for all these evaluations. You guys will have to tell me which ones you choose. If you chose the one I like, great. If you don't, well, I'm just gonna have to live with that." Because if you're in the room and you're staring at people and saying you can't ask that question, or like trying to reframe the conversation, trying to pivot everything around to your way of thinking, you're definitely going to be influencing this. Your employees are going to feel that they have no choice. And if they have no choice ...

DR's Becky Bracken: Even if it's not intentional, I would imagine if you're heavily involved in something and you're going to … I think you're right.
Stepping out of the room would, it would be hard to be impartial if you were …

Robert "RSnake" Hansen: It would be really hard, right? And so that's where, if you have a staff, you just have to empower them. They're smart people. You brought them in for a reason. You're going to cede the buying authority for that particular thing. You know, you have typical budget constraints you'd always have. We have to work within this size of budgets and whatever, but like, you have to step back. Now there's some wiggle room to be bad in these constraints. If you're the low-cost vendor, it's like, well, our budget's only at the level that we allow or whatever. So, there's some hinky things that can be done there.

But I think for the vast majority of cases, this could be dealt with just by saying, "All right, I don't control the budget for this particular line item. I don't control this, like, CFO and whoever works for me, you're gonna have to figure this one particular detail out because I'm too conflicted." I think that's doable. It's annoying. So as an executive, if I knew one of my employees was one of these kinds of people, I'd be a little hesitant. It's like, well, we're going to have to buy EDR someday and you're investing in some EDR vendor. It's like, how much of a pain is that going to be for me to have to work around you? It's like you're adding some conflict there that I'm not sure I want to have to deal with.

But, you know, a lot of companies don't really think that far ahead and they'll just go for it. This is why I think disclosing ahead of time is really your best friend. Because that way, if the company doesn't like it, well then, you go to some other company. If they don't care, then great, you found your home and you're ready to go. And if they do care, but they allow a carve out for you, great, you found your home. There are ways around all of this.

DR's Becky Bracken: OK, we are at number seven.
All vendor products and services should be evaluated on efficacy, price, compatibility, and utility to the company and documented accordingly. And this goes back to what you were saying about a completely incompatible piece of hardware that was never …

Robert "RSnake" Hansen: Right, right. Or like crazy expensive when it was unnecessary. Like, we could get the exact same product, exact same features. Why are we picking the one that's 10 times as much? Like, why?

DR's Becky Bracken: How often is something like that happening? That seems like an egregious outside example, but how outside is it?

Robert "RSnake" Hansen: Well, I certainly don't have stats, but I have definitely heard rumors around the water cooler of this occurring. And when it does occur, it's so large. It's also stair-stepped. It looks like what tends to happen is when the vendor does this kind of thing, when they start doing these kickbacks, what'll happen is they'll start with small ones and then they'll get slightly larger, and then slightly larger, and then slightly larger. So, it looks like a nice ramp, but at the end, those numbers can be multimillion-dollar contracts.

DR's Becky Bracken: And you've got your kids in a nice private school, and now you need that money. I mean, I got it.

Robert "RSnake" Hansen: Right. So, I think this happens more in companies like the B and C stage than where it gets these large numbers, I should say. I think it happens at all levels, but I think the very largest bribes or whatever, if they are happening at all, they're probably happening more in the B and C timeframe, if that makes sense. 'Cause that's when you need your valuation, like, really hockey-sticking up. And so those numbers really matter.

DR's Becky Bracken: Right. And user numbers and that sort of thing. How blatant are vendors about this? Does everybody just kind of go in, ha ha ha, you know, elbowing each other and knowing how this works? Are they built into negotiations?
Like, how does this subject even get broached between the vendor and the CISO?

Robert "RSnake" Hansen: I have not been in the room in most of the cases. So, I really don't know most of the time. I will say I have seen it on the other side. Once, where I was the vendor and I was being asked to give a kickback, which I thought was very strange. And at the time I think I was just maybe too naive or something. I didn't even know what was happening. He was trying to get on our advisory board and I'm like, "But the problem is you don't know anything about our company at all. Like, nothing."

DR's Becky Bracken: What was the ask, if I can ask you?

