Tips on Detecting Deception in Your IT Organization

    If you had to identify one characteristic that’s more important than any other for an employee in your IT organization to possess, what would it be? Creativity? Resourcefulness? Brilliance? You can rattle off admirable traits from now till the cows come home, but you’ll never come up with one that’s more essential than this one: trustworthiness.

    No matter how you slice it, trustworthiness — or you can just as easily think of it as truthfulness or honesty — is the foundation of every other quality or virtue you could wish for in a coworker. That reality has really crystallized for me over the course of the past month, as I’ve had the chance to speak with media outlets and others about the book I co-wrote with some colleagues from the intelligence community, “Spy the Lie: Former CIA Officers Teach You How to Detect Deception.” It’s been kind of surreal, because the book became a New York Times bestseller within a few days of its release on July 17, and when it hit the No. 10 spot on Amazon (ahead of “The Hunger Games,” if you can wrap your head around that), we knew we’d struck a pretty huge chord.

    And nowhere does that chord resonate more loudly than in an IT shop, where the keys to the organization’s vital information assets are held. I’m well aware that the seriousness of the internal threat is lost on very few people reading this blog, so there’s not a great deal of value I can add by pontificating on that. What might be of some use, however, is to consider what steps you can take if the security of your systems is breached internally. At or near the top of that list has to be identifying the perpetrator, so a repeat performance can be avoided.

    Typically when an internal security breach occurