Whistleblowers should be given multiple reporting options
Ideally, organizations should offer multiple paths for reporting problems. Whistleblowers could, for instance, talk to their supervisors, call an anonymous hotline, address a designated ombudsman, or even notify a specialized office that has access to leadership. A system that offers plenty of options gives employees flexibility based on their comfort level and the nature of the issue. If organizations offer several avenues for reporting issues, they can increase the likelihood that employees will come forward.
To further increase that likelihood, employees can be offered regular training sessions in which they are informed about the importance of coming forward on cybersecurity issues, the ways to report wrongdoing, and the protection mechanisms they could access. Moreover, leadership should explain that it has zero tolerance for retaliation. “Swift action should be taken if any instances of retaliation come to light,” according to Empower Oversight.
The message leadership should convey is that issues are taken seriously and that C-level executives are open to conversation if the situation requires it. As Renee Guttmann, founder and principal of Cisohive and former CISO of companies like Coca-Cola, Time Warner, and Campbell, points out, “a process for escalating issues to executive leadership and the Board [should be in place] if there is a belief that issues are not being appropriately addressed through their chain of command.”
At each step, employees should be assured that the problem they disclose will be investigated thoroughly and that enough resources will be devoted to the investigation. The entire process should be transparent, with both the person who reported the issue and the organization being kept informed of the progress.
All these measures can be beneficial in the long run, and organizations that implement them should be able to address problems internally, preventing them from escalating. Many companies are slowly understanding the true importance of the process. “It takes time, but I think it’s happening, companies stop stigmatizing employees who blew the whistle,” says Delphine Halgand-Mishra, founding executive director at The Signals Network, a non-profit that provides support to whistleblowers and journalists. The organization created the Tech Worker Handbook, which explains legal concerns and issues tech workers might have before, during, and after deciding to speak out.
Cybersecurity whistleblowers can be essential for democracy
Peiter “Mudge” Zatko and Anika Collier Navaroli, who reported security, privacy, and disinformation issues related to Twitter, were “vital whistleblowers,” Gold says. “Their willingness to testify about the role of social media in facilitating unprecedented threats to democracy was courageous and vital.”
Both had to navigate a series of challenges after they blew the whistle, but their decision to come forward was a calculated one. “There’s a sentence I heard many whistleblowers say: ‘I was hoping someone else would do it, and nobody did,’” said Halgand-Mishra. “I also hear them say: ‘I just couldn’t face my own conscience.’ They know they are getting in trouble, but there’s no other way.”
The Signals Network’s founding executive director believes both governments and the private sector should do more to foster an open culture and protect whistleblowers because they are part of any “vibrant democracy.” According to Halgand-Mishra, “Whistleblowers should be embraced by society; they should be celebrated.”