When you consider how potentially harmful the insider threat is to any company or government organization, it becomes painfully clear how crucial it is to avoid making a bad IT hiring decision. So what can you do to give your company the best possible chance of preventing a bad IT hire from ever getting close to your systems?
According to Susan Carnicero, a former CIA security officer and an expert in deception detection and employment screening, the answer lies in taking a "whole-person" approach to the hiring process that includes a security focus. Carnicero made that point as a speaker at last week's 5th Annual North Carolina Higher Education Safety E-Symposium at East Carolina University in Greenville. The event was co-sponsored by QVerity, a security company that conducts employment screening and provides training and consulting in the detection of deception and interviewing techniques. Carnicero is a founding partner of QVerity, and in the interest of full disclosure, let me note right up front that I'm also a partner in the company.
In her presentation, Carnicero said companies tend to focus on "screening in" people who have specific skills and experience that meet the needs of the company, without an equally strong emphasis on "screening out" people who bring with them what she calls "lethal factors and characteristics" that could harm the company.
According to Carnicero, a company should determine what characteristics it considers to be lethal (typically such negative qualities as dishonesty or intolerance), and employ a methodology to screen people who exhibit those qualities out of the candidate pool.
Carnicero has conducted thousands of interviews, from polygraph examinations for the CIA to screening interviews of candidates applying for employment with the federal government. I asked her whether a single lethal characteristic identified during the hiring process is a deal killer, regardless of a candidate's qualifications. She said it depends on the company doing the hiring:
For some, it's one and done - it doesn't matter what skills and qualifications they have. In my particular situation [screening candidates for the federal government], I would have to see what that lethal characteristic was. But for the majority of people I do interviews for, if there's that one lethal characteristic, they're out.
Carnicero also stressed the importance of including representatives from the company's security operation in the development of a screening and hiring plan:
Because we come from the government, we think security should play a much bigger part. In the private sector, they're looking at skills and experience; we're trying to talk to them about looking more at suitability. Security [professionals] should play a role in your hiring and screening process, because they are the ones who really recognize the significant issues associated with some behaviors. They also really understand the underlying concerns about some of these suitability issues. A security person is going to have a much greater focus on the risks than an HR person will. HR looks at candidates from the standpoint of whether they're going to be able to do the job. A security person will ask, "What's the blowback going to be on the corporation if this person gets caught coming into the building with drugs?" They just look at things a lot differently.
I also asked Carnicero to address an issue I raised in my recent post, "Are Anti-H-1B Fanatics Prone to Workplace Violence?" In that post I referred to people who make direct and indirect online threats against those whose views they disagree with, something I have encountered fairly regularly over the years in my coverage of the H-1B visa issue. I cited a particular reader comment I'd recently received, which included predictions of an overthrow of the federal government and "violent death" to "traitors" as an example.
I asked Carnicero whether the discovery that a candidate had written such a comment would be a deal killer in the screening process. She said it would depend largely on whether the screening was for a position in the government or in the private sector:
Something like that in the government would more than likely be a disqualifier, simply because you've ranted about the government; you've put a threat out there; you're not rational in what you're saying. In the private sector, it would be hard to disqualify somebody just for that statement. You'd do a great deal more investigation, as you would in the government. Chances are this is not his only missive. Chances are he's done this sort of stuff before. If this was a pattern, it absolutely would disqualify him, private sector or public.
I asked Carnicero if she would be concerned that such a person would pose a threat of violence in the workplace. She said the person would certainly raise a red flag in that regard:
There's definitely a violent tendency here. You don't want violence in the workplace. Somebody who actually takes the time to sit down and write this and send it has time to rethink before he shoots it off. This is reaction. And reactions are generally pretty consistent across the board. You would do more investigation, but I would be concerned that this person has a violent tendency, yes. It goes back to why you need to have strong hiring and screening processes, so that you can see the kinds of stuff that these folks write.
Carnicero also said that people who are inclined to post hateful comments that disparage a particular group, even if they aren't threatening, also raise a red flag:
I would absolutely be concerned, from an employer's standpoint, because it shows a lack of tolerance. Racism is an issue. EEO [equal employment opportunity] complaints are issues - anything that has to do with dislike of any other population or culture is a problem in the workplace. In the government, [a person who posts such a comment] would be out of consideration. You would do more research, but that is probably not his only negative comment about another cultural group.