Are You Listening to Your Employees?

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
In recent years, we've seen the incredible impact of conscientiousemployees who have become fed up with seeing mismanagement andmalfeasance in corporations and government.

Many of these cases arose because employees had no choice but to taketheir concerns to the news media or law enforcement because they couldn'tfind any way to affect change from inside.

As frustrated employees consider turning into whistleblowers, it is onlya matter of time before we see more whistles blown on bad privacy andsecurity practices.

The question is: Are you able to hear what they have to say before theyget frustrated and take their complaints outside the company?

Increasingly, conscientious workers are aware of privacy and securityconcerns, and they often can provide distant early warnings of troublebefore it might otherwise appear on an executive's radar. The challengefor today's privacy and security professionals is to make sure there areclear lines of communication open to all corners of the company.

Indeed, based upon my own recent conversations with random members of thepublic, there are privacy and security time-bombs ticking in companiesall over.

Hardly a week goes by that I don't receive a question, posed via my blog,email, or from callers to my weekly radio segment with nationallysyndicated talk show host David Lawrence, from someone who has discovereda looming privacy problem in their company and they don't know what to doabout it.

In a recent example, I received an email inquiry from a gentleman who isconcerned by his boss' practice of taking home large amounts of sensitivecustomer and employee information on his laptop computer, includingcredit card and Social Security numbers. The boss is violating corporatepolicy doing so, but he doesn't know how to call it to anyone's attentionwithout endangering his own career.

Every time I hear a story like this from another concerned employee athis or her wit's end, I'm reinforced in my belief that most privacy andsecurity problems don't miraculously appear one day out of thin air. Theconstant stream of inquiries I get from exasperated employees suggeststhat while problems are widespread, it can be a huge challenge to get theattention of those executives with the ability to do anything about it.

In the course of my consulting work, I have been involved in more than afew forensic investigations, in which the aftermath of a privacy orsecurity debacle is pieced together for use in a court battle.

(Note to the CBS network: ''CSI: CPO'' Think about it! Have your peoplecall my people...)

More often than not, as we sift through piles of emails and other digitaldocuments, there often is ample evidence that along the way somebodynoticed the problem, but the concerns went unheeded.

The reasons for inaction usually break down into one of three categoriesof dysfunction.

First, somebody has noticed a problem but doesn't know how to bringattention to it, or to whom it should be addressed, so it continues to gounresolved.

Second, somebody has noticed the problem and even brought it to theattention of a higher-up, but it turns out to have been the wrong person-- who ignored the issue because ''it's not their problem''.

Third, and perhaps the most dismaying, is when somebody has noticed theproblem, but fears bringing it up internally because of a corporateculture that punishes squeaky wheels.

Solving the Problem

Luckily for CPOs and CSOs, there is a relatively easy solution that canaddress all three situations: Create a simple feedback process thatencourages conscientious employees to share their concerns in anatmosphere that is anonymous and reprisal-free, and promote its use toeveryone.

For those companies whose problems fall into the first two categories,nipping a growing privacy problem in the bud may be as simple as settingup an email address or a Web page through which concerns can be properlyrouted to someone with the expertise to understand and act upon thequery.

Implementing such a solution may not be as simple if you work for one ofthose dysfunctional companies in the third category, not because it'shard to set up an email address or Web page, but because your corporateculture is working against your best interests.

In this case, it may require various technical and organizationalefforts, including involvement by senior executives, human resources andlegal counsel, to create an effect and trustworthy shield for aconscientious employee.

Some readers may be shaking their heads at this point, scoffing at theidea that their company could need such a process. But I can assure youthat the effort expended setting up some communication channels directlyto your privacy and security team, when compared to the costs of aprivacy debacle -- both in dollars and in corporate reputation -- isreally no comparison at all.

Anything you can do to keep a conscientious employee from feeling theironly option is to become a whistleblower and take their story to anewspaper or law enforcement authority is a worthwhile investment. Andthat includes paying a big fat bonus to anybody who reports a problem!

There also is a more advanced solution for companies whose privacy andsecurity concerns are especially sensitive due to the extensiveconsumer-facing products and services they provide. In such a company, itoften can make sense to institutionalize the process of probing forproblems by creating teams of security and privacy experts who roam thecompany talking to everybody and looking for trouble.

For example, one major dotcom firm that I know of has a team known as the'Paranoids' It's their job to poke holes in anything and everything.Every department and every major product team has its own representativeto the Paranoids group, ensuring that there's a 'go-to' person in everycorner of the company when a privacy or security issue is discovered.

It then becomes the job of the local Paranoid to push for not onlyattention to the issue but for solutions that are consistent with thebusiness needs of that group. Thus, no one is forced to be a lone voicecalling out in the wilderness.

While the discovery of a privacy or security problem is only thebeginning of what can sometimes be a difficult path to resolution,getting news of a problem from the depths of an organization to thoseempowered to fix it shouldn't be the hardest part of the process.

Knowing that a problem exists is the first step to fixing it. Every CSOand CPO should be asking themselves whether they have done all they canto make sure that bad news can quickly percolate up to them from whereverit may arise.