What's that saying that's used to justify spying on everyone? "If you have nothing to hide then you have nothing to fear".
You can't divorce security from ethics, because so much of security does not make everyone safer; it often makes a small group safer from the public, and that may not be in the public interest. Security against viruses is good for everyone but the few who want to use viruses to the detriment of the infected. Security against "pirates" is much more controversial, as "pirates" too often means everyone else. MS tried propaganda and strong-arm tactics to pass off Windows Genuine Advantage as security for users. That was an insult to our intelligence, and a lie. Worse were Sony's music CDs with the root kit. I wonder if any of the leaked info has details about that, perhaps puts names to the people who decided to make Sony's own CDs help spread viruses, including their own? With tax season around the corner, and Turbo Tax in the news again for anti-social behavior, the stunt they pulled a decade ago is worth mentioning again. Their "security" measures in their software screwed with the boot sector of their users' hard drives, risking the loss of all their users' data, in order to "protect" their software from piracy with, once again, DRM that does not work.
If you're a security expert, what do you do when you're asked to help cover something up, something that may be criminal and/or dangerous? Or, you're asked to use your knowledge to help make everyone less secure, by, for example, designing a root kit for music CDs? Blow the whistle, or follow orders? Whichever way you go could be trouble. Lose your career because no one wants to hire a whistleblower, and the government does a bad job of protecting whistleblowers, or lose your freedom when you are implicated in the cover-up and sent to prison for it? Maybe you can blow the whistle without blowing your cover. No one was sure who Deep Throat was until long after Watergate. For the example of the root kit on the music CDs, you might make a judgment call. You would understand that this is a variation of DRM that will still be ineffective, that the root kit is a clumsy idea, and that it is therefore unlikely to do much damage to the public. The outcome can only be what actually did happen, which is that the root kit was soon noticed and the only harm of significance was self-inflicted harm when Sony lost much trust and was forced to recall all the infected CDs. So, your best course of action was likely some form of CYA: documents showing that you warned management that the root kit was a very bad idea, and that you were going ahead with it only under protest. You could still be blamed and fired, of course. Maybe management will believe the root kit would have worked if not for your "treachery" in deliberately doing an incompetent job, despite any words anyone else tells them to the contrary.