Undercover
How Not to Hire an Information Security Officer Who's on Parole
After learning that HR "forgot" to do a background check on a security staffer with a felony record, a leader reexamines his organization's policies
By Anonymous
While my first thought was, Are you kidding me? my first question to the senior executive was, "Do you have a policy for conducting background investigations, and do you follow it?" The answers were "Yes" and "Usually." In the haste to get someone hired, a former HR staffer had simply forgotten the background check portion of the hiring process. There was obviously no checklist to make sure that all components of the process were completed.
One of the most important things an organization can do during the hiring process is to conduct a background check. This is especially critical for those in positions that require a high degree of integrity and ethics. It does all of us a great deal of harm to have someone in our midst who causes our credibility to be questioned. I also believe that we should raise that bar for employees who hold a position of trust or have access to critical systems and information—employees such as information security officers. Background checks won't necessarily eliminate fraud or ethically challenged employees, but the process might lead us to ask some hard questions before actually hiring a person, or at least give us some insight into his or her prior work or personal history.
Hiring Horrors
We've all heard the statistics that somewhere around 50 percent of all information security incidents are caused by the insider threat. These aren't all malicious in nature, of course, but a substantial number of them are. A number of recent cases make the hair on the back of my neck stand up, including:
The woman who thought she was going to be fired from her job at an architectural firm, so she deleted seven years' worth of architectural blueprints and drawings estimated to be worth $2.5 million.
The guy who planted a logic bomb on the St. Cloud (Minnesota) Hospital computer system that activated several months after his departure, disabling the program he had created.
The Georgia state agency worker who was charged in 2005 with computer intrusion and theft after accessing Georgia drivers' license files outside of work hours and without authorization.
The former DuPont scientist who pled guilty to theft of trade secrets. After discovering that the scientist was the second most active user of the company's database, DuPont found that he had accessed thousands of documents with the intent of giving them to a competitor.
Would a background check have turned up something to make any of the employers question the morals or ethics of these employees? Maybe or maybe not, but at least the companies could have answered with a straight face questions about how well they vetted the employees.