Should IT Professionals Be Whistleblowers?

Posted by Amanda Nieweler

on October 8, 2014

To Internal or Outsource – That Is the Question

Anybody can be a whistleblower. But the most infamous today are technology professionals, making their debut in the headlines for exposing government mismanagement or corporate underhandedness – Shawn Carpenter, Chelsea Manning, Edward Snowden.

Well we’ve all heard of them.

But what about those IT professionals who accused their employers of wrongdoing and didn’t make the headlines, or feel the need to seek asylum across the pond?

They do exist. And IT professionals have a difficult and stressful place in their organizations, being the center of lots of important, classified, and sensitive data and deciding on if they should report perceived misconduct or negligence involving that data and their employer. Weather they like it or not, these tech minded people have a potential to be whistleblowers. With plenty of sensitive data being generated by everything from assembly-lines, POS devices, etc., the potential for data fraud, or cyber fraud, is fueling the demand for data transparency. The public wants to know that their private information isn’t being hacked and employers want to know that data is being collected, used, and secured safely. stock illustration ID contact card

The stakes have never been higher for organizations to keep their systems secure. According to a report by Ponemon Institue, sponsored by IBM, the average cost of a data breach to a company was $3.5 million, up 15% from the average reported by companies participating in last year’s study. The 314 companies from 10 countries that took part in this year’s study estimate they will be dealing with an average of 17 malicious codes and 12 sustained probes each month. IT departments have their hands full keeping confidential data safe from these mounting threats.

That puts a lot of pressure on IT professionals. They have the responsibility to ensure data is open and fair, and that data management practices meet very high ethical standards. But these folks face quite the dilemma if they do report misconduct and misuse of data – stir the pot so to speak, or take the “yeah sure it’s a data breach, but it won’t really harm anybody” approach.

Well sure, it harms many people. Look what happened to Target. And many IT leaders are coming forward in their role as corporate watchdog. Internal cultures are shifting – better legal protection is available as well as anonymous whistleblower programs.

To Internal or Outsource – That Is the Question

The Dodd-Frank Wall Street Reform and Consumer Protection Act has granted a few whistleblowers monetary awards, and since its first weeks in effect, the SEC has fielded more than 6000 whistleblower reports. And the Dodd-Frank Act aims to protect whistleblowers from employer retaliation by allowing them to remain anonymous.

As such, many organization are taking matters into their own hands and establishing internal whistleblowing programs, allowing IT professionals to report on the mishandling of data and other concerns like fraud, corruption and illegal activity.

It’s important to motivate would be whistleblowers to report internally first before going to the SEC. Organizations don’t like the fact that if a whistleblower goes to the SEC, the organization doesn’t know what’s being reported about it and the first time they do find out, it’s from a regulator. Organizations also don’t want to have their reputations splattered across front page news.

It starts at the top with senior management leading the positive culture. All employees, from the IT professionals to the marketing department, need to know where their roles fit inside the success of the business. Employees need to know what whistleblowing mechanisms are in place and more importantly, they need to know that they will be protected if they do come forward.

So what happens when would be whistleblowers still don’t feel safe reporting misconduct to an internally run ethics reporting system? That’s the dilemma some organizations face – Internal or Outsourced. Do we incorporate an internally run whistleblower program, or take it out to the third-party.

eBook: Whistleblower Hotlines: Internal vs. External