Robert "RSnake" Hansen: Exactly! I think that's where I got stuck. I'm like, "I don't get why I would do that because, like, you don't know anything." If he had been, like, much more of an expert, I would have considered it because he was a pretty big client. And so, I think that's why I was confused. I'm like, "No, I don't think I will do that." But it was [an ask for a bribe]. It sounded stupid. So, I think I was naive and the ask was bad. So I just didn't catch what was happening.

DR's Becky Bracken: Mm-hmm. Two ships passing in the night kind of a thing.

Robert "RSnake" Hansen: Right, I just didn't catch what was going on. But years later, when I knew, when I started finding out that this might be happening at greater numbers, that's when it kind of all clicked. "Oh, that's what that was!" And I was too dumb to offer it to him. And so of course he didn't buy, because I didn't offer him the thing he wanted. And I didn't capture it at the time.

DR's Becky Bracken: You didn't understand the lingo.

Robert "RSnake" Hansen: He was even very clear in the end, but still, the ask still didn't make sense. He was more or less, "I'm the gatekeeper to all these companies. So if you do it for me, then I'll get you in not just my company, but many other companies."
And I'm like, yeah, but you, like, I was picturing him trying to sell us when he didn't know what we did. And I'm like, that's not gonna work. Yeah, yeah, I'm good. I'm a good guy, you know.

DR's Becky Bracken: Gotcha. I got way better people to spokesman for our deal over here. Interesting. So, your vision then, I'm sorry. Let's get through the rest of these because I think this, especially (RSnake's CISO ethics guideline number) nine, is very important. So, number eight is CISOs should have at least one party that double checks their conflicted status on every purchasing decision and can veto accordingly if a conflict is seen. So again, that's a staffer, a CFO, somebody outside of your purview.

Robert "RSnake" Hansen: Yeah, I picture the CFO; it could also be the CTO. I mean, there's other people it could be in the company, but yes. A delegated person just to make sure there's no conflicts. I actually don't think that's even particularly contentious.

DR's Becky Bracken: OK. No, I mean, I think everybody would like to be more accurate and more intentional in their stuff. All right, and then number nine, for national security reasons, CISOs should not become advisers to any other security companies that are not domestically housed in the same country as their employer. Talk to me about that one.

Robert "RSnake" Hansen: Well, this is the one that everyone hates. And, you know, so the original thinking was, if I was a foreign national and I'm like, hmm, if I was going to build an op against, you know, the United States as an example, one very cool way to do it is to get a situation where lots and lots and lots of companies can get put into environments when they really weren't the right solution at all. But it doesn't matter because they phone home to us and now we get access, plus we actually get a whole bunch of people who have now taken bribes that we can, you know, kind of convince them that they don't want to go to jail.
So, you'll do other things for us, et cetera, et cetera. So, it's a really good op, right? It's like, it turns out that it's a very nice way to get a whole bunch of people to do things you want. I'm not saying that is what happened or even that anyone thought about it, but I just don't like the smell of it personally. I think that's really, really dangerous.

Furthermore, if you believe that security matters, and I tend to be in that category, and you believe that national security is improved or reduced by virtue of individual companies' contribution to it, which I firmly believe is the case, then you also believe that nation states do attack private entities in many different ways, then you really are in a geopolitical game. Whether you want to be or not, whether you care about it personally or not, you are in the game. And so I'm just trying to figure out a way that we can make absolutely sure that balkanization, which is not necessarily the greatest thing for our industry in multiple ways, but if we're going to do it, and it looks like there's lots of examples of where it's already starting to happen, then we don't start creating conflicts across countries, or an instance where you have somebody who's conflicted between serving their national interests and some foreign interests.

DR's Becky Bracken: What are some examples of that? Can you give me one?

Robert "RSnake" Hansen: I could probably give you a thousand. So, let's say I'm selling some RF communication equipment or something, but I'm selling it to one country or lots of different countries. Well, I might not care so much about national security if I'm selling it to lots and lots and lots of countries, as an example. Well, if I'm a CISO and I'm now on the advisory board of companies where they are, it kind of makes sense that I'd share internal information to these companies because, like, it's helping them, but that's actually a foreign adversary. Now you've just helped out a foreign adversary.
It would be bad enough that it leaked out of your company, but it's far worse if it reaches the foreign adversaries. So yeah, I could literally come up with hundreds of examples of where this would go terribly wrong. Like banking infrastructures, and, you know, here's how to sell into these banks and do these crazy things. And we can, you know, connect you to exactly the right people and I'll get you in exactly the right meetings. And now, all of a sudden, you have foreign nationals right in your banking systems or right into your backup or supply chain management or whatever. So there's lots and lots of places where this can go terribly wrong.

