The Security Job Search: Something's Gotta Give

When last we met (in the January column), I was regaling you with the tale of my ever-so-intriguing job interview for a CSO position. Having been grilled by a particularly spirited "selection committee," I had headed home to do some serious soul-searching. Between you and me, I wasn't even sure I wanted this job.

But as months passed without a word from the committee, I realized that the choice wasn't totally mine to make. I hadn't seen eye-to-eye with the VP in HR—I was critical of his reluctance to do background checks and hinted that the company's encounter with workplace violence may have been related to that—and I was now convinced he had persuaded others that I was a loose cannon.

So you can imagine my surprise when, out of the blue, I got the call from the EVP of the company. "If you still want it, the job is yours," he said.

You know the feeling: When you don't have something, you want it badly, but then when you get it, you're suddenly not so sure. I decided I needed to slow down and take an inventory of what I was really getting myself into. "Uh, can I come back out there to talk with you and make sure we're on the same page?" I said, stalling for time.

"Good idea," he returned.

And it was a good idea. I had anticipated fireworks with several members of the selection committee, and as it turns out, the fireworks had already begun. The CSO position (or more specifically, putting me in the CSO position) had apparently been the focus of some intense conversations among committee members. The EVP wanted me to feel confident, however, that I was his clear choice. He assured me that the CEO had backed the decision. With that kind of clout behind me, he said, I'd have no trouble bringing about the changes that were long overdue.

"What's my biggest challenge?" I asked as we sat face-to-face at corporate headquarters.

"There are a helluva lot of self-serving prima donnas around here," the EVP told me candidly. "The senior manager in HR is very powerful..."

Righto, I thought. The HR guy had it out for me right from the start.

"...and he uses his influence on a number of others, including the legal counsel and chief auditor," he continued. "But the CEO and I agree. We think you're the right person for this job, and we're prepared to offer you a very handsome package in order to convince you to join us."

I was more than blown away by the offer, and the "package" made even my bride a believer. I accepted, and my new boss was delighted. "Welcome aboard!" he said, heartily. "And get ready to help us address some really important issues."

But I kept wondering if those important "issues" and the handsome "package" ought to be telling me something.

Star System

First week on the job and my relationship with the HR group is predictably hostile, reflecting the view of its leader. I've made no headway there. And the IT folks see security in a very isolated way; they have no time for us.

From a business perspective, there's no ownership for risk management anywhere that I can see. No policies. No structured expectations. Security is always somebody else's problem.

And then there are the Princes, the Esteemed Ones. The chosen few who soak up the bonuses while running roughshod over the little people. IT has its whiz kids. The sales group has its rainmakers. Elitism is a cultural phenomenon that management believes motivates, raises the bar and encourages excellence.

Top management is all about "making the numbers." And being a global player, we're faced with God-knows-how-many interpretations of the word ethics.

So I start to lay it out for my boss, the EVP, who stops me before I have a chance to begin. "Rather than tell it twice, let's go tell the CEO together," he says confidently.

Standing before them both, I sum up my findings. "First, our people have no clear understanding of your expectations about what it means to do the right thing. We have no policy infrastructure to guide training and behavior, so too many employees model the bad behavior of their bosses. And there's no accountability, so vulnerabilities go unattended. Finally, I suspect there's little buy-in for change because the rank-and-file see all the rewards going to a precious few. In my view, there could be a lot going wrong around here, but it's too dangerous to speak up."

They eye one another reluctantly. "Um, thanks, I guess," says the EVP.

"Well, you wanted him to tell it like he saw it," the CEO says back to him. Then he turns to me and asks, "So what now?"

Stark Realities

During the next few weeks, I work with the security team to help develop a program that engages the board and the CEO in sending a variety of messages to employees and managers regarding their accountability for managing risk and creating respectful workplaces. We then do a top-down review and rewrite our business conduct policies. Then we draft a training program for all managers and hold small group meetings to discuss expectations and encourage confidence. Finally, the old employee hotline is recrafted to support confidential reporting of employee wrongdoing or abuse.

HR is key to this whole program, but many of the HR managers have difficulty being overtly supportive. Many of these problems are on HR's plate, but the HR honcho is a favorite child and will probably be here long after I'm gone. I've found myself in some sort of a Shakespearean tragedy: the star system will provide my undoing.

Early one morning, an analyst who reviews hotline messages comes calling. It seems an anonymous tipster has alleged that the top salesman has been padding his T&E expenses. She knew his schedule and saw one of his expense forms. "If you're really serious about doing the right thing," she teases, "then you might want to take a look."

We quietly gather a year's worth of his forms for an in-depth audit. Which isn't that easy; don't forget, we had to request these documents through the disobliging chief auditor. I am pleasantly surprised when he (even if begrudgingly) concedes them.

Within a day, it's clear that virtually every report has fraudulent claims in the thousands of dollars. We find fabricated receipts for family trips that are plainly not related to business. He's put in for losses at casinos and fees for escort services. He even got subordinates to agree to cover his expenses on their own T&E forms, all with his approval. We stopped for a moment at the $335,000 mark just to catch our collective breath.

And then things get interesting.

Turns out this guy was a star hire of Mr. HR, who also happened to be one of the more frequent beneficiaries of this guy's entertainment largesse. And the EVP of sales, who approved the expense reports, is the personal protégé of the CEO and, in fact, is the CEO's selection for his own successor.


It is also noted with some melancholy that this Jesse James of sales has several of our anchor contracts on his watch. Moreover, it seems he never executed a nondisclosure or noncompete agreement on arrival.

We agree that he will be interviewed and confronted with our findings.

As You Like It

We meet at my office with another investigator at my side. Our sales hero comes alone, wielding an arrogant swagger. As we go through the items, he defends some allegations, blames his assistant for others and, when indiscretions are obvious, outright lies. Finally, he looks at his watch, gets up and advises, "I've better things to do than go through this absurd harassment."

As he leaves, I hear myself saying to his hindside, "I guess it's OK with you if we check everything from the last two years?"

I advise my boss where we are, and we call a meeting to lay out the findings to date and the perpetrator's obvious lack of candor throughout the interview.

CEO: "Have we made the T&E rules clear?"

Me: "The basics are clear. There is an affirmation of truth in the signing and a supervisory sign-off, but we haven't done a great job of defining the specifics of what is and isn't allowed. In this case, though, many of the items are well outside the most liberal definition of permissible."

EVP of Sales: "Well, he can explain a lot of this stuff. I trust him, and I will point out that he is personally responsible for 30 percent of our annual sales for the past three years...."

CEO: "Now there's a commitment to managerial oversight! And what of our ability to protect our proprietary information?"

VP of HR: "He's never signed a nondisclosure. He came to us with glowing reports."

CEO: "Did we do a background review?"

VP of HR: "Like I said, he came with glowing reports. I called a few of my colleagues and checked on prior comp. I'm uncomfortable delving further into personal histories."

CEO: "So where do we go from here?"

Me: "I'd guess this guy is done talking to us without a lawyer. As far as I'm concerned, he's a thief and liar who owes us several hundred thousand dollars. We owe him a ton of back comp on shares and current bonus that would more than cover what he's stolen. My recommendation would be to fire him and not pay him a dime of what's in the bank."

EVP of Sales: "That's easy for you to say. He walks off with a major portfolio of our revenue, and we sit here waiting for the other shoe to fall."

CEO: "Really? Don't be too sure about who's going to be sitting here when all this comes to a head."

Hmmm. Maybe I'm not going to be the tragic figure in this drama after all.


Copyright © 2004 IDG Communications, Inc.
