What’s your cybersecurity whistleblower strategy?

It reads like a security nightmare. An employee, maybe even someone in IT, contacts a government regulator and reports major vulnerabilities in the company’s infrastructure. The employee says the company knows about the problems but has done nothing, putting people’s personal data or maybe even their physical safety at risk.

Even worse, the whistleblower claims to have been punished for complaining too much to management about the problems. An investigation ensues, forcing the company to hire attorneys and consultants, and the regulator levies a hefty fine when several accusations prove accurate. Finally, the whistleblower is given a portion of that judgement, financially rewarded for exposing their employer’s dirty laundry.

When I discuss this scenario with other security professionals, many see it as a classic case of insider threat. The fictive whistleblower is blasted as unprofessional, spiteful, a traitor even. That reaction may be understandable, but it is increasingly misinformed and dangerous. Whistleblowers will be coming to cybersecurity, and a strategy built around blaming and demonizing them will actually make things much worse.

In 2015, the Securities and Exchange Commission (SEC) settled charges that R.T. Jones Capital Equities Management violated the “safeguards rule” by not doing more to prevent a security breach that compromised the information of about 100,000 people. Even though no one appeared to be harmed, the SEC censured R.T. Jones and fined the firm $75,000. Justifying the enforcement, the SEC said,

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

The security community has not really considered whistleblower risks, which is somewhat surprising given an ongoing parade of large public breaches, and the common knowledge that many organizations do a poor job of securing their systems and data. Though there seems to be no whistleblower involvement in the R.T. Jones case, it has been a sort of catalyst. In response to lawmaker pressure to crack down on companies that fail to prevent breaches, Kara Stein, the SEC Commissioner, was quoted after the settlement saying her agency intended “...to play a much more active role in trying to help companies better protect themselves against an increasing number of cyber security issues in a world in which we are all increasingly connected.”

Effective enterprise security is not yet formally synonymous with ethical corporate behavior. When security professionals discuss ethics, the tone can be somewhat ambiguous or focused on certification requirements rather than engaging the deeper question of whether companies have an ethical duty to make security work properly. If companies have such a duty, the calculus changes. Neglecting or underfunding security is no longer just a business decision, but has ethical repercussions as well.

So maybe it should come as no surprise that regulators and other entities, like law firms, are thinking about the possibilities of cybersecurity whistleblowers. The R.T. Jones settlement was relatively small, but the fine seemed to be less important than the precedent. Reactions and interpretations from the case should be a wake-up call for security professionals, compliance officers, and organizations in general.

Attorneys, for instance, have become interested in the implications of the R.T. Jones settlement. Although no recent public breaches are known to involve whistleblower complaints, lawyers seem to smell opportunity. Some now offer to help whistleblowers expose security problems, particularly if they’ve had trouble reporting them internally. Others offer legal services for companies dealing with investigations or lawsuits. Many see the market for these services only getting bigger.

“It is only a matter of time…before we see a headline announcing that a hacked company knew about its vulnerabilities yet did nothing to protect its customers, but instead fired the whistleblower who identified and sought to fix the problem.”

The SEC regulates financial firms, and runs its own whistleblower program. But whistleblower programs also exist in the automotive industry, healthcare, and government, all sectors where security breaches have made major headlines, from Jeep hacking to medical privacy to the OPM.

Cybersecurity has remained esoteric enough to avoid direct connection to cases of corporate fraud or product liability. But embedded software and the growing Internet of things will increasingly make those distinctions weaker and less convincing. Future security stakeholders may be less able to disassociate their actions from direct consequences and personal responsibility. Could a developer be more motivated to report, believing their firm’s software product might harm or even kill someone? Might a fired CISO launch a wrongful termination suit against an employer, claiming a failure to provide adequate security resources prior to a breach? These are the dilemmas that create whistleblowers.

So what’s a rational cybersecurity whistleblower strategy? The only effective way to manage the risk is to develop a culture that actively embraces those whistleblowers. You must motivate people to report problems within the enterprise. Research shows that most whistleblowers are not disgruntled employees acting out of greed or spite, but good workers (often managers) honestly trying to fix problems they believe will cause people or the company harm. They go outside because they worry no one is listening inside or, worse, that management will “shoot the messenger” and retaliate against them.

But a cyber hotline or a beefed-up security awareness program means nothing if the organization doesn’t move quickly to fix reported problems. Ironically, the best whistleblower strategy is for the organization to truly hold itself accountable for identifying and fixing security problems. Imagine an organization where, when people pointed out bad security, senior management took action as quickly and aggressively as if someone reported accounting fraud, safety violations, or sexual harassment? What would security look like in that organization? If nothing else, it would look like a place with far fewer whistles waiting to be blown.