As I perused (translated: tried to catch up with my backlog of magazines and other never-ending periodicals) the reading material on my desk, I came across a Join the Discussion conversation in the July/August issue of CSO. The topic? Does security need whistle-blowers?
The premise of the initial comments was indecision about whether security professionals need a way to report business decisions that put PII and ePHI at risk without, of course, the danger of management retribution. The blogger who posted this, Bob Bragdon, ended his piece with:
The problem really boils down to this: If people on the inside know there is a problem that can cause "substantial harm or inconvenience" to customers if their privacy was to be breached, and the company refuses to do anything about it, isn't it in the best interests of society to have someone jump in and force the issue? Maybe. Maybe not. I'm still not sure... and then I remember that some of my financial data is probably flying around on the servers at TJX. Is yours?
Source: Join the Discussion, CSO Magazine, July/August 2008, p. 6
I think this discussion missed some fundamental issues. First, deciding whether to report company negligence is an ethical challenge, not a legal one. Regardless of the protection provided by whistle-blower laws, reporting your company to regulatory agencies or the press will damage your professional future at the offending organization. You will never be viewed in the same way by peers, managers, or those who report to you. But that cost is not unique to security; it applies whenever a company does something legally or morally wrong and an employee considers speaking up.
Employees have four choices after identifying what they believe to be company misconduct.
- They can keep quiet, hoping for the best, and forget about the problem.
- They can incessantly complain about it to management, which over time carries its own consequences.
- They can leave for other employment and then either report the problems or simply get on with their careers.
- They can stay, report the negligent or illegal behavior and weather the inevitable storm.
Which of these a person chooses is often influenced by financial obligations, family responsibilities, career goals and objectives, and many other considerations unique to that individual.
And there is one more thing to consider. Deciding which security controls to apply is not an exact science. It is based on risk assessments, management's understanding of potential business impact, and how risk-averse the company is. Decisions about what constitutes reasonable and appropriate controls are often subjective, and the security team frequently disagrees with them. Disagreement by itself, however, does not mean the company is negligent or unethical; a documented risk acceptance signed off by management is a legitimate outcome of the risk management process, even when you would have chosen a different control. One of the most important things to consider before blowing the whistle is whether the problem is the actual existence of unreasonable risk or simply a difference in perspective.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.