Kaveh
Newcomer II

deal with corruption!

I know the title is a little bit "already" controversial. here is my question and concern:

Let's say you deal with coworker(s) who are not only not doing their due diligence to make sure your company is compliant with, let's say, GDPR, but who actually intentionally ignore it, whether through basic negligence resulting from laziness or even from lack of knowledge. It doesn't matter what the reason for the ignorance is; your challenge is that you don't even have the authority to force them, or convince them. Simply imagine you are reporting to someone who is higher in the org hierarchy and you are nobody!

What would you do? I know this might not be a technical complication, but you still care. Should you circle your boss and escalate to a higher manager? What if even the next person in the loop simply doesn't care?

I appreciate your thoughts.

10 Replies
James_Waithe
Newcomer I

Hi Kaveh

Thanks for sharing your dilemma, you are not alone.
Whatever the reason for lack of engagement by senior staff, your obligation
to yourself and as a security professional is to "lead by example". Be the
champion at your level and be loud about it. You have to find a way to
highlight these issues to the security officer or the data protection
officer.

I hope this helps

James
Beads
Advocate I

Best to follow up with whomever is charged with your compliance as well as audit responsibilities. Every organization under compliance is mandated to assign a leadership resource as your compliance officer. If your organization is large enough to have a dedicated auditor, that person will be your first contact.

Barring lack of annual, bi-annual or tri-annual audit, the board of directors will ultimately be responsible for compliance. If the BoD does take compliance seriously - start looking for a new position. Point blank. No questions asked, you're sitting on a time bomb. In the meantime, generate and keep an email trail of any communication on the subject: meeting notes, conclusions, research discussed, everything related.

As for 'corruption'? Probably not corruption but legal indifference unless money or favors are being exchanged. Indifference has killed enough companies and organizations to take the GRC part of business seriously.

tmekelburg1
Community Champion


@Kaveh wrote:

what would you do?

I'd follow the chain of command. If there isn't a team lead for you or your co-workers then go to your supervisor. If the supervisor doesn't think it's an issue and it clearly is, then go to Compliance like @Beads suggested. These issues rarely have to go above Compliance, especially if you have proof and they conduct an investigation into the matter.

There is a lot to unpack in your post that should be introspectively looked at further, e.g., you're not a nobody for one. Keep fighting the good fight!

rslade
Influencer II

> Kaveh (Newcomer II) posted a new topic in Governance, Risk, Compliance on

> I know the title is a little bit "already" controversial.

Oh, I wouldn't say the title is controversial ...

> let's say you deal with your coworker(s) who are not only not doing
> their due diligence to make sure your company is compliant with let's say GDPR,
> but also they actually intentionally ignore it, basic negligence result of
> laziness, or even lack of knowledge, doesn't matter what is the reason for
> ignorance, and your challenge is that you don't even have authority to force
> them, or convince them, simply imagine you are reporting to someone who is
> higher in org hierarchy and you are nobody!

... it's possible your definition of "corruption" is controversial ...

> what would you do?

Definitely something.

> I know this might
> not be a technical complication but still you care

As well you should. It might or might not be technical (you haven't given much
detail), but it certainly sounds ethical. And it may cause problems for the
profession, your employer, ethics itself, and possibly even society. So you've
covered all four of the canons in the code of ethics.

> should you circle your boss
> and escalate to a higher manager

OK, first step is talk to your coworker.

Second step is to discuss with your other coworkers, if any, and see if they agree
with you, and will help talk with that particular coworker.

Only after that do you go to your boss.

And only after *that*, if necessary, a higher manager.

> what if even next person in loop simply don't
> care?

Well, I faced a similar situation once. I went to my boss, his boss, and then HIS
boss. And when that *still* didn't work, I quit. You can't always fix everything,
but if you can't, then that isn't a place you want to work, or even be associated
with.

> I appreciate your thoughts.

Well, we'll see.

dcontesti
Community Champion

Your scenario is all too real and something that many folks in Security face.

Most of the recent regulations (GDPR, CCPA, etc.) require someone to be responsible. Many of the older regulations also have provisions for responsibility in them. If you are not sure who that is, I suggest you contact audit (this assumes you have an audit department; most larger organizations have one).

I have always recommended that folks in Security set up alliances with Legal, HR, Communications (Public Affairs), Physical Security and Internal Audit (or if need be the external auditors). By doing this, you will have some backup to handle issues as they arise and also support for things that may seem out of control.

I would ask, do your counterparts know the regulations that apply to them? Do they need some education, maybe? If they understand the regulations and still have a laissez-faire attitude, then, as @Beads said, you may want to look for employment elsewhere.

Regards

d

Kaveh
Newcomer II

Thanks everyone for your thoughts! I just wanted to wrap it up from my POV:

- Quitting is not a solution. I would not recommend that anyone just give up and change their job/employer because they are not happy or cannot do anything about a matter. Quitting is erasing the problem statement, not solving it.

- This is not my personal issue. I tried my best to describe it as a business issue that concerns me, not my problem. I need to solve the issue by totally remediating this risk of negligence or ignorance or whatever you label it. There is no mitigation; this type of risk can jeopardize an entire business. So remediation is required, not optional mitigation.

- I believe I explained the scenario in a way that indicates I have escalated to my boss, the boss of my boss and... even the board! So again, what would you do (besides quitting) in this situation:

Your company is violating people's rights. Let's say you work for a known social media firm and they are simply violating GDPR, and you have even sent your message in a very direct way to Seniors and the Board. Still, the firm is totally ignoring the facts. What would you do to protect 1) people, 2) shareholders?

Thank you!

tmekelburg1
Community Champion


@Kaveh wrote:

- Quitting is not a solution.

Quitting is a solution, but it's not always the best: Commitment bias (Escalation of commitment)

- I believe I explained the scenario in a way that indicates I have escalated to my boss, the boss of my boss and... even the board! So again, what would you do (besides quitting) in this situation:

Your company is violating people's rights. Let's say you work for a known social media firm and they are simply violating GDPR, and you have even sent your message in a very direct way to Seniors and the Board. Still, the firm is totally ignoring the facts. What would you do to protect 1) people, 2) shareholders?

Thank you!

At this point, I'd guess you didn't communicate the risk / issue very well. Or they have reviewed it and deemed it not a risk or violation of GDPR.  Again, try your Org's DPO / Compliance Officer.

denbesten
Community Champion


@Kaveh wrote:

- Quitting is not a solution. I would not recommend that anyone just give up and change their job/employer because they are not happy or cannot do anything about a matter. Quitting is erasing the problem statement, not solving it.

I, on the other hand, generally advise listening to one's own spidey-sense. Quitting is not about erasing the problem; it is about prioritizing personal risk before company risk.

A friend once quit a job because the owner was consistently failing to meet commitments made to her. A year or so later she got a call from some TLA (three-letter-acronym) federal investigators. Turns out that the owner was also failing to meet some legal obligations that could have resulted in "career issues" for her.

From the perspective of managing her own personal risk, she made a good decision. By acting early, she was able to job-search while still earning an income, had a much shorter conversation with the TLA agency, and did not need to hire her own lawyer.

That said, there are no correct answers in risk analysis. It is all about what is tolerable to the decision maker. Your analysis may be that you can reduce your personal legal exposure to an acceptable level by righting the corporate ship, resulting in a more positive investigation.

The point being that employees can, should and will address personal risk management before focusing on company risk management.

dcontesti
Community Champion

Well said @denbesten