Whistleblowers And Security: Friends Or Foes?

By Steve Mark.

Much has recently been written about whistleblowers and security – in particular the conduct of Julian Assange and Edward Snowden. The majority of articles have focussed on the question of whether Assange and Snowden are traitors or heroes. This article explores a different question: are whistleblowers good for the security industry?

Julian Assange and Edward Snowden are viewed by many in the community as heroes and saviours, while for many others, particularly in politics and the security industry, they are evil, self-serving traitors. Where does the truth lie? Media commentators have alluded to the extensive damage done by Assange and Snowden, from endangering intelligence operatives to embarrassing governments, scuppering information exchange protocols between agencies and even threatening trade agreements. For example, as William H. Harwood, Instructor of Philosophy, The University of Texas Pan-American, states:

“Only a cartoonishly childlike understanding of diplomacy could conclude that detailing our spying on our allies doesn’t hurt our national security. To defend Snowden on the grounds he has avoided disclosing information concerning terrorism, as some have, is as myopic a view of national security as thinking that avoiding U.S. casualties by using drones to kill terrorists already willing to die for their beliefs – adjacent innocents be damned – is the best way to combat terrorism.”[1]

What the commentators have not addressed is what impact the activities of these and other lesser-known whistleblowers have on the security profession working in the private sector. The information released through Assange and Snowden’s activities has ostensibly been known by governments for years, and it is only now that the public have become aware of the information that the governments have reacted with ‘shock and horror’. The impact of this on the trust the public has in government is extensive. Similarly, its impact on the private sector has been heightened concern about the need for security generally.

Publicity about security breaches tends to focus the attention of companies and private individuals on their own security systems and how effective those systems are. This perhaps could generate a wealth of business for those companies providing advice about security systems. However, the question must be asked whether such breaches also generate discussion about what information or material actually ought to be kept secure and the ramifications of security breaches in the private sector. I am not sure whether such questions are being addressed.

In my view, in meeting their duty to the community, security professionals providing services to the private sector should be advising their clients on evaluating their information holdings and on the basis of that ‘value’, determining what information really needs to be secured. Although this is generally done by security advisors and consultants, when clients are motivated by fear caused by intensive media, they may ignore strategic advice and simply panic and buy more product.

Anecdotal evidence suggests, however, that much information presently considered necessary to be kept secure does not actually need to be. Little guidance or information is available generally to the community about this fact and about the need for levels of security or how to determine what information to secure and what product to use. This has long been central to government and military thinking, but not the private sector. The government and military have a sophisticated framework within which to make such decisions.

In my view it is imperative that the private sector be better educated about what information should and should not be protected. This must be the role of the security profession.

What is clear from the experience of security professionals and studies around the world is that many organisations lack security systems and protocols to deal with the information they need to keep secure. Therefore, the question must be asked: if organisations had effective security policies and procedures to deal with their particular needs, would there be a need for whistleblowers and would whistleblowing occur? That is, if a limited amount of critical information were properly secured, thereby giving little access or opportunity for security breaches, and information that did not need to be retained for security purposes were released under a culture of transparency, there would be little need or opportunity for whistleblowers at all.

Of course, that is not to say that there would be no whistleblowers if this course of action was taken; what I am suggesting is that the opportunity for whistleblowers would be minimised.

As a result, this raises the role of organisational culture, both in exploring the organisation’s approach to security and in the question of why there is a need or opportunity for a whistleblower. Security is an aspect of organisational culture, not an ‘add-on’. The role of a security professional is to identify the security culture within an organisation and assist in its development, including ensuring that all members in the organisation understand the purpose of security. Furthermore, it is also the responsibility of management to ensure that staff understand the purpose of security policies and products implemented within an organisation. Policy awareness is not enough to trump a culture. Security cannot be delegated exclusively; it must be a shared concern.

In stating so, however, one has to be careful to ensure that an assessment of the organisation and its culture is performed. As Matthew Curtis, Chair of the Australasian Council of Security Professionals, recently wrote:

“Remember, each organisation is different. Each has a different risk profile – and for many the risk of attack may be insignificant – but better management of this ambiguous threat will strengthen your resilience regarding the trusted insider and many other security risks and promote an improved security culture.

Such a culture is based on:

  • careful and evidence-based selection of good people
  • managing and leading them properly, avoiding the common motivation to betray for revenge
  • security management that is integrated within mainstream governance and visible to the Board
  • promoting security awareness and robust security management
  • responding to exceptions quickly.”

Steve Mark is the Registrar of the Security Professionals Registry of Australasia.

 

[1] William H. Harwood, Whistleblower or Traitor, Snowden Must Shut Up, The Huffington Post, 24 October 2013, available at http://www.huffingtonpost.com/william-h-harwood/whistleblower-or-traitor-_b_4143834.html