“If You See Something, Say Something®” is the tagline for a national campaign, but it has also become an unofficial motto for values-driven employees dedicated to facilitating an ethical culture at their organizations who are unafraid to blow the whistle on corporate actions that go against it. Whistleblowers in the past took down giants (Enron, WorldCom), forced transparency (Abbott Laboratories’ baby formula fiasco), and led to positive policy change (the FAA post-Boeing). Today, whistleblowers take on their organization’s commitment (or lack thereof) to security, privacy, and ethics. They don’t seek anonymity as often and are not afraid to go out with a bang.
In my recently published report, Protect Whistleblowers For Business Success, I explore the role of whistleblowers as an essential safety valve and a mechanism for healthy corporate governance. Here are the three things that security and risk pros need to know about this new breed of whistleblower.
No. 1: When You Hire Employees For Values Alignment, Expect To Get What You Pay For.
Last year, we blogged about Peiter “Mudge” Zatko, Twitter’s former head of security turned SEC whistleblower after being dismissed and fired when he attempted to flag Twitter’s security concerns to the board. But Mudge is not the only one. As CISOs gain prominence within their organization, their role evolves from just protecting technology to protecting the brand, employees, and customers. And new regulations such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and the SEC’s four-day mandatory disclosure of material cyber incidents puts pressure on security pros who see something to say something. Unsurprisingly, a recent Splunk survey finds that 82% of CISOs would consider becoming a whistleblower if their organization was willfully ignoring security best practices and compliance mandates that put the business at risk.
No. 2: Whistleblowers Will Find Your Weakness So You Can Fix It BEFORE It Makes Headlines.
Videogame development company Activision Blizzard could have avoided paying the SEC $35 million for its failure to properly collect and review employee complaints about workplace misconduct. Perhaps if Theranos’ executives and board had listened to concerns of Erika Cheung, scientist turned whistleblower, they wouldn’t have watched their $4.5 billion company collapse, their CEO end up imprisoned, and the story become the subject of a Netflix docudrama.
No. 3: These Are Not “Disgruntled, Low-Level” Employees, And They Have Receipts.
The misconception that whistleblowers are low-level, disgruntled employees looking to profit from exposing and exploiting an uncomfortable situation is just false and dangerous. Studies suggest that whistleblowers tend to be more tenured, earn a higher salary, and have a higher education level than average employees. Susan Fowler, former Uber engineer, had the rank and access to internal documents and information to prove her claim and then wrote a memoir about it. When Frances Haugen, a former Facebook data scientist, disclosed on national television and to Congress that the company prized growth and profits over combating hate speech, misinformation, and mental health of teenage users, she had the receipts — thousands of them.
Make Whistleblowers Your Risk-Management Secret Weapon
Ignoring whistleblowers is costly and bad for business; listening to them gives your risk management strategy a boost. It’s time that companies change the negative connotations and social stigma associated with whistleblowers and rebrand them as a critical part of your governance framework. For more information on why and how to protect whistleblowers, schedule an inquiry or guidance session with me.
(written with Kaylee Mahoney, research associate at Forrester)