So rather than trying to solve, like, every single security problem all at once, I was like, OK, well, if we could just lock it into your region, whatever region you're in, that would actually solve a lot of these problems, because then you're really tied to your geography and you're really locked into helping your country, wherever country you're in. It doesn't have to be the United States, whatever country you're in. And you're no longer conflicted by virtue of serving two different national security interests at the same time.

DR's Becky Bracken: And such a good reminder that enterprise security is national security is enterprise security. It's all hand in glove.

Robert "RSnake" Hansen: I was at this IT-ISAC meeting many, many years ago, and the guy who led it at the time, there was a bunch of mega-corps in this meeting and he's like, "I realize we're about to have a meeting with some people who don't even have business cards from some government agency or whatever." They literally just have a number on a card and they hand it to you. No name, if they do have a card at all.

DR's Becky Bracken: Spooky.

Robert "RSnake" Hansen: It sure was. And so, he's like, "You know, I realize everybody in this room is a multinational and you have to be selling to many, many different nations, but you are all American companies."
And so that's the only reason I think you might actually take this meeting and take it seriously. And like, he's not wrong, right? When you have multinational companies and you have a global ecosystem and you have, you know, interstate, international commerce, and you're starting to pass through multiple jurisdictions at the same time, there's a lot of complexity here. And I'll be honest, I really don't think most people have thought about the geopolitical ramifications of even simple things like basic contracts, let alone what might be happening with the data and the advice that they're giving across borders. So, this was the most contentious one (among the cybersecurity community following his initial proposal for a CISO code of ethics) by a long, long, long margin.

DR's Becky Bracken: Because cybersecurity was built on that international collaboration, I mean, that's sort of the foundation of the entire enterprise, right?

Robert "RSnake" Hansen: So, you know, a conspiracy theorist would say, well, yes, that's exactly what a foreign national would be doing is trying to convince you to remove that one line. Right. Or, you know, people have very good points like, "Look, there's a lot of really good companies that live all over the world." True. But we also had, like, Kaspersky, you know, and, you know, they were a good company and they're also Russian and they also might be doing other interesting things.

DR's Becky Bracken: OK, OK. Touché.

Robert "RSnake" Hansen: You know, so I think a lot of these, you know, very heavily state-connected companies, I could see why someone would feel comfortable joining their board and, you know, helping out or whatever. I got asked to go work for a company called Blekko, which was a search engine company that was basically absorbed at least partially by Yandex. I'm like, I am not helping Yandex. Like, you know, it's a different company.
I'm like, "OK, but show me how the data flows," and it looked like it all was going into Yandex to some degree. And I'm like, "Can't help you, I'm sorry."

DR's Becky Bracken: And I also wonder that as geopolitical sentiments harden, if this might feel more oppression in the coming years, because I think, based on my reporting, Europe is starting to look twice at the tech that they're even using from the US. And that seems like a leading indicator.

Robert "RSnake" Hansen: Of course. As they should, because we are under no obligation to protect Europe. You know, they are a different nation and even our direct allies, the Five Eyes, the ones that we share most information with, we spy on each other all the time. For the purpose of our national security apparatus, we're not allowed to spy on ourselves domestically, but we are allowed to take data from one of our partners that spied on us and then utilize that. And so, we're always spying on each other. So, if someone sends out a box to some other country and it starts misbehaving, well, no kidding, of course it did. So I think balkanization is unfortunately the wave of the future. I think that's how everything's gonna end up going. And because of advancements in AI and less centralization of chip manufacturing, I think we might end up really seeing a lot more of that take off.

DR's Becky Bracken: All right, because this was a year ago, and you said that you got some pretty strong responses on the foreign national companies. What was the reaction? That's not realistic, that's too draconian. Is that what the complaint was?

