As a CISO or cybersecurity leader, are there special considerations or concerns when adapting the need to be a whistleblower?
Appreciative of the common guidance here that cybersecurity leaders need to be especially thorough when it comes to leaping forward to whistleblower claims. This seems to present a double-edged sword for cybersecurity leaders especially - in a sense, "with greater access to secure information comes greater responsibility to document and exhaust all options..."
Aside from Harry pointing out what's being hurled at Peiter Zatko - Joe Sullivan (fmr. Uber, Chief of Security) is in the news as being the first to be held *personally* responsible for an alleged data breach... at the very least, personal legal bills should then be a concern for security chiefs... if you're going to do what's right - make sure it is!
Have to just follow the process and report. Have to take the hat off as a CISO or cybersecurity leader, think as an employee at that time, and do what is right!
I fully agree with the remarks made by Harry Long about being extremely thorough and exhausting all options before making the step of becoming a whistleblower. In my mind, the level of intimacy that a CISO will have to develop with her / his organization makes it extremely difficult to ever cross that line.
On the positive side, I'd like to think that the same position will grant unique access to the people who are in a position to make changes, whether these are colleagues in upper management or even members of the board.
This is a pretty powerful position a CISO has, and I would be hard-pressed to come up with examples where additional external help is needed.
Nothing is impossible, but the bar is very high!
As the cybersecurity leader you have a responsibility to report, and often not just report but also respond to cybersecurity concerns. As a member of the leadership and management you should always first follow the established channels (as well as official policies, procedures and processes) for reporting problems up the chain. Only once you've done so should you consider becoming a whistleblower. If you decide that you need to become a whistleblower, you should recognize that, though organizational whistleblower policies may provide for anonymity (at least initially) as well as protection from retaliation, you should make certain that everything you do is now beyond reproach; but even so, this may still be the end of your position, as the organization may still be able to find grounds to terminate or re-assign you.
If you decide to become a whistleblower, make certain that you are on solid legal and policy grounds, that you have a legitimate issue to become a whistleblower regarding, and that you have collected solid evidence which proves your case.
Don't quit your job except as a last resort.
Also, be aware that after you leave the organization (either willingly or not) you may face condemnation by those who feel that you should have made a bigger effort to raise the issue while you were still in the organization and position. Some may feel that you are now being opportunistic and/or looking for the whistleblower's financial reward.
Several of these (and other...) types of slights have been hurled at Peiter "Mudge" Zatko, the former head of Security at Twitter, recently by some, but these appear antithetical to Zatko's well-known honesty and ethics.
I have a commitment to report anything out of the ordinary, especially if it's something illegal.