As a CISO or cybersecurity leader, are there special considerations or concerns when adapting the need to be a whistleblower?


Principal Information Security Officer in Education, 10,001+ employees
As the cybersecurity leader you have a responsibility to report, and often not just report but also respond to cybersecurity concerns. As a member of the leadership and management you should always first follow the established channels (as well as official policies, procedures and processes) for reporting problems up the chain. Only once you've done so should you consider becoming a whistleblower. If you decide that you need to become a whistleblower you should recognize that though organizational whistleblower policies may provide for anonymity (at least initially) as well as protection from retaliation, you should make certain that everything you do is now beyond reproach; but even so this may still be the end of your position, as the organization may still be able to find grounds to terminate or re-assign you.

If you decide to become a whistleblower make certain that you are on solid legal and policy grounds, that you have a legitimate issue to become a whistleblower regarding and that you have collected solid evidence which proves your case.

Don't quit your job except as a last resort.  

Also, be aware that after you leave the organization (either willingly or not) you may face condemnation by those who feel that you should have made a bigger effort to raise the issue while you were still in the organization and position.    Some may feel that you are now being opportunistic and/or looking for the whistleblower's financial reward.   

Several of these (and other ...) types of slights have been hurled at Peiter "Mudge" Zatko, the former head of Security at Twitter, recently by some, but these appear antithetical to Zatko's well-known honesty and ethics.

Director of Information Security in Manufacturing, 1,001 - 5,000 employees
I fully agree with the remarks made by Harry Long about being extremely thorough and exhausting all options before making the step of becoming a whistle-blower. In my mind, the level of intimacy that a CISO will have to develop with her / his organization makes it extremely difficult to ever cross that line.
On the positive side, I'd like to think that the same position will grant unique access to the people who are in a position to make changes, whether these are colleagues in upper management or even members of the board.
This is a pretty powerful position a CISO has, and I would be hard-pressed to come up with examples where additional external help is needed.
Nothing is impossible, but the bar is very high!  
Director, Strategic Security Initiatives in Software, 10,001+ employees
Have to just follow the process and report. Have to take the hat off as a CISO or cybersecurity leader, and think as an employee at that time and do what is right!
Community User in Services (non-Government), 10,001+ employees
Appreciative of the common guidance here that cybersecurity leaders need to be especially thorough when it comes to leaping forward to whistleblower claims. This seems to present a double-edged sword for cybersecurity leaders especially - in a sense "with greater access to secure information, comes greater responsibility to document and exhaust all options..."

Aside from Harry pointing out what's being hurled at Peiter Zatko, Joe Sullivan (fmr. Uber, Chief of Security) is in the news as being the first to be held *personally* responsible for an alleged data breach... at the very least personal legal bills should then be a concern for security chiefs... if you're going to do what's right - make sure it is!
Director, Information Security Engineering and Operations in Manufacturing, 5,001 - 10,000 employees
I have a commitment to report anything out of the ordinary, especially if it's something illegal. 
CISO in Education, 5,001 - 10,000 employees
I think that the considerations are identical regardless of the role/position of the whistleblower themselves. Whether you’re an administrative assistant or the VP, there are always sensitivities and ethics that must be addressed. Your organization should have a defined path for whistleblowers, so that you don’t have to put employees in the very difficult position trying to figure out how to do so anonymously, or without fear of retribution.
If your organization is conducting business in a legal and ethical manner, you should be ENCOURAGING employees to be whistleblowers if they feel it’s necessary. This empowers the (quality) employees to take some ownership in their own processes, and discourages fraudsters. (Which then increases morale, which increases production, increases profits, reduces employee churn rate, reduces liabilities due to fraud….)
The organization should have very specific policies drafted and reviewed - by lawyers or ethics officials - that can be disseminated among employees and that lay out the hows, whens, whys and methods to do so.
