Derek Brink, vice president and research fellow at Aberdeen Group, noted what every security expert says – that there is no such thing as 100 percent security – so the role of security professionals is, “to help the company manage its security-related risks to an acceptable level.”
If a company is ignoring a clear regulatory or legal directive – such as R.T. Jones’s failure to enforce the “safeguards rule” that sets standards for the protection of customer information – that would make it a relatively easy call.
But, Brink said, if it comes down to a disagreement over what level of risk management is acceptable, it is much less clear.
“The key point is that the security professionals don’t own the risk,” he said. “The business leaders own it. So it’s the job of the security professionals to advise and recommend, but it’s the job of the business leaders to decide.”
And if it comes down to a difference of opinion about the proper level of risk management, he said there is no legitimate whistle to blow.
Anton Chuvakin, research vice president, security and risk management at Gartner for Technical Professionals, agreed. A crime or clear regulatory violation is one thing, but, “in most cases, abysmal security is not a crime, so it would be hard to qualify him or her as a whistleblower,” he said.
Schwartz said any prudent organization will take cybersecurity seriously, and therefore investigate any concerns raised by employees. But he said it is important for workers to express those concerns through the chain of command first.
If there is no response, or a hostile response, “they can seek assistance through other authorities if that’s warranted, but there is no one size fits all for these types of situations.”
Katz didn’t want to make blanket statements either. For a whistleblower to be protected, the complaint would likely have to be about a failure to comply with legal or regulatory requirements, she said.
“In addition to the SEC, the FCC (Federal Communications Commission) and the FTC (Federal Trade Commission) are also enforcing lax cybersecurity standards,” she said, adding that, “there may be parts of the recent Cybersecurity Information Sharing Act (CISA) on which whistleblowers can rely.”
But broadly speaking, she said, what qualifies as a legitimate complaint by a cybersecurity whistleblower, “is still being sorted out.”
It would seem obvious that the way for organizations to avoid all this potential trouble is to take cybersecurity seriously.
But security initiatives can be complicated and expensive, and in a hypercompetitive world where it is crucial to limit expenses, that is not always the case.
It should be, however, according to Rich Mogull, who is both analyst and CEO at Securosis. He is blunt about it. “If a problem is reported you fix it. Full stop,” he said. “That’s how security needs to be handled. If someone had to go around supervisors to get something taken care of, then it’s time for a deeper investigation into what went wrong and why someone had to blow a whistle to get an issue resolved, vs. handling it through normal channels.”