In a post I wrote last year titled, "Insider Threat Likely More Pervasive Than You Think," I cited an article on Computerworld that did a great job of demonstrating that the likelihood that you have a bad apple among your IT workers is likely much higher than you suspect. So it's important to consider what you can do to prevent those bad apples from dropping into your organization in the first place.
In that post, I made an observation about how essential it is to avoid adversarial relationships in order to help minimize the insider threat:
Adversarial relationships are unhealthy, and companies need to be much more willing to consider how their actions impact the lives of their employees, and how those actions might compel their employees to engage in uncharacteristic behavior.
In fact, the need to avoid adversarial relationships begins at the pre-employment screening stage, and should be core to a company's interviewing process. In our forthcoming book, "Spy the Lie: Former CIA Officers Teach You How to Detect Deception," those former CIA officers and I have elaborated on this advice. In this excerpt from the book, "Phil" is Phil Houston, the 25-year CIA veteran who developed the deception-detection model we're teaching:
When word of the effectiveness of the model began to spread through the CIA, a senior Agency officer came to Phil and said he wanted to see firsthand how it works. The senior officer chose to sit in on a screening interview that Phil conducted with a young man who was applying for a position as a contractor. As Phil proceeded with his questioning, he identified behaviors that led him to probe more deeply into certain areas to elicit more information. Before long, the applicant admitted to being a recreational drug user, and said he used marijuana and cocaine on a fairly regular basis. As the interview progressed, he admitted that he was also an occasional drug dealer. In fact, he said he had made a profit of about $1,500 on the sale of some coke just within the past several weeks. He went on to admit that he had stolen a stereo system worth about $500 from a local retailer, and that he had broken his girlfriend's collarbone during an argument about six months earlier.
When the 30-minute interview ended and the applicant was leaving, he turned to Phil and asked, "When will I know if I've gotten the job?" Phil glanced over at the senior officer, who had an incredulous look on his face. Phil suppressed a grin. "It shouldn't be more than a couple of weeks," he said. "We'll be in touch."
What the senior officer observed was not only the effectiveness of the model in obtaining truthful information, but that it's implemented in a way that's totally non-confrontational, with no one feeling belittled, and without putting the interviewer or his organization in harm's way. The idea is that when the individual walks out, he's given you what you wanted, and he feels good about what he's done, because he doesn't see you as an adversary. You've simply helped him to do the right thing, and he's maintained his dignity.
Houston explains that the very same technique is used with equal effectiveness regardless of whether the interviewee is a job applicant, a terrorist or a suspected spy. When you consider how much damage a rogue employee on the inside can do, using techniques that have proven to be effective in minimizing some of the most serious threats imaginable isn't a bad idea.