Recently, I spent some time with a group of people considering cyber security from a number of different sides and levels. We had an interesting scenario discussion where we debated the correct way to handle a specific behavior-related situation.
My role in this discussion was to provide insight and guidance based on my experience as a technical cloud computing expert. It wasn't that easy because the concept at hand involved an employee doing something that was not only questionable, but actually fairly seriously bad behavior.
After considering the scenario, I cautioned the audience that you have to be careful when addressing bad behavior in cyberspace. You can't convict someone of a crime or misdoing in the electronic infrastructure of your company. But as we are learning from various situations around the country, you can't ignore the problem either. The issue was further complicated when one of the participants brought up the issue of the mistreatment of children. Not that we were comparing the two, simply that it was an argument used to explain the side “I would just report it.”
There are a number of organizations set up to allow whistleblowers free access to easily report problems without risking their jobs or careers. But can you report the person conducting the bad behavior?
By the end of the evening, there were two clear camps. The first said, "Call the police, period. Based on what is happening in the world right now, let the police sort it out." The second side was a measured, "Be careful. In the end, if you have to call the police, do so, but follow your internal reporting policies first."
The two sides have bounced around inside my head for the past three weeks. It is an intriguing argument that begs the question, “Which side are you on?”
I haven’t found a side yet. But I can compare it to a time when I was a school teacher many years ago. Reporting any form of child abuse is mandatory: not "get around to it when you can," but report it or face disciplinary action. It was not a policy you thought about; it was simply one you followed. When the time came, I simply reported what I believed to be abuse. It cost me time sitting in a courtroom, but I felt as though I had done the right thing.
The context of what I reported was quite simple: a small eight-year-old boy with burn marks on his arm and bruising on his back. Simple and straightforward. But many of the scenarios IT professionals face in this world are much grayer than the black-and-white scenario I faced.
In the case of reporting child abuse, it was the right thing to do, and if there was a logical explanation, that would have been it: case closed, and we all move on. But I have to say that 24 years ago, when I was faced with this dilemma, I struggled and actually discussed the situation with my teachers' union representative before filing the report.
There is always the context of the situation to consider. If you report someone for something regardless of what happens next, you may damage their career. Sure, if they have done something that was wrong, they deserve the consequence. But if there is even the most remote chance that there is even any gray at all in the situation, it is important to consider the implications and follow the internal protocol before engaging with the authorities.
After three weeks of chewing on this problem, I still don't have an answer. Sure, you can call the police. To quote a cyber-investigator, "they are elected officials… they may come bursting through the front door reporters in tow." You can head down the path of reporting the issue internally within your organization. But what if the person you are reporting to is part of the problem internally?
All in all, this presents an interesting thought exercise. What do you do as an IT administrator when you find out that an employee is using company time and resources to do something that they shouldn't be doing? The question is intriguing; by no means am I treating violating company policies as equivalent or even similar to anything to do with child abuse. As stated earlier, this was simply one of the arguments used by the “just call the police right away” side of the argument. I still am not 100% sure I know what side I would choose if asked personally.