It is not a public problem yet. But according to multiple experts, it will be.

“It” is the cybersecurity whistleblower – an employee who sees a flaw, or flaws, in his or her company’s network security, brings the problem to management but gets ignored or punished – marginalized, harassed, demoted or even fired.

And then the worker either goes public or files a complaint with a federal regulatory agency like the Securities and Exchange Commission (SEC).

Such a scenario is unlikely to end well – almost certainly for the company (if the complaint is credible) and perhaps even for the whistleblower, notwithstanding laws meant to protect them.

The company could face fines and other regulatory actions. The employee, who in some cases could be rewarded (the SEC offers 10 percent to 30 percent of a settlement of more than $1 million to “qualifying” whistleblowers), still might find it damaging to a career.

“Think about it. If you were someone classified as a whistleblower, it would label you unemployable,” said one expert who declined to speak for attribution.

Another expert, who also declined to speak for attribution, said when he refused to certify that his previous employer was meeting a certain security standard, “I got warned, and eventually resigned. It became a hostile work environment.”

He has never spoken about it to regulators or other outside authorities either.

Eddie Schwartz, international vice president of ISACA and president of WhiteOps, said he knows of a case where a nation-state hack occurred and an employee reported it to his superiors.

“He was told to mind his business and that the organization was dealing with it. It wasn’t, and when he reported it to authorities, he was essentially fired for it,” Schwartz said.

So the predicted increase in cybersecurity whistleblower cases is somewhat speculative at the moment, in part due to secrecy. There are no public cases involving them on record so far, even though most businesses have had an online presence for two decades or even longer.

They do exist, according to Debra Katz, a founding partner at Katz, Marshall & Banks. She said her firm has represented about a dozen such whistleblowers, but those cases were “settled in the pre-litigation stage and contain robust confidentiality provisions.” In other words, they are not public.

A second reason for a lack of clarity is that it remains a relatively new legal field. “All federal agencies – not just the SEC – are playing catch-up to align their policies with the seriousness of cybersecurity threats,” Katz said.

That means there is not much legal history, precedent or even laws that specifically address cybersecurity whistleblowers.

While there are nearly two dozen laws in various states that provide protection for whistleblowers in areas ranging from asbestos to drinking water, solid waste, railroads, motor vehicles, shipping containers, pipelines, aviation, consumer products, hazardous waste, food, drugs and more, there is nothing on the books that provides specific protection for those involved with cybersecurity.

Still, attorneys like Katz, who specialize in whistleblower cases, say top management in organizations may need to play catch-up as well, since such cases could lead to damaging breaches or an investigation by a regulatory agency – or both.

And while legal protections may not be explicit for cybersecurity whistleblowers, they exist by implication, experts say. Lance Hayden, managing director at the Berkeley Research Group and a CSO contributor, is one of several who have cited a settlement last September between the SEC and R.T. Jones Capital Equities Management over charges that the firm’s violation of the “safeguards rule” led to a breach that compromised the information of about 100,000 people.

While the firm did not have to admit to the charges, it agreed to a censure by the SEC and to pay a $75,000 fine.

There was no documented evidence of whistleblower involvement in the case, but Hayden wrote that it became “a sort of catalyst” for the SEC to focus on cybersecurity.

He quoted SEC Commissioner Kara Stein saying after the R.T. Jones settlement that the agency intends “...to play a much more active role in trying to help companies better protect themselves against an increasing number of cyber security issues …”

Dallas Hammer, an attorney with Zuckerman Law, writing for the National Law Review, said the R.T. Jones case indicates that “cybersecurity issues have become a key enforcement priority for the SEC,” which means that, “in turn, whistleblower tips that touch on cybersecurity may receive additional scrutiny.”

And Katz wrote last fall that “for public companies and other entities regulated by the Securities and Exchange Commission, mismanagement of their cybersecurity could violate securities laws.”

She noted that the Dodd-Frank Act established an SEC Whistleblower Program that, while it does not specifically address cybersecurity, could still lead to an enforcement action if a company fails to meet its compliance requirements.

But those implications come with qualifications – both Hammer and Katz tempered their conclusions with words like “may” and “could” rather than “will.”

Ariel Silverstone, a consulting chief security and privacy officer, doesn’t think the qualifications are necessary. Since the SEC’s whistleblower program language doesn’t exclude cybersecurity, it is therefore included, he said.

Still, all those involved say it is impossible to make blanket statements about the topic, since it is not a simple, black-and-white issue.

Derek Brink, vice president and research fellow at Aberdeen Group, noted what every security expert says – that there is no such thing as 100 percent security – so the role of security professionals is “to help the company manage its security-related risks to an acceptable level.”

If a company is ignoring a clear regulatory or legal directive – such as R.T. Jones’s failure to enforce the “safeguards rule” that sets standards for the protection of customer information – that would make it a relatively easy call.

But, Brink said, if it comes down to a disagreement over what level of risk management is acceptable, it is much less clear.

“The key point is that the security professionals don’t own the risk,” he said. “The business leaders own it. So it’s the job of the security professionals to advise and recommend, but it’s the job of the business leaders to decide.”

And if it comes down to a difference of opinion about the proper level of risk management, he said there is no legitimate whistle to blow.

Anton Chuvakin, research vice president, security and risk management at Gartner for Technical Professionals, agreed. A crime or clear regulatory violation is one thing, but “in most cases, abysmal security is not a crime, so it would be hard to qualify him or her as a whistleblower,” he said.

Schwartz said any prudent organization will take cybersecurity seriously, and therefore investigate any concerns raised by employees. But he said it is important for workers to express those concerns through the chain of command first.

If there is no response, or a hostile response, “they can seek assistance through other authorities if that’s warranted, but there is no one size fits all for these types of situations.”

Katz didn’t want to make blanket statements either. For a whistleblower to be protected, the complaint would likely have to be about a failure to comply with legal or regulatory requirements, she said.

“In addition to the SEC, the FCC (Federal Communications Commission) and the FTC (Federal Trade Commission) are also enforcing lax cybersecurity standards,” she said, adding that “there may be parts of the recent Cybersecurity Information Sharing Act (CISA) on which whistleblowers can rely.”

But broadly speaking, she said, what qualifies as a legitimate complaint by a cybersecurity whistleblower “is still being sorted out.”

It would seem obvious that the way for organizations to avoid all this potential trouble is to take cybersecurity seriously.

But security initiatives can be complicated and expensive, and in a hypercompetitive world where it is crucial to limit expenses, that is not always the case.

It should be, however, according to Rich Mogull, who is both analyst and CEO at Securosis. He is blunt about it. “If a problem is reported you fix it. Full stop,” he said. “That’s how security needs to be handled. If someone had to go around supervisors to get something taken care of, then it’s time for a deeper investigation into what went wrong and why someone had to blow a whistle to get an issue resolved, vs. handling it through normal channels.”

Silverstone said he encourages employees to report any perceived flaws in security, in the same way they should report safety or harassment. He said he even makes it part of an employee policy handbook. “I encourage them to be adamant about it,” he said, adding that in his experience, virtually all those who brought concerns to him were well intentioned.

“There are very few who abuse the system,” he said. “I only remember one person who wasn’t telling the truth.”

Still, for those who don't work for the government or who lack union protections, going outside management to blow the whistle on a security problem is risky, even if a complaint is upheld.

Stronger laws might help, said the anonymous expert who resigned rather than falsely certify compliance, and didn’t blow the whistle. “Our economy is built in such a way that the employer has the upper hand. Nothing good will come of it,” he said.