[ISN] How Not to Hire an Information Security Officer Who's on Parole

From: InfoSec News (alerts@private)
Date: Thu May 01 2008 - 02:00:15 PDT


By Anonymous
CSO Online
April 23, 2008

I was having lunch last week with the senior executive for one of the 
large agencies in the government organization where I work, when I asked 
about the agency's information security officer. I'd heard that the ISO 
had left his job rather quietly and quickly a few weeks earlier, but I 
hadn't been able to get a clear answer or reasonable explanation as to 
why. This isn't as strange as it may sound. Our government organization 
is very decentralized, and the agency ISOs don't work directly for me. I 
don't have any real authority over them other than to ensure they 
institute the enterprise security policies within their agencies (but 
that's a whole different story).

The senior executive told me that he'd been meaning to bring me up to 
speed on the situation but that it was very complicated, and after the 
ISO left, he didn't feel a sense of urgency to close the loop. Because 
the senior executive was relatively new in the position, he'd spent some 
time trying to get to the bottom of the whole situation himself. My 
antennas were now wagging in anticipation.

Here's the rest of the story. This employee had been quickly hired about 
a year ago to fill a critical vacancy. The agency was preparing for a 
couple of fairly extensive federal audits and also needed a security 
manager to mitigate some critical vulnerabilities from a recent 
vulnerability assessment and other new enterprise security requirements 
that I had recently initiated. This particular ISO quickly became one of 
the more proactive and effective security officers in the more than 20 
agencies in our government organization. In fact, he was one of the 
leaders whom I held up as an example to others because he took the 
initiative to stay in front of his agency's security problems.

Then one day about eight weeks ago, the HR director from this particular 
agency had received a call from a county probation officer, who said 
that one of his probationers was employed and had been lying to him. He 
was angry and told the HR director that he suspected this person had 
been lying to the agency as well.

Guess who the employee was.

Oops, We "Forgot"

This revelation was a bit of a shock to both the HR director and the 
senior executive, because they weren't even aware that the employee had 
legal problems, let alone that he was on probation. He was, after all, 
just the information security officer! After some investigation and 
discussion with the probation officer, they discovered that after being 
convicted of felony embezzlement, this employee had been released from 
prison mere weeks before being hired as a public servant in this public 
agency. OK, fellow CSOs and CISOs, can you see where this is headed? Are 
you beginning to perspire?



This archive was generated by hypermail 2.1.3 : Thu May 01 2008 - 02:07:43 PDT