In a recent TaoSecurity Blog post entitled "Whistleblowers: The Approaching Storm for Digital Security" I said, "I'm predicting that due to the increase in regulation during the last decade, whistleblowers will begin to report digital risks or incidents to their boards and/or outsiders."
I cited a presentation by Frederick Lipman on the subject of whistleblowers, and I recommend reading the linked .pdf if you want to learn more about that topic without reference to digital security concerns.
As an M-Unition blog reader, however, you are probably wondering about the digital security management angle to this story. Imagine being a manager at a company facing charges that you've acted improperly or negligently with respect to an alleged digital risk or incident. Are there steps you should take to mitigate this risk, apart from the generic whistleblower management remedies advocated by Mr. Lipman?
Throughout my career I've promoted the idea that incident detection and response is the practice closest to ground truth in digital security. For example, a "risk assessment" produces a theoretical evaluation of "risk." A "vulnerability assessment" produces a report on vulnerabilities that may or may not be exploited by an adversary. A "penetration test" demonstrates that an intruder acting like the red team could have exploited your organization. Detection and response, however, shows whether or not a live adversary is currently exploiting the organization, or did so recently. (The timeframe depends on the forensic data available to the analyst.)
For this reason, I am a fan of Mandiant's "are you compromised?" assessment offering. Clients regularly hire Mandiant consultants to determine if an adversary is currently operating inside their organization. In the event we find a foe who is not easily dislodged by traditional means, clients hire us to escalate and resolve the situation rapidly and effectively.
For me, one of the most compelling ways to counter a whistleblower's accusation that an organization is compromised and complacent is to regularly hire a third party to conduct an "are you compromised" assessment. This may sound like a commercial, but I wouldn't mention it if I didn't believe in the approach!
If you aren't comfortable or able to hire outsiders, your internal team will need a strong organizational "firewall" between the Computer Incident Response Team (CIRT) and the rest of IT and security, possibly with authority for direct reporting to the audit committee or the Board. With that power the CIRT has some ability to demonstrate its relative independence within the organization.