Should the CISO protect the organization against whistleblowers?
I agree with Hilary Walton ... it's more about the culture than the repercussions. When reporting security incidents is associated with the positive stroke of making the organization more secure, the act of reporting is rewarded when appropriate action is taken. It makes the company as a whole more secure. It works better in the long term. What is essential is to establish formal, well-defined reporting mechanisms that maintain anonymity (if required) and enable corrective action.
No; rather, the culture of the organization should be one that actively supports the reporting of, and corrective response to, items that, without positive action, would result in whistleblowing activity. If the reported issues touch security, they should be brought to the CISO for review, and changes made to either reduce or eliminate that risk to the company, the brand, and the people involved.
I think CISOs should create a culture where it's not whistle-blowing, it's just reporting security events.
Not without guidance from your legal department. There are serious legal and regulatory considerations specifically against whistleblower backlash that can incur serious penalties. This is really a legal question, not a CISO-driven decision.
No, the CISO should create an environment where security incidents and corrective actions are reported on a timely basis.