Those tasked with managing risk throughout the enterprise who follow my blog postings will be familiar with a theme I stress often regarding information security best practices: "An ounce of prevention is worth a pound of cure."
Practitioners and managers responsible for enterprise risk management can apply this principle to all of their decision-making, whether they are making new technology purchases, implementing new policies or, perhaps most importantly, hiring new people.
A rogue employee in government can do far more damage than one in other sectors, because government systems touch critical infrastructure and the consequences can be a matter of life or death.
We have all read about the organizational harm that results from the actions of a disgruntled or rogue employee and how those actions can compromise cybersecurity. With insider threats near the top of every information security manager's list of concerns, there is a way to help minimize the risk of employees going rogue at the earliest possible stage: the interview.
As an IT manager for over 15 years, I had many opportunities to interview candidates, and, fortunately, no one I hired ever went rogue in the sense of acting with malicious intent. But circumstances change over the years, and economic, political and professional pressures affect people differently. Hiring personnel need to be increasingly aware of how a candidate sees themselves in relation to life's circumstances and how well they are able to cope.
The federal government needs to greatly increase its hiring of cyber professionals to meet unprecedented demand for people in this field, but let's not forget that haste makes waste. In the rush to hire qualified people, we must avoid candidates who are noticeably susceptible to life's pressures and who may behave unpredictably as a result.
Here are some basic red flags government hiring managers should look for during an interview:
- Does the candidate appear overly stressed about the economy or their family's current financial situation?
- When asked, "If I call your former employer, what will they say about you?" or "What will we find in your background check?", how does the candidate respond? Do these questions visibly raise the candidate's anxiety level?
- Has the candidate ever been required to subscribe to a code of ethics? A candidate who holds a certification in good standing was likely required to subscribe to one in order to become certified. Ask whether their ethics have ever been questioned.
- What is the candidate's opinion of hacking? Do they see it as a case of the ends justifying the means? What is their perspective on security testing in general?
- Review the candidate's employment history closely to see how quickly they have moved up the ladder. Just how ambitious do they appear?
Equally important to spotting red flags during an interview is completing a due-diligence checklist and making sure you are fully comfortable with the information you uncover about a candidate.
The government's security clearance process, in use for decades, is an excellent model for uncovering a candidate's potential areas of compromise, but its expense is prohibitive and its use is typically limited to sensitive positions.
For all other environments, I recommend checking the following:
- Conduct background checks and credit checks. If background checks are not budgeted, find the budget to support a thorough check conducted by a reputable company.
- Online searches. With the power of today's search engines, it is very difficult to hide behavior and opinions. If a candidate's name returns a breadth of related content, take the time to read several pages of results deep, and confirm that the results actually refer to the candidate rather than to someone with the same name.
- YouTube videos. Nearly every mobile device is a handheld video camera. While candidates may not tag themselves in questionable videos, their friends and associates often do, making related video content easy to find.
- Social networks. Sites such as LinkedIn, Facebook and Twitter can reveal information that was not disclosed on a resume, or can verify that what a candidate tells you matches what they tell the rest of the world. Accountability is key.
- Verify certifications. Confirm that the candidate actually holds the certification(s) they claim. As the world's largest certifying body, we encourage anyone seeking to hire our members to verify their credentials, and other certifying organizations should encourage the same. To verify an (ISC)2 credential holder, use the verification page on isc2.org.
Finally, even if you have never had an employee go rogue, you will likely expend a lot of time and energy on personnel you once believed were strong hires, only to find that they misrepresented their personality, their ability to work as part of a team or their capacity to adapt to organizational change.
These people will ultimately face termination if they refuse to take direction, and that too represents an increased risk to the organization if you do not have a security-minded termination process in place. Not sure whether your agency's process is security-minded? Keep an eye out for my upcoming advice on the security measures critical to an organization's termination policy.
W. Hord Tipton is executive director of (ISC)2, the world's largest non-profit body for certifying information security professionals; he is also the former Chief Information Officer of the U.S. Department of the Interior and a recipient of the President's Distinguished Rank Award. He writes regularly for Breaking Gov and serves on its board of editorial advisors.