Avoid Hiring Paroled Auditors and CSOs

CSO magazine had a great article some time ago that I came across again entitled, How Not to Hire an Information Security Officer Who’s on Parole. After it describes some true-life hiring horrors, it provides some good points to remember about hiring:

  • Require basic background checks for everyone, permanent and temporary.

Even companies that are religious about checking out permanent staff don’t check the temps. Which group do you think is the higher risk? So why don’t they check? Sometimes a simple Google search (I also recommend pipl) will do it.

Before I interview anyone, I always search what the Internet has on them. I remember one DBA that had recently been evicted from her apartment (this was many years ago, before the economy sank).

  • Require a deeper level of background checks on those who will have higher positions of trust (admins, security pros, auditors, people with access to cash or critical financial accounts, trade secrets, etc.).

No background checks were done on me when I was a systems or network administrator or even when I was a CSO for a Fortune 500. And none have ever been done when I’ve audited companies, with two exceptions (I know this because I was never asked to sign such a release).

Both of the exceptions were for consulting work. The first was for a consulting firm that was never able to place me; the second was for one of the firms at which I was placed by a different consulting firm that never checked my background.

In my mind, auditors should be scrutinized as much or more than admins or security pros because auditors are granted access to everything. Meanwhile, admins and security pros know a lot of ways to get around controls or break security software.

But when you have auditors who are former admins and security pros, that’s a dangerous combination: a person who has access to everything (including how the controls work, network diagrams, and all the security configs) and knows how to dig into networks, servers, and applications. The funny part is that it’s all detailed on the auditor’s resume, but consulting firms and hiring managers can’t add 1 + 1 until it’s 2 late.

  • Ensure the hiring policy is specific about what info in a background check will disqualify a person from certain jobs.
  • Ensure the hiring policy requires an updated background check every 3 or so years for those with higher positions of trust.

Like presidents, people change. Usually not overnight, but over a period of time as events, opportunities, skills, and stupidity accumulate. Background checks need to be updated occasionally.

Read the full article here. Also, if you’re in audit or security and you don’t subscribe to CSO mag, you’re making a mistake. It’s free.

Remember: Whenever you sign a release for a background check, always ask for a copy. You won’t get refused. Not only will it give you an outsider’s look at yourself, you might find some data that needs to be refuted. Getting a copy will also indicate how deep the check went into your background.

Have any good stories to share about hiring mistakes or background checks? Leave a comment.

Filed under Audit, Employment, How to..., Security

4 responses to “Avoid Hiring Paroled Auditors and CSOs”

  1. There was a case a couple of years ago where SAICA (South African Institute of Chartered Accountants) awarded a bursary to a convicted rapist. (He managed to get 7 As in his matriculation exams.) The argument put forth was that rape, unlike fraud, does not impact an auditor’s ability to carry out a proper audit. The decision did not go down well with some people, while others were of the opinion that even convicts deserve a chance to redeem themselves.

  2. AFAIK, he was convicted of statutory rape. (He claimed it was consensual.) So idk. The problem is SA has a shortage of skilled labour, especially chartered accountants… so I guess it all comes down to supply and demand.

    • ITauditSecurity

      Thanks for the follow up, aimzy waimzy. I guess an employer will have to determine whether it wants to accept the risk. I do believe in giving people the chance to redeem themselves, but I’m still not sure about this one. Supply and demand often trumps all kinds of issues, no doubt.
