What’s your cybersecurity whistleblower strategy?

Jan 05, 2016

Compliance | Data Breach | Government

Regulators and attorneys are growing more interested in cybersecurity accountability. One likely outcome of this interest is an increase in cybersecurity whistleblower cases. This means every organization needs to rethink how to handle internal and external security problem reporting.


It reads like a security nightmare. An employee, maybe even someone in IT, contacts a government regulator and reports major vulnerabilities in the company’s infrastructure. The employee says the company knows about the problems but has done nothing, putting people’s personal data or maybe even their physical safety at risk.

Even worse, the whistleblower claims to have been punished for complaining too much to management about the problems. An investigation ensues, forcing the company to hire attorneys and consultants, and the regulator levies a hefty fine when several of the accusations prove accurate. Finally, the whistleblower is awarded a portion of that judgment, financially rewarded for exposing their employer’s dirty laundry.

When I discuss this scenario with other security professionals, many see it as a classic case of insider threat. The fictional whistleblower is blasted as unprofessional, spiteful, even a traitor. That reaction may be understandable, but it is increasingly misinformed and dangerous. Whistleblowers will be coming to cybersecurity, and a strategy built around blaming and demonizing them will only make things worse.

In 2015, the Securities and Exchange Commission (SEC) settled charges that R.T. Jones Capital Equities Management violated the “safeguards rule” by not doing more to prevent a security breach that compromised the information of about 100,000 people. Even though no one appeared to be harmed, the SEC censured R.T. Jones and fined the firm $75,000. Justifying the enforcement, the SEC said,

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

The security community has not really considered whistleblower risks, which is somewhat surprising given the ongoing parade of large public breaches and the common knowledge that many organizations do a poor job of securing their systems and data. Though there appears to have been no whistleblower involvement in the R.T. Jones case, it has acted as a sort of catalyst. In response to lawmaker pressure to crack down on companies that fail to prevent breaches, SEC Commissioner Kara Stein was quoted after the settlement saying her agency intended to “play a much more active role in trying to help companies better protect themselves against an increasing number of cyber security issues in a world in which we are all increasingly connected.”

Effective enterprise security is not yet formally synonymous with ethical corporate behavior. When security professionals discuss ethics, the tone can be somewhat ambiguous or focused on certification requirements rather than engaging the deeper question of whether companies have an ethical duty to make security work properly. If companies have such a duty, the calculus changes. Neglecting or underfunding security is no longer just a business decision, but has ethical repercussions as well.

So maybe it should come as no surprise that regulators and other entities, like law firms, are thinking about the possibilities of cybersecurity whistleblowers. The R.T. Jones settlement was relatively small, but the fine seemed to be less important than the precedent. Reactions and interpretations from the case should be a wake-up call for security professionals, compliance officers, and organizations in general.

Attorneys, for instance, have become interested in the implications of the R.T. Jones settlement. Although no recent public breaches are known to involve whistleblower complaints, lawyers seem to smell opportunity. Some now offer to help whistleblowers expose security problems, particularly if they’ve had trouble reporting them internally. Others offer legal services for companies dealing with investigations or lawsuits. Many see the market for these services only getting bigger.

“It is only a matter of time…before we see a headline announcing that a hacked company knew about its vulnerabilities yet did nothing to protect its customers, but instead fired the whistleblower who identified and sought to fix the problem.”

The SEC regulates financial firms and runs its own whistleblower program. But whistleblower programs also exist in the automotive industry, healthcare, and government, all sectors where security breaches have made major headlines, from Jeep hacking to medical privacy to the OPM breach.

Cybersecurity has remained esoteric enough to avoid direct connection to cases of corporate fraud or product liability. But embedded software and the growing Internet of things will increasingly make those distinctions weaker and less convincing. Future security stakeholders may be less able to disassociate their actions from direct consequences and personal responsibility. Could a developer be more motivated to report, believing their firm’s software product might harm or even kill someone? Might a fired CISO launch a wrongful termination suit against an employer, claiming a failure to provide adequate security resources prior to a breach? These are the dilemmas that create whistleblowers.

So what’s a rational cybersecurity whistleblower strategy? The only effective way to manage the risk is to develop a culture that actively embraces those whistleblowers. You must motivate people to report problems within the enterprise. Research shows that most whistleblowers are not disgruntled employees acting out of greed or spite, but good workers (often managers) honestly trying to fix problems they believe will cause people or the company harm. They go outside because they worry no one is listening inside or, worse, that management will “shoot the messenger” and retaliate against them.

But a cyber hotline or a beefed-up security awareness program means nothing if the organization doesn’t move quickly to fix reported problems. Ironically, the best whistleblower strategy is for the organization to truly hold itself accountable for identifying and fixing security problems. Imagine an organization where, when people pointed out bad security, senior management took action as quickly and aggressively as if someone had reported accounting fraud, safety violations, or sexual harassment. What would security look like in that organization? If nothing else, it would look like a place with far fewer whistles waiting to be blown.


Dr. Lance Hayden, the Chief Privacy and Security Officer for ePatientFinder, is also an author, speaker, and researcher with over 25 years’ experience in the field of information security. A leading expert on security behavior and culture, Dr. Hayden is the author of People-Centric Security: Transforming Your Enterprise Security Culture and IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data.

Dr. Hayden began his career as a human intelligence (HUMINT) officer with the CIA, which contributed to a philosophy emphasizing human behavior, organizational psychology, and strategic leadership as central to a successful InfoSec program. Dr. Hayden's career includes security roles at KPMG, FedEx, Cisco, and the Berkeley Research Group before joining ePatientFinder, where he has executive responsibility for all enterprise data protection and security-related regulatory compliance.

Dr. Hayden received his Ph.D. in Information Science from the University of Texas at Austin. As a professor at the UT iSchool, Dr. Hayden develops and teaches graduate and undergraduate courses on subjects including information security, privacy, surveillance and the intelligence community. His industry credentials include CISSP, CISM, CRISC and ISO 27001 Certified Lead Auditor certifications.

The opinions expressed in this blog are those of Lance Hayden and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.