Are You Listening to Your Employees?
If employees can't come to their managers with security and privacy concerns, they just might go to the press or the authorities first.
Many of these cases arose because employees had no choice but to take their concerns to the news media or law enforcement; they couldn't find any way to effect change from inside.
As frustrated employees consider turning into whistleblowers, it is only a matter of time before we see more whistles blown on bad privacy and security practices.
The question is: Are you able to hear what they have to say before they get frustrated and take their complaints outside the company?
Indeed, based upon my own recent conversations with random members of the public, there are privacy and security time-bombs ticking in companies all over.
Hardly a week goes by that I don't receive a question, posed via my blog, email, or from callers to my weekly radio segment with nationally syndicated talk show host David Lawrence, from someone who has discovered a looming privacy problem in their company and doesn't know what to do about it.
In a recent example, I received an email inquiry from a gentleman who is concerned by his boss' practice of taking home large amounts of sensitive customer and employee information on his laptop computer, including credit card and Social Security numbers. The boss is violating corporate policy by doing so, but the employee doesn't know how to call it to anyone's attention without endangering his own career.
Every time I hear a story like this from another concerned employee at his or her wit's end, I'm reinforced in my belief that most privacy and security problems don't miraculously appear one day out of thin air. The constant stream of inquiries I get from exasperated employees suggests that while problems are widespread, it can be a huge challenge to get the attention of those executives with the ability to do anything about it.
In the course of my consulting work, I have been involved in more than a few forensic investigations, in which the aftermath of a privacy or security debacle is pieced together for use in a court battle.
(Note to the CBS network: "CSI: CPO." Think about it! Have your people call my people...)
More often than not, as we sift through piles of emails and other digital documents, there is ample evidence that along the way somebody noticed the problem, but the concerns went unheeded.
The reasons for inaction usually break down into one of three categories of dysfunction.
First, somebody has noticed a problem but doesn't know how to bring attention to it, or to whom it should be addressed, so it continues to go unresolved.
Second, somebody has noticed the problem and even brought it to the attention of a higher-up, but it turns out to have been the wrong person -- who ignored the issue because "it's not their problem".
Third, and perhaps the most dismaying, is when somebody has noticed the problem, but fears bringing it up internally because of a corporate culture that punishes squeaky wheels.
Solving the Problem
Luckily for CPOs and CSOs, there is a relatively easy solution that can address all three situations: Create a simple feedback process that encourages conscientious employees to share their concerns in an atmosphere that is anonymous and reprisal-free, and promote its use to everyone.
For those companies whose problems fall into the first two categories, nipping a growing privacy problem in the bud may be as simple as setting up an email address or a Web page through which concerns can be properly routed to someone with the expertise to understand and act upon the query.
Implementing such a solution may not be as simple if you work for one of those dysfunctional companies in the third category, not because it's hard to set up an email address or Web page, but because your corporate culture is working against your best interests.
In this case, it may require various technical and organizational efforts, including involvement by senior executives, human resources and legal counsel, to create an effective and trustworthy shield for a conscientious employee.
Some readers may be shaking their heads at this point, scoffing at the idea that their company could need such a process. But I can assure you that when the effort expended setting up some communication channels directly to your privacy and security team is weighed against the costs of a privacy debacle -- both in dollars and in corporate reputation -- there is really no comparison at all.
Anything you can do to keep a conscientious employee from feeling their only option is to become a whistleblower and take their story to a newspaper or law enforcement authority is a worthwhile investment. And that includes paying a big fat bonus to anybody who reports a problem!
There also is a more advanced solution for companies whose privacy and security concerns are especially sensitive due to the extensive consumer-facing products and services they provide. In such a company, it often can make sense to institutionalize the process of probing for problems by creating teams of security and privacy experts who roam the company talking to everybody and looking for trouble.
For example, one major dotcom firm that I know of has a team known as the 'Paranoids'. It's their job to poke holes in anything and everything. Every department and every major product team has its own representative to the Paranoids group, ensuring that there's a 'go-to' person in every corner of the company when a privacy or security issue is discovered.
It then becomes the job of the local Paranoid to push for not only attention to the issue but for solutions that are consistent with the business needs of that group. Thus, no one is forced to be a lone voice calling out in the wilderness.
While the discovery of a privacy or security problem is only the beginning of what can sometimes be a difficult path to resolution, getting news of a problem from the depths of an organization to those empowered to fix it shouldn't be the hardest part of the process.
Knowing that a problem exists is the first step to fixing it. Every CSO and CPO should be asking themselves whether they have done all they can to make sure that bad news can quickly percolate up to them from wherever it may arise.