Robert "RSnake" Hansen: Mm-hmm, to say the least. Yeah, yeah. And, like, missing the forest for the trees. Like basically (that guideline against sharing information with foreign companies) would be cutting off a lot of our pipeline of best products that come from other regions in some cases. And that may or may not be true. I'm actually not convinced that is actually a true statement.
But what I am convinced of is either they feel confident in that, or they feel confident enough to say it out loud and feel like they're not gonna get called out for it. Either way, it doesn't matter because ultimately, we really can't get this wrong. You know what I mean? Like we can't get it wrong. And so, their entire bet is that they got it right. And my bet is, you can't know. You really don't know, which I think is a far safer bet. So, if you're going to have to make a bet, at least bet with your supposed allies, you know what I mean? Because sometimes these are not even allied countries that they're buying from or advising or whatever. So, I think there's a lot of room for conversations on this one and I'm not married to it, but I'm glad I put it out there. And by the way, what dissuaded me from going any further on this project was all the feedback, because I felt like it was an educational lift that was gonna be so difficult that the average CISO would not be able to follow it. Not that they couldn't if they focused on it, but they would just inherently kind of knee-jerk a reaction, go, "No, no, no, I have my favorite vendors overseas and I'm gonna work with them no matter what." It's like, well, I don't doubt that there is some talent and some technology that's coming from other places that is good. I'm not saying that. But I do think that helping other nations grow in technological superiority over whatever nation you belong to is probably a national security concern to some degree.

DR's Becky Bracken: I would dare say that is an America-first perspective.

Robert "RSnake" Hansen: Well, or country, whatever country you're from, right? If you're from Germany, I'm sure I would feel that if I was from Germany and they were from Germany, yeah, yeah, an ethnocentric or country-centric view of the world, I guess, which, you know, some people really, really, really hate that stuff and they want it to be one world.
Everybody's all uniform and full interconnectivity. But all we've seen is more balkanization. Like you can't, I can't even right now, I can't go and download the Russian version of NVD, because the entire Internet's off. From my perspective, I can't reach any of it. And so, if you don't think that that's going to happen more and more, like same thing with the RAM. I can't just download random stuff. North Korea, I can't go and download stuff arbitrarily out of North Korea. And so, we're already seeing these pieces, like little bits and bytes of balkanization: trying to, somewhat frequently, disable chunks of their internet when they feel like it. So I think if you're not thinking along these lines, when the next war happens and you have some of your assets sitting on the other side of the wall, or other side of the border, the conflict zone, which we have seen in the case of Russia, we had companies that had people in Ukraine and people in Russia that they were employing, and all of a sudden they hate each other and they're trying to hack each other and do horrible things. So, you kind of have to think about the world stage and where your assets are. At least I think that's the way things are.

DR's Becky Bracken: That is very interesting. I've learned so much. Now, do you feel like you're gonna pick this project back up or do you still not feel like the time has arrived for you to re-engage?

Robert "RSnake" Hansen: Like I said, that last bullet was really demonstrative to me that the industry is not ready for it. Now, if you remove the last bullet, I think it would be, I think the vast majority of people would sail through. They would just sign it just because they don't want to seem like the kind of person who doesn't sign it. But really, I think that's a half-measure because I think that last one, despite being the most contentious, is possibly the most important to some degree.
DR's Becky Bracken: Yeah, it almost seems like petty double dealing over, you know, sort of an existential decision.

Robert "RSnake" Hansen: Right, like one is a little bad for your company perhaps and the other is a lot bad potentially for the whole of whatever nation you live in. So, I'm not saying that someone else shouldn't, hell, I think you guys should do it, that'd be great. But I think that for me, that last bullet was sort of the bullet in my desire to continue that project.

DR's Becky Bracken: Yeah, well, I want to thank you so much for sharing your perspective with us today. It really opened up more questions that I have. Yeah, let's definitely not make this the end of this conversation. And I really appreciate you choosing Dark Reading to come and share your perspective.

Robert "RSnake" Hansen: Thanks, Becky.

DR's Becky Bracken: All right, well this has been Dark Reading Confidential, a podcast from the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. Thank you Robert "RSnake" Hansen. Thank you to everybody in the audience. We'll see you next time. Bye bye.

About the Author

Dark Reading Editorial Team: The Dark Reading Editorial Team consists of Kelly Jackson Higgins, Fahmida Y Rashid, Tara Seals, Rob Wright, Becky Bracken, Alex Culafi, Arielle Waldman, and Kristina Beek. Among us, we have over 99 years of experience covering cybersecurity. That's pretty striking considering the industry hasn't even been around that long.