Career Advice Tuesday – “Potential Whistleblower”

July 5, 2011

Dear Infosecleaders:

My company has recently hired a Chief Information Security Officer, and I have some big concerns about their competence and their ethics.

I was a part of the interview committee that interviewed them, and I did not believe that they had the knowledge of the current issues facing our company to be an effective information security leader. In addition, I am a member of some closed on-line communities, where there have been postings about the individual’s ethics, including items like falsifying information, taking kickbacks from vendors, and other claims that question his worthiness of being considered an information security professional, let alone a Chief Information Security Officer.

Any advice?


“Jeffrey Wigand” 

(The question, of course, is anonymous – anyone get the reference?)


Dear Jeffrey:

The advice I am going to give you may be a bit unpopular: do nothing, wait it out, but have a contingency plan. In cases like this, if the allegations are correct, it will not be long before your new CISO shows their true colors and incompetence. However, you may find it impossible to support their actions and follow their lead, and in that case you need to protect yourself and begin exploring your external options.

I also want to let you know that currently you do not have a shred of concrete evidence that your allegations of wrongdoing and poor ethics are accurate – just other people’s opinions. The only thing concrete you have is your own appraisal and evaluation of their performance during your time together in the interview.

One thing that I will bring to light is the fact that your company ignored your feedback in the candidate interview process, which is something that you may want to think more deeply about.

Here is a series of questions that I would like for you to answer on your own:

First I will ask: “How many candidates did you have the opportunity to interview?”

If the answer is “More than one,” the next question that I would ask is: how many of the candidates did you like?

If the answer is “You liked others better,” then you should begin to think about the skills that your company values in its leaders and in its information security professionals. When you have thought that through, you should think about your own skills, and how they align. If there is a disconnect, then I think you should begin to polish your resume and look for external opportunities. It does not seem that you will see eye to eye with your new manager/boss, so you may want to get out before you are placed in any awkward situations.

If the answer to the question is “You did not like any of the candidates,” I would have to ask you whether you felt that you should have been considered for the CISO job. If this is the case, your employers may have dismissed all of your feedback as “sour grapes.” If you feel that you should have been considered, you may need to take an honest look at your skills and try to assess where your deficiencies are in accomplishing this step in your career. In any case, by ignoring your feedback and not considering you for the job, your employer has sent a clear signal that you are not in their future leadership plans. Again, I would polish up the resume and take a proactive approach.

If word gets out that you did not endorse your new boss, and their character is as advertised, you do not have a long future at your employer.

If you do wish to stay, your real hope is that the new CISO gets fired, before he can get rid of you.

I will close by saying that I am making a great many assumptions. This is a tricky situation, and unfortunately we rarely get a chance to pick our managers – this is one of the hazards of working as an information security professional in “Corporate America.”

Good luck,

Lee and Mike

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Recruiting, Security Industry 