Former Twitter security chief Peiter Zatko is set to testify before the Senate Judiciary Committee on Tuesday, only three weeks after his explosive whistleblower complaint became public.
Business leaders should take heed of how quickly Congress hauled Zatko in, because this appears to be the start of a trend that highlights reputational risk.
Zatko alleges that senior executives at Twitter hid cybersecurity vulnerabilities, misreported the effectiveness of security measures to regulators and customers, and intentionally kept information from the board of directors. Twitter dismissed the allegations as “a false narrative” that lacks context. Litigation will likely take years, but Zatko blowing the whistle on cybersecurity malpractice has already maimed Twitter’s reputation and stock price.
This case parallels a whistleblower claim against defense contractor Aerojet Rocketdyne, which agreed last month to pay $9 million to resolve allegations that it violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements.
This makes two publicly traded companies, two boards allegedly misled, and two whistleblowers with inside information and technical expertise identifying cybersecurity failures and misconduct at companies where these kinds of deficiencies have national security implications. The Aerojet Rocketdyne case was quietly and suddenly settled. It’s unlikely that Twitter will enjoy the same fate.
What Zatko claims about Twitter seems closer to the norm than the exception in this under-reported world of cybersecurity incidents. In both cases, the whistleblower communicated what the proper course of action should be–but didn’t get the buy-in from business leaders.
Insiders and security practitioners at publicly traded companies will only be further emboldened to come forward and share what they know to be true: Cybersecurity at most companies, despite obvious national security concerns, is underfunded, underregulated, and frequently misrepresented to create the false perception of progress.
Executives need to take cybersecurity more seriously and surround themselves with voices that can translate technical vulnerabilities into business risk. The topic can no longer be ignored, especially with new regulations and enforcement forthcoming for several sectors. In fact, many businesses already face requirements with government regulations–just as Aerojet Rocketdyne and hundreds of thousands of other defense contractors are subject to the Department of Justice’s Civil Cyber-Fraud Initiative.
Business leaders should be proactively safeguarding their organizations, not out of fear of litigation, but because it’s the cost of doing business in today’s landscape.
Ten years ago, when I was the global chief information security officer (CISO) at BAE Systems, I reported to the board of directors whenever there was a security concern. Overwhelmingly, the board voted to increase the headcount for cybersecurity, expand tools, and build out a global security operation center.
More boards need to show that level of support. The upfront investment that’s required pales in comparison to the risk of failing to meet cybersecurity regulatory requirements, and a potential legal battle and reputational hit if a whistleblower calls out those shortcomings.
If this trend of high-profile whistleblowing continues, there will be rapid and meaningful change. It will be driven by the fear of reputational damage and loss of customer confidence, not government fines. An industry can change on its own much faster than regulatory efforts would compel it to. Whistleblowers–such as Jeffrey Wigand, who forever changed the tobacco industry– have had this motivating effect in the past.
Cybersecurity is very difficult to quantify and align with funding as part of a risk-based business decision. However, when you add reputational risk and potential whistleblowers to the equation, it’s easy to justify the investments that need to be made. Recognizing that cybersecurity is an ongoing business function that requires investment should be the takeaway from whatever Zatko’s testimony reveals.
The era of involuntary disclosure through whistleblowers may just be what finally gets business leaders’ attention and has them see the light on why cybersecurity is so important to their operations, reputations, and ultimately their bottom lines.
Eric Noonan is the CEO of CyberSheath, which helps defense contractors obtain and maintain cybersecurity compliance.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.