Ethical Situation Question

jah8887 Member Posts: 81 ■■■□□□□□□□
The small company I work for has become toxic at the top ever since a new CEO took over.  He seems to get enjoyment out of building people up then beating them down, i.e. cussing them out, calling them worthless, etc.  I currently am on my way out, looking for other jobs in my area and/or to move to.  Recently, the CEO and Financial Officer decided it would be good to keep our small IT department in the dark about a surprise IT audit from a 3rd party company we have never heard of until 1 day before they were set to come onsite, and that third party requested domain admin access (which I didn't approve of).  The department asked for some background on the company, and to see the papers to make sure they were filled out right, but they wouldn't release them to us until after the audit was over.  The auditors understood what was going on and commended such a small department for doing so many things and accomplishing so much in a year.  This is where the ethical question comes in.  What the company that audited us said was extremely positive and pro us, with an unbiased opinion.  However, when the final report came out the CEO would only let the manager see the report, and it was all negative and bashing the IT department.  We noticed on the final report it said there were several versions revised from the original one.  This is what got my curiosity going, since everything the company said was the total opposite of that report.  It so happened that a file was uploaded to the file server and it was the original report.  The original unbiased report was praising our small department with no negativity and/or bashing of the department and said we should be thankful we have such knowledgeable employees running it.  It seems like the CEO and Financial Officer, when they met with the auditors after the audit, twisted their arms or something or forced them to make us look bad.
The chair people of the bank will be getting the final report soon, and the final report will be the negative one about the department.  My question is: do I let it go and let the chair people think that they have a horrible department, or do I email the chair people directly so they can see the unbiased report?  I don't want to do anything illegal, but ethically I was sure that if you pay an audit company to audit your departments you should keep it unbiased and have no persuasion or forcing of the report to look the opposite of what that company thinks.  Sorry for the long rant; I have been debating what to do and figured I would ask some other professionals if they have had the same situation happen to them or could give me advice.  Thanks for reading or giving advice!


  • PCTechLinc Member Posts: 646 ■■■■■■□□□□
    Who uploaded the original report to the file server and who had access?  If it was posted negligently to people who shouldn't have seen it but had access, then it's fair game.  It's only when you abuse your power to get access to files you shouldn't.  However, if someone was looking for it with say Administrator rights for the sole purpose of trying to find this report, that's where you could get in trouble.

    Now as far as what you should do, even though there are laws against whistleblowing, if someone wants you gone they'll find a way.  Remember, it's not what you know, it's what you can PROVE that matters.  Otherwise it's circumstantial.  If I were in your position, I wouldn't say anything unless 1) I wasn't worried about losing my job or 2) I already had another opportunity.  For me, preservation of self is the most important.
    Master of Business Administration in Information Technology Management - Western Governors University
    Master of Science in Information Security and Assurance - Western Governors University
    Bachelor of Science in Network Administration - Western Governors University
    Associate of Applied Science x4 - Heald College
  • jah8887 Member Posts: 81 ■■■□□□□□□□
    The financial officer uploaded it, of course, with just domain admins and themselves able to see the report.  I kinda know he is looking to outsource the whole IT department because the first day on the job here he said we don't need an IT department and we don't need a server room.  I have already been applying elsewhere and had several interviews, and for 1 of them that I am well suited for I will know this week if I got it.  I just would hate to see the chair people only see this twisted report making me and the department look like we don't know what we are doing and are idiots or whatever you want to say.  I really don't want to say something for fear of getting in trouble, but at the same time I feel like the truth should be told.  Thanks for helping me in this situation.
  • SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    Don't try to do the "correct thing"; just move on. Find a new job. Then "IF" someone higher asks why you left... tell him "unofficially" the real story.

  • yoba222 Member Posts: 1,237 ■■■■■■■■□□
    Can't think of how to phrase an analogy for it, but sounds like a risky battle to win a war not worth the fight.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • JDMurray Admin Posts: 13,025 Admin
    It sounds as if there is a serious lack of respect now in that environment. Don't try to figure out the new management's secret business strategy. Just move on and don't look back.
  • iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    Yikes, I can imagine it is very difficult to watch this slow-moving train wreck starting to take shape.  However, it is not your position in the company to correct/expose poor strategy decisions by executive leadership, and doing so could potentially get you fired despite being correct.

    You have to remember, you do not own this company or the IT department.  You are only there to be a good steward of the IT systems, and if they want to go with another IT support model then that is absolutely their right, however shortsighted that may be.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • shochan Member Posts: 1,004 ■■■■■■■■□□
    Have you ever seen the movie Glengarry Glen Ross? This reminded me of it.
    CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
  • UnixGuy Mod Posts: 4,564 Mod
    This is pure politics, and it's ugly. No point trying to guess why the CEO is doing this; they clearly have an agenda and unfortunately they're more powerful in this situation. They might be planning to get rid of the IT department or throw someone under the bus - or who knows. It doesn't matter now.

    I wouldn't try to change a thing. Stay in the company if you see it benefiting you; otherwise jump ship ASAP. It sounds like a sinking ship anyway.

    Learn GRC! GRC Mastery : 

  • Kasor Member Posts: 933 ■■■■□□□□□□
    A toxic management will do more harm than good to anyone. Maybe this is the indicator for you to find a better IT job somewhere else.   Also, I am wondering what type of audit they are focusing on?
    Kill All Suffer T "o" ReBorn
  • beads Member Posts: 1,531 ■■■■■■■■■□

    Likely a SOC 2 type of audit, centered on PPGS (Policy, Procedure, Guidance and Standards) first; otherwise it wouldn't be much of an audit. From there you can look at the efficacy of how a small department is meeting the organization's needs, identifying gaps in everything from strategy and funding to questioning the skill level of the players involved. Maybe a fishing expedition, maybe not. Are there any compliance-based needs being assessed? HIPAA, PCI-DSS, etc.

    Given that management sounds toxic, this is probably a "shot fired across the bow", leading to a "reorganization" of the department. Without having more information, it's hard to tell.

    Good luck and continuously update that resume!

    - b/eads 

  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    edited August 2020
    jah8887 said:
    The financial officer uploaded it, of course, with just domain admins and themselves able to see the report.  I kinda know he is looking to outsource the whole IT department because the first day on the job here he said we don't need an IT department and we don't need a server room.

    I'm not a fan of outsourcing, but there are times where outsourcing some IT operations makes financial sense.  Outsourcing the entire IT department, with the chief financial officer making the outsourcing decisions, what's the worst that could happen? A lot. The first time a network switch fails, with no onsite IT staff, it could take days for a vendor to look at it.  The financial officer is probably a penny pincher; he's not going to pay the extra cost for 24/7 support, so it's next business day. Not to mention, if there are no spare switches onsite, it's wait for Cisco to ship you a replacement, assuming they even have Cisco equipment. Netgear is way cheaper, think of how much money we can save.

    At the absolute minimum, every company should have their own domain controllers onsite so users can log into the network, and a shared-drive file server so users can get to their files. If off-site network connectivity goes down, your business is dead in the water. A local network guy comes in handy too.

    Still searching for the corner in a round room.