Security job candidate background checks: What you can and can't do

Enterprise cybersecurity begins with a trustworthy staff. Here's how to ensure that current and prospective team members aren't hiding any skeletons.

A virtual sphere of photos of individuals appears against a cityscape.
Metamorworks / Getty Images

Security team members are the principal defenders of enterprise cyber assets. It makes sense, then, to verify that current staffers and potential new hires aren't hiding secrets that could place essential systems and data at risk.

Unfortunately, conducting thorough and meaningful background checks isn't easy or straightforward. Even if an individual consents to a background investigation, regulations designed to protect staff and applicants from unwarranted snooping and employment practices can make it challenging to delve into an individual's personal, academic and professional history. Still, by asking the right questions and using just a few available tools, it's possible to detect someone who might someday do something to compromise enterprise cybersecurity.

What to learn from the interview process

Below are a few key questions that should be answered during the interview process.

Actions taken that affect security 
The goal of any background investigation is simple: to assess an individual’s trustworthiness. A subject's integrity must be firmly established prior to granting access to facilities, systems, and sensitive information.

A good way to begin the process is by simply asking the individual if he or she has ever taken any actions, intentional or accidental, that may have affected enterprise, system, or data security. "If a candidate or employee doesn't fully self-disclose an issue, or only discloses it when confronted, it raises doubt concerning their judgment, trustworthiness, and reliability," says Jim Onusko, strategic federal solutions director for LexisNexis Risk Solutions and a former acting director at the US Office of Personnel Management. "This is especially true if they intentionally omitted adverse information on a questionnaire or haven't complied with established reporting requirements."

Demonstrated behavioral skills
A strong trustworthiness indicator is whether an individual possesses the necessary behavioral skills to join a security team. "Employees, even when working remotely and independently, need to display behaviors that are a strong fit with the culture and expectations of the organization or they will eventually become a liability, a resource drain, and a demotivating element within their team," explains Lisë Stewart, a principal at accounting and business advisory firm EisnerAmper. Therefore, when checking the background of any current or prospective security staffer, it's always a good idea to investigate how current and past colleagues view the individual.

As a rule of thumb, someone who gets along well with management and co-workers, is a good communicator, and is committed to their work, is far more likely to be committed to enterprise security than a loner or complainer. "A mistake that's commonly made, particularly when hiring people in high tech roles, is putting all the emphasis on their technical skills," Stewart says. "In reality, we're more likely to fire an employee because of their behaviors, rather than their technical ability, much of which can be taught."

Approach to handling security challenges
Ryan Schonfeld, CEO of security monitoring and management firm RAS Watch, stresses the importance of holding earnest discussions with current and prospective team members. "Take the time to find out how they’ve approached security challenges in the past—are they focused on traditional methods, or do they look toward more modern efforts?" he advises. "If you take this approach when you hire someone, you will know who they are, not just what they put on their application and resume."

What you can’t ask a security candidate

Since security team members hold positions of immense trust, it can be frustrating when legal prohibitions limit the types of questions employers can ask, particularly anything regarding a candidate's human rights. "You're not able to ask about lifestyle, age, marital status, disabilities, religion, and so on," Stewart warns.

A mistake frequently made during the COVID-19 pandemic, usually directed at women planning to work from home, is asking how children will be managed during the workday. "While the employer may be concerned ... about an applicant’s home environment, child-care plans cross the line and can be seen as discriminatory," Stewart explains. "A better way to explore this issue might be to ask: "Do you envision any barriers to being able to perform this role during the hours indicated?”

Perform an effective, compliant background check

Employers must carefully follow proper steps before launching a background check on an employee or job applicant. An organization must, for instance, disclose that it will likely use a consumer credit report and other background resources to help it make decisions during the investigation. The disclosure document must be presented to the individual in writing and in a standalone format—it can't be part of an employment application. In general, all enterprises must comply with all Fair Credit Reporting Act (FCRA) and US Equal Employment Opportunity Commission (EEOC) requirements, as well as relevant state mandates.

As the background check gets underway, the enterprise is obligated to strive for maximum accuracy. "This means checking publicly available documents, such as criminal and civil court records, verifying employment with prior employers, or validating a degree obtained from a university," explains David Garcia, CEO of recruitment background check firm ScoutLogic. Meanwhile, a growing number of organizations are examining social media to learn more about current and prospective security team members. "It's important to have a corporate policy that guides this process, so these efforts are controlled and applied equally," Schonfeld advises.

Biometric data-check technologies, such as fingerprinting, retina, and hand scans, and facial geometry and voice recognition, are permissible as long as the subject agrees to their use. These stringent security measures can also be used in combination with passwords and other identity verification methods to limit access to specific levels of enterprise systems and data.

Six steps to complete background verification 

Joseph Ferdinando, founder of BuildingSecurity, a security firm specializing in protecting personnel, systems, and equipment, sees an effective background check having these six steps:

  1. Reference check: A reference check should confirm, with applicant-supplied sources, all information listed on the individual's application or resume.
  2. Identity confirmation: This validates the individual's identity and confirms that basic personal information has not been misrepresented. A birth certificate, driver's license, passport, or other official document can be used to provide identity proof.
  3. Court record check: A thorough court record check establishes that the individual isn't hiding any past wrongdoings.
  4. Address corroboration. Someone who fails to provide a genuine street address is likely trying to hide something. When corroborating an address, it's important to confirm that the location is the individual's real home and not the residence of a friend or relative or a commercial mail drop.
  5. Education verification: This step confirms the authenticity of a degree, diploma or certificate, as well as the accuracy of claimed courses, grades and honors.
  6. Database check. Scanning country-specific and global databases can reveal if an individual has been involved in any activities linked to fraud or other types of crimes. A database check can also expose if the subject has ever had any links to organized crime or if they hold a risk related to legal, reputation, or compliance areas.

Onusko believes that it's ultimately up to CISOs to use the resources at hand to ensure that their teams are loyal and trustworthy. "In today’s emerging digital world, embracing the latest technology to ensure identity verification, detection of counterfeit documentation, and identifying questionable behavior in digital spaces are key factors," he says.

Copyright © 2021 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)