Cybersecurity whistleblowers: Get ready for more

It is not a comfortable topic – virtually all cases involving a cybersecurity whistleblower have ended with a confidential settlement. But experts, and lawyers, say that in an increasingly connected world, those cases are bound to increase


And Katz wrote last fall that, “for public companies and other entities regulated by the Securities and Exchange Commission, mismanagement of their cybersecurity could violate securities laws.”

She noted that the Dodd-Frank Act established an SEC Whistleblower Program that, while it does not specifically address cybersecurity, could still lead to an enforcement action if a company fails to meet its compliance requirements.

But those implications come with qualifications – both Hammer and Katz tempered their conclusions with words like “may” and “could” rather than “will.”

Ariel Silverstone, a consulting chief security and privacy officer, doesn’t think the qualifications are necessary. Since the SEC’s whistleblower program language doesn’t exclude cybersecurity, it is included, he said.

Still, all those involved say it is impossible to make blanket statements about the topic since it is not a simple, black-and-white issue.

Derek Brink, vice president and research fellow at Aberdeen Group, noted what every security expert says – that there is no such thing as 100 percent security – so the role of security professionals is, “to help the company manage its security-related risks to an acceptable level.”

If a company is ignoring a clear regulatory or legal directive – such as R.T. Jones’s failure to enforce the “safeguards rule” that sets standards for the protection of customer information – that would make it a relatively easy call.

But, Brink said, if it comes down to a disagreement over what level of risk management is acceptable, it is much less clear.

“The key point is that the security professionals don’t own the risk,” he said. “The business leaders own it. So it’s the job of the security professionals to advise and recommend, but it’s the job of the business leaders to decide.”

And if it comes down to a difference of opinion about the proper level of risk management, he said there is no legitimate whistle to blow.

Anton Chuvakin, research vice president, security and risk management at Gartner for Technical Professionals, agreed. A crime or clear regulatory violation is one thing, but, “in most cases, abysmal security is not a crime, so it would be hard to qualify him or her as a whistleblower,” he said.

Schwartz said any prudent organization will take cybersecurity seriously, and therefore investigate any concerns raised by employees. But he said it is important for workers to express those concerns through the chain of command first.

If there is no response, or a hostile response, “they can seek assistance through other authorities if that’s warranted, but there is no one size fits all for these types of situations.”

Katz didn’t want to make blanket statements either. For a whistleblower to be protected, the complaint would likely have to be about a failure to comply with legal or regulatory requirements, she said.

“In addition to the SEC, the FCC (Federal Communications Commission) and the FTC (Federal Trade Commission) are also enforcing lax cybersecurity standards,” she said, adding that, “there may be parts of the recent Cybersecurity Information Sharing Act (CISA) on which whistleblowers can rely.”

But broadly speaking, she said, what qualifies as a legitimate complaint by a cybersecurity whistleblower, “is still being sorted out.”

It would seem obvious that the way for organizations to avoid all this potential trouble is to take cybersecurity seriously.

But security initiatives can be complicated and expensive, and in a hypercompetitive world where it is crucial to limit expenses, that is not always the case.

It should be, however, according to Rich Mogull, who is both analyst and CEO at Securosis. He is blunt about it. “If a problem is reported you fix it. Full stop,” he said. “That’s how security needs to be handled. If someone had to go around supervisors to get something taken care of, then it’s time for a deeper investigation into what went wrong and why someone had to blow a whistle to get an issue resolved, vs. handling it through normal channels.”

Silverstone said he encourages employees to report any perceived flaws in security, in the same way they should report safety or harassment. He said he even makes it part of an employee policy handbook. “I encourage them to be adamant about it,” he said, adding that in his experience, virtually all those who brought concerns to him were well intentioned.

“There are very few who abuse the system,” he said. “I only remember one person who wasn’t telling the truth.”

Still, for those who don't work for the government or don't have union protections, going outside management to blow the whistle on a security problem is risky, even if the complaint is upheld.

Stronger laws might help, said the anonymous expert who resigned rather than falsely certify compliance, and didn’t blow the whistle. “Our economy is built in such a way that the employer has the upper hand. Nothing good will come of it,” he said.

This story, "Cybersecurity whistleblowers: Get ready for more" was originally published by CSO.


Copyright © 2016 IDG Communications, Inc.
