But even AdLeaks isn't a foolproof solution. For one thing, because it leaks only a small piece of information each time, the process may take weeks to complete. And because AdLeaks is a research project, the system is still considered part of an experimental research product line. Professor Volker Roth of Freie Universität (Free University) in Berlin, who is spearheading the project, says, "We cannot guarantee the security of any submissions, and we do not have the organization to handle whatever would be submitted to us."
Joining the executive ranks
As whistleblowing technologies continue to multiply and mature, Ponemon says there's an attitudinal change afoot in IT departments that could spur greater openness among technology professionals. "People who work in the security trenches or in IT who are not supervisory level or above often feel as if no one is going to listen to them even if they do see a problem," he says.
It's a difficulty that Walton says she faced when she was a database administrator. "Between the business and the IT department, there was just a real kind of disconnect on the severity of the [data security] issue," she recalls. "That can happen a lot in business.... A CIO has to be very good at explaining the technical side and the risks. That's what was missing all those years ago."
But that's changing as the role of a technology professional is slowly being redefined in the face of growing responsibility. For example, "more chief security officers are being elevated to a higher level," says Ponemon. "Companies want a person not to just be a technician but to be part of the governance solution. They want people to own the responsibility and accountability, which basically gives the CSO more power."
Greater purpose, more processes
With greater power comes the need for more formal processes that identify the steps IT professionals should take when they detect misconduct. Consider, for example, the recent controversy surrounding the U.S. Department of Veterans Affairs. Whistleblowers have stepped forward accusing the department of tweaking computer systems to make it appear that veterans waiting weeks for medical appointments had no wait time at all.
"The issue for IT folks is what do they do?" says Lewis. "Do they go and tell their boss that the software is under-reporting waits? Absolutely -- that would be a responsible thing to do. But what if their boss says, 'Don't tell me about it, I don't want to know.' What do they do then? That's where you have to make one of these decisions about how much stress you want in your life. It might work out really well, but you are taking a risk."