Should the CISO protect the organization against whistleblowers?


CIO/CISO in Healthcare and Biotech, 11 - 50 employees
Not without guidance from your legal department. There are serious legal and regulatory considerations specifically against whistleblower backlash that can incur serious penalties. This is really a legal question, not a CISO-driven decision.
CISO in Software, 501 - 1,000 employees
I think CISOs should create a culture where it's not whistle-blowing, it's just reporting security events.

CISO in Healthcare and Biotech, 2 - 10 employees
No, rather the culture of the organization should be one that actively supports the reporting and corrective response to items that, without positive action, would result in whistleblowing activity. If the reported issues touch security, they should be brought to the CISO for review, and changes made to either reduce or eliminate that risk to the company, the brand, and the people involved.
CISO in Software, 201 - 500 employees
I agree with ... it's more about the culture than the repercussions. When reporting security incidents is associated with the positive stroke of making the organization more secure, the act of reporting is rewarded when appropriate action is taken. It makes the company as a whole more secure. It works better in the long term. What is essential is to establish formal, well-defined reporting mechanisms that maintain anonymity (if required) and enable corrective action.
CISO in Finance (non-banking), 10,001+ employees
Actually not, and it depends on the incident which is impacting the organization; ideally, controlling or responding to this part lies with the Human Resources teams and the Legal and Compliance teams of the organization when it comes to addressing incidents or events which are not information security related. In most regulated organizations, whistleblower committees are being formed to tackle this matter, with members including Business heads, Control function heads and Department heads, including CISOs.

However, when it comes to reporting any security incidents or business frauds that occur because of Information or Cyber Security glitches, then the CISO's role comes into the picture to safeguard the organization's information from breach and other related matters. Security incidents must be treated like incidents, not as whistleblower incidents, as reporting security incidents to the concerned authority is everyone's responsibility, including internal and external users.
Vice President Information Technology in Finance (non-banking), 201 - 500 employees
No, the CISO should create an environment where security incidents and corrective actions are reported on a timely basis.
