How Not to Hire an Information Security Officer Who's on Parole
After learning that HR "forgot" to do a background check on a security staffer with a felony record, a leader reexamines his organization's policies
April 23, 2008 — CSO —
I was having lunch last week with the senior executive for one of the large agencies in the government organization where I work, when I asked about the agency's information security officer. I'd heard that the ISO had left his job rather quietly and quickly a few weeks earlier, but I hadn't been able to get a clear answer or reasonable explanation as to why. This isn't as strange as it may sound. Our government organization is very decentralized, and the agency ISOs don't work directly for me. I don't have any real authority over them other than to ensure they institute the enterprise security policies within their agencies (but that's a whole different story).
The senior executive told me that he'd been meaning to bring me up to speed on the situation but that it was very complicated, and after the ISO left, he didn't feel a sense of urgency to close the loop. Because the senior executive was relatively new in the position, he'd spent some time trying to get to the bottom of the whole situation himself. My antennas were now wagging in anticipation.
Here's the rest of the story. This employee had been quickly hired about a year ago to fill a critical vacancy. The agency was preparing for a couple of fairly extensive federal audits and also needed a security manager to mitigate some critical vulnerabilities from a recent vulnerability assessment and other new enterprise security requirements that I had recently initiated. This particular ISO quickly became one of the more proactive and effective security officers in the more than 20 agencies in our government organization. In fact, he was one of the leaders whom I held up as an example to others because he took the initiative to stay in front of his agency's security problems.
Then one day about eight weeks ago, the HR director from this particular agency had received a call from a county probation officer, who said that one of his probationers was employed and had been lying to him. He was angry and told the HR director that he suspected this person had been lying to the agency as well.
Guess who the employee was.
Oops, We "Forgot"
This revelation was a bit of a shock to both the HR directorand the senior executive, because they weren't even aware that the employee had legal problems—let alone that he was on probation. He was, after all, just the information security officer! After some investigation and discussion with the probation officer, they discovered that after being convicted of felony embezzlement, this employee had been released from prison mere weeks before being hired as a public servant in this public agency. OK, fellow CSOs and CISOs, can you see where this is headed? Are you beginning to perspire?