Blowing the whistle without blowing your career

How techies can bring data mishandling and abuses to light without putting their careers in jeopardy.

Joining the executive ranks

As whistleblowing technologies continue to multiply and mature, Ponemon says there's an attitudinal change afoot in IT departments that could spur greater openness among technology professionals. "People who work in the security trenches or in IT who are not supervisory level or above often feel as if no one is going to listen to them even if they do see a problem," he says.

It's a difficulty that Walton says she faced when she was a database administrator. "Between the business and the IT department, there was just a real kind of disconnect on the severity of the [data security] issue," she recalls. "That can happen a lot in business.... A CIO has to be very good at explaining the technical side and the risks. That's what was missing all those years ago."

But that's changing as the role of a technology professional is slowly being redefined in the face of growing responsibility. For example, "more chief security officers are being elevated to a higher level," says Ponemon. "Companies want a person not to just be a technician but to be part of the governance solution. They want people to own the responsibility and accountability, which basically gives the CSO more power."

Greater purpose, more processes

With greater power comes the need for more formal processes that identify the steps IT professionals should take when they detect misconduct. Consider, for example, the recent controversy surrounding the U.S. Department of Veterans Affairs. Whistleblowers have stepped forward accusing the department of tweaking computer systems to make it appear that veterans waiting weeks for medical appointments had no wait time at all.

Would-be whistleblowers face a tough decision if the boss says, "Don't tell me about it, I don't want to know," says James Lewis, director and senior fellow of the Strategic Technologies Program at the Center for Strategic and International Studies.

"The issue for IT folks is what do they do?" says Lewis. "Do they go and tell their boss that the software is under-reporting waits? Absolutely -- that would be a responsible thing to do. But what if their boss says, 'Don't tell me about it, I don't want to know.' What do they do then? That's where you have to make one of these decisions about how much stress you want in your life. It might work out really well, but you are taking a risk."

To minimize such risks, Ahmed says more IT professionals need to step up and participate in efforts to establish whistleblowing policies. "Oftentimes the whistleblower program is considered a legal general counsel area," he says. But that's a mistake. "A technology group can play a very important role in helping design a whistleblower program and in analyzing the type of reports that are coming in, particularly as they relate to topics of information security."

For instance, Ahmed says that when deploying an in-house whistleblower hotline, a technology professional can act "as either an adviser or a partner in setting up these types of programs and influencing the kinds of reports that would be of use to IT as they try to protect the organization."

Know thyself

Education can also go a long way toward helping IT professionals better handle the sensitive issues that can arise from having unfettered access to confidential data and sophisticated computer systems. What access to confidential information does IT have? Do IT staffers understand their roles and responsibilities? Can they differentiate between data that is and is not sensitive? What are their responsibilities for reporting misconduct? What whistleblowing mechanisms are in place? How will they be protected if they choose to speak up? What proof is required to substantiate a breach or misconduct?

Only by making IT professionals distinctly aware of their roles -- and of the way whistleblowing will impact them both personally and professionally -- can companies successfully enlist IT in efforts to achieve greater accountability.

Proceed at your own risk

The enormous burden of whistleblowing, however, should never fall squarely on the shoulders of a single IT professional. Rather, Roth says, "it's extremely important that corporations send a signal that they assure whistleblowers that they will protect their identity and protect them from harm."

But there are no guarantees that an IT professional who lifts the veil on corporate misconduct will emerge from the experience personally and professionally unscathed. "If you work at a company and you release damaging information about them, how will that company regard you in the future?" Lewis asks. "Frankly, there will be a diminution of trust. You can add more legal protections [for whistleblowers], but there still will be social penalties that are going to be hard to avoid."

Just ask a whistleblower. "It's not for the faint of heart," says Walton. "I'll put it that way."

Copyright © 2014 IDG Communications, Inc.
