CSO magazine had a great article some time ago that I came across again entitled, How Not to Hire an Information Security Officer Who’s on Parole. After it describes some true-life hiring horrors, it provides some good points to remember about hiring:
- Require basic background checks for everyone, permanent and temporary.
Even companies that are religious about checking out permanent staff often don't check the temps. Which group do you think is the higher risk? So why don't they check them? Sometimes a simple Google search (I also recommend pipl) will do.
Before I interview anyone, I always search what the Internet has on them. I remember one DBA who had recently been evicted from her apartment (this was many years ago, before the economy sank).
- Require a deeper level of background checks on those who will have higher positions of trust (admins, security pros, auditors, people with access to cash or critical financial accounts, trade secrets, etc.).
No background checks were done on me when I was a systems or network administrator or even when I was a CSO for a Fortune 500. And none have ever been done when I've audited companies, with two exceptions (I know this because I was never asked to sign such a release).
Both of the exceptions were for consulting work. The first was for a consulting firm that was never able to place me; the second was for one of the firms at which I was placed by a different consulting firm that never checked my background.
In my mind, auditors should be scrutinized as much as or more than admins or security pros, because auditors are granted access to everything. Meanwhile, admins and security pros know a lot of ways to get around controls or break security software.
But when you have auditors who are former admins and security pros, that's a dangerous combination: a person who has access to everything (including how the controls work, network diagrams, and all the security configs) and knows how to dig into networks, servers, and applications. The funny part is that it's all detailed on the auditor's resume, but consulting firms and hiring managers can't add 1 + 1 until it's 2 late.
- Ensure the hiring policy is specific about what information in a background check will disqualify a person from certain jobs.
- Ensure the hiring policy requires an updated background check every 3 or so years for those with higher positions of trust.
Like presidents, people change. Usually not overnight, but over a period of time as events, opportunities, skills, and stupidity accumulate. Background checks need to be updated occasionally.
Remember: Whenever you sign a release for a background check, always ask for a copy; you should not be refused. Not only will it give you an outsider's look at yourself, you might find some data that needs to be refuted. Getting a copy will also indicate how deep the check went into your background.
Have any good stories to share about hiring mistakes or background checks? Leave a comment.