For CISOs (Chief Information and Security Officers), whistleblowers are often seen as a threat to the cyber security function – people to fear, not to embrace.
Why? Because they have potential to hugely damage the company by publicly releasing critical, sensitive information that could have enormous adverse ramifications.
But as we witness the SEC’s expanding crackdown on cyber fraud, CISOs need to rethink their view.
Whistleblowers are, in fact, an ally and an asset. It’s time to see them as your risk champions.
As cyber fraud becomes such a key focus for regulators, it’s clear that being able to identify problems and risks early on and stopping them before they escalate is essential.
Are CISOs equipped to detect cyber fraud?
CISOs play a crucial role in helping to uncover, reporting on and addressing cyber fraud within an organisation.
As cyber threats continue to evolve, it is essential for the CISO to establish effective reporting mechanisms to detect and mitigate fraud incidents.
But as a CISO, can you be confident of being able to do so?
And, even more pressingly, could you manage to meet the 30 day deadline from identification to reporting to the SEC for cases under cyber fraud disclosures?
It’s all too easy for cyber security fraud risks to fall between the gaps of existing reporting mechanisms for security incidents, vulnerabilities, and risks. Often, this is due to the incidents not being treated as a reportable item for the SEC.
A vague report may arise of a possible fraud risk, referencing, for example, ‘vulnerabilities we shouldn’t have in our system’. But there might be no obvious action for any of the Information Security teams that it’s flagged to, and therefore leads nowhere.
Whistleblowing to the rescue
If your answer to either of the questions above is no, this is where whistleblowing programs can inspire and point towards a solution.
Armed with the right tools, a potential whistleblower can escalate any concerns relating to cybersecurity. And they can do so with assurance that this will reach the CISO’s office and will be reviewed with the severity of its implications in mind.
After all, direct reports to SEC and an enforcement penalty would be much higher than self-disclosed reports, as seen by Verizon’s case.
Investigations led by anonymity
The CISO’s office needs to be able to receive reports relating to cyber fraud and other issues, and have this investigated, all whilst maintaining a reporter’s anonymity (should they wish to do so).
By doing so, the organisation is able to identify areas of risk at an organisational level and make informed decisions as to reporting, disclosures, and remediation.
By fostering a proactive approach to cyber fraud, the CISO helps to minimize the organization’s exposure to potential threats.
The SEC’s enforcement action in the recent case relating to the Sunburst attack marked a landmark first in terms of civil charges being brought to a CISO. And this demonstrated the need for CISOs to rethink their approach to uncovering fraud. Watch out for more in our next blog where we look at this in more detail.
How can Vault Platform help?
At Vault we provide a platform for uncovering, exposing and investigating misconduct.
Vault’s Active Integrity platform can help CISOs develop exactly the kind of whistleblowing approach and system described above, enabling employees to anonymously report their cyber fraud concerns. This will help CISOs to stamp out problems before they develop into something far more serious.
Vault Platform enables you to configure rules by roles and groups so that the CISO’s office can receive reports relating to cyber fraud and then investigate, all whilst maintaining anonymity.
Want to learn more?
Let our specialists explain more to you about how Vault can help CISOs uncover and deal with cyber fraud. Book a call and demo with our team.