A very insightful article in Security Week explains the rise of cybersecurity whistleblowers and why corporations would be wise to welcome them with open arms.  It may seem counterintuitive to embrace what many so readily dismiss as rabble-rousers or disgruntled employees getting in the way of business.

But the higher truth, as the most experienced compliance professionals can attest, is that whistleblowers provide a critical early-warning system.  They shine a much-needed light on corporate misbehavior which if not addressed promptly can land a company in a whole lot of trouble.

The Security Week piece points to several recent high-profile cybersecurity whistleblower matters to “confirm the arrival of whistleblowing to cybersecurity.”  They include the now famous whistleblowers at Twitter (Peiter Mudge Zatko) and Facebook (Frances Haugen).

They also include the less high-profile individuals who filed lawsuits under the False Claims Act.  One against Aerojet Rocketdyne, an advanced propulsion and energetics systems developer; and the other against Penn State’s Applied Research Laboratory.  The False Claims Act allows whistleblowers to bring lawsuits on behalf of the government against those committing fraud against the government.  In return, they are entitled to up to 30% of any government recovery.

Aerojet paid $9 million to settle charges it violated the Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.  Brian Markus, the former Aerojet employee who brought the action recovered $2.6 million from the settlement.  The Penn State matter is still pending.  Former Penn State Applied Research Lab CIO Matthew Decker brought the action, which also charges the institution with failing to abide by certain cybersecurity requirements in its government contracts.

According to Security Week, what is clear from all this “is that whistleblowing has come to cybersecurity [and] will not go away.”  One of the big reasons the article points to is the significant financial incentives that are available for those who bring these kinds of violations forward.

The False Claims Act is not the only vehicle for whistleblowers to secure rewards.  The SEC and CFTC also have prominent whistleblower rewards programs where individuals who voluntarily bring information to the government can also share in any resulting government recovery.  And these agencies have identified cybersecurity transgressions as a top priority.  The SEC program has been especially prolific, doling out hundreds of millions of dollars in whistleblower awards over the past few years alone.

Given this powerful incentive to expose the ever-increasing array of cybersecurity violations, the big question for companies today is how to deal with whistleblowers when they inevitably come forward.  As the Security Week article goes on to explain, the obvious answer is to resist every temptation to fight them; and make use of them instead: “Rather than castigating potential whistleblowers, the valid worries of concerned employees should be encouraged, heard, and acknowledged internally.”

The article quotes from several cybersecurity professionals for backup.

Claude Mandy, Data Security Chief at Symmetry Systems: “It is an injustice to think of whistleblowers with valid complaints and concerns about cybersecurity issues as a threat. Ensuring that potential whistleblowers have a means for raising anonymous cybersecurity concerns to an independent body, without fear of repercussion, plays an essential role in corporate governance of an organization and reducing the surprise factor.”
Igor Volovich, VP of Compliance at Qmulos: “A whistleblower is a canary in the mine. They are critical.  They are essential for the continued safe operation of the mine.”
Alex Janas, Field CTO, Security at Commvault: “For many reasons, over time, organizations sometimes get loose with their interpretation of the rules. Whistleblowers keep things honest.”
Anderson Lunsford, CEO and founder at BreachRx: “Bottom line, the potential impact from whistleblowers has increased dramatically with the SEC rules, and companies are not yet treating whistleblowers with the same level of attention they do with other threats. That’s a big mistake.”

Having worked with and represented dozens of whistleblowers over the past decade, we can confirm the warm embrace over the cold rebuff is the best way to deal with whistleblowers.  Virtually all our clients came to us only after raising their concerns internally within the company first.  Only after they were silenced, fired, or otherwise retaliated against did they feel they needed to escalate their concerns outside the company.

No doubt if the companies had listened to and addressed the issues these whistleblowers had raised, they would never have needed our assistance.  And the companies likely would have avoided all the trouble that followed — lawsuits, government investigations, monetary fines, public relations fiascos, and so on.

The Security Week article succinctly sums up the ultimate takeaway in all this:

Organizations must accept that whistleblowers exist and are here to stay.  But they are symptoms of problems within the organization.  Ignore them, and the problems will grow until they explode.  But listening to issues and — more importantly — responding quickly, positively, and sympathetically will limit the blast radius and ensure you have the most secure and compliant infrastructure possible.

A very simple lesson to be learned.  Companies and their compliance professional would be wise to heed it.

For employees of companies that choose not to, feel free to contact us to speak with a member of the Constantine Cannon whistleblower team.  If you have information on cybersecurity fraud or other fraud or misconduct, we can explain what your options are outside the company when you are given a deaf ear (or worse) inside the company.

Read More

Government Contract Fraud
False Claims Act
Whistleblower FAQs
I Think I Have a Whistleblower Case
Contact Us Confidentially

Read Why Cybersecurity Whistleblowers Should Be Treated as Friends, Not Foes at constantinecannon.com