Tips on Detecting Deception in Your IT Organization

Don Tennant

If you had to identify one characteristic that’s more important than any other for an employee in your IT organization to possess, what would it be? Creativity? Resourcefulness? Brilliance? You can rattle off admirable traits from now till the cows come home, but you’ll never come up with one that’s more essential than this one: trustworthiness.

No matter how you slice it, trustworthiness — or you can just as easily think of it as truthfulness or honesty — is the foundation of every other quality or virtue you could wish for in a coworker. That reality has really crystallized for me over the course of the past month, as I’ve had the chance to speak with media outlets and others about the book I co-wrote with some colleagues from the intelligence community, “Spy the Lie: Former CIA Officers Teach You How to Detect Deception.” It’s been kind of surreal, because the book became a New York Times bestseller within a few days of its release on July 17, and when it hit the No. 10 spot on Amazon (ahead of “The Hunger Games,” if you can wrap your head around that), we knew we’d struck a pretty huge chord.

And nowhere does that chord resonate more loudly than in an IT shop, where the keys to the organization’s vital information assets are held. I’m well aware that the seriousness of the internal threat is lost on very few people reading this blog, so there’s not a great deal of value I can add by pontificating on that. What might be of some use, however, is to consider what steps you can take if the security of your systems is breached internally. At or near the top of that list has to be identifying the perpetrator, so a repeat performance can be avoided.

Typically when an internal security breach occurs in a small- or medium-size business, there are relatively few people with the system access that would make them suspects. If your position is one that requires you to speak with these individuals in the damage mitigation process, your task is not an enviable one. So a few tips might be in order.

Obviously, there’s no way for me to provide any sort of comprehensive overview here of what we present in “Spy the Lie.” But what I can do is convey two essential ideas that you should bear in mind if this situation ever arises.

First, it’s absolutely essential that your encounters with the employees you question be non-confrontational. Your goal in speaking with each individual is to obtain truthful information, and your chances of obtaining it drop dramatically if the encounter is adversarial. A calm, understanding demeanor creates an environment in which the individual can respond to your questions and give you what you need without the ordeal of a conflict, and the individual is able to leave the encounter with his dignity intact.

Second, it’s equally essential that you ask the right questions, the right way. We devote a great deal of attention to this topic in the book, but I can convey the thrust of the idea by presenting a simple scenario.

Let’s say a new laptop went missing from a storeroom the day before. Sam is one of five people who had access to the storeroom, which they rarely have occasion to enter. Suppose you begin your encounter with Sam by asking, “Do you know anything about the missing laptop?”

Now, if Sam stole it, and he has made the decision that he’s going to lie about it, he was prepared for that question, and he has a ready response for it: “No.”


You’ve gotten nowhere. Suppose, instead, you ask, “Sam, what happened yesterday?” If Sam is innocent, he’s likely to respond immediately with something like, “All I know is one of the new laptops was stolen.” If he’s guilty, he has to process the question. He has to try to figure out what you might know, and determine how that will impact his game plan. And that will take some time.

This type of question is a presumptive question — one that presumes something related to the matter under discussion. In this case, the presumption is that Sam has some information about the stolen laptop that he hasn’t shared.

Suppose you follow up by asking, “Sam, is there any reason anyone would tell me you were in the storeroom around the time the laptop went missing?” Innocent Sam isn’t bothered by the question. But guilty Sam is probably uttering a silent expletive. His mind starts racing as he tries to remember whether there was any chance he might have been seen. Finally, he attempts to cover himself: “Now that you mention it, sometimes I do go into the storeroom just to look around, and I probably wandered in yesterday.” Of course, that doesn’t tell you that Sam stole the laptop, but you’ve placed him at the scene of the crime. You know you have more work to do with Sam.

The second question was a bait question — one that establishes a hypothetical situation and is designed to trigger a mind virus in a deceptive person. Presumptive and bait questions are extremely powerful, but care has to be taken that they not be overused in a single encounter, and that they’re delivered in a very neutral, matter-of-fact manner.

If you have any questions or comments about any of this, I’d value hearing from you.



Add Comment      Leave a comment on this blog post
Sep 5, 2012 2:27 PM R. Lawson R. Lawson  says:
The majority of the "deception" I come across in daily life isn't some vast conspiracy, but the massaging of data to present things in a better light. From ROI calculations to time-to-completion estimations, data seems to often be framed in a manner that supports what we desire as opposed to reality. In IT we desire a huge ROI on a project, so the numbers are inflated or presented as the best case scenario as opposed to the likely scenario. And I guess in today's political season, we are bombarded with lies or deceptions daily from both sides. Politicians feel free to lie, industry groups, lobbyists, and think tanks all routinely lie. We even see people today claiming to be academics or inflating their credentials to elevate their status. We are surrounded by lies. If our lives weren't so influenced by these lies, I would probably just roll my eyes and let it go. But policy and business decisions where money, jobs, and reputations are on the line don't allow us to simply ignore them. I guess my biggest complaints about the liars is how the media will catch them in a lie, but allow them to continue the spread of their lies. Why is this? Reply
Sep 5, 2012 2:28 PM R. Lawson R. Lawson  says:
It's a great book, I've enjoyed reading it. I knew it was doing well, but to be up against Hunger Games!!! That is fantastic. Reply
Sep 6, 2012 11:18 AM Don Tennant Don Tennant  says: in response to R. Lawson
Thanks, Roy. It was only briefly that we rose above Hunger Games, but we were there ... glad I had the presence of mind to take a screen shot ... Reply
Sep 10, 2012 9:55 AM Dieter Georg Dieter Georg  says:
Many years ago I got interested in NLP, specifically ability to read people's mind processing via their eyes, as I found it to be very useful in meetings and work related interviewing of people. While I don't believe NLP is the sinister tool (aka CIA) or mind manipulation (aka ExWife) it is made out to be, learning how people process information or questions by watching their eyes and body language, then being able to follow-up and/or drill-down with even more specific questions to get to the truth (and beyond deception - or in case of IT, exaggeration ;) was extremely helpful throughout my career as an IT consultant (especially when doing technology due diligence for VCs and M&As). Reply
Sep 12, 2012 5:33 AM Alex Alex  says:
Though the topic of this article would promise a valuable set of tips indeed, the execution is little more than a shameless book plug. Reply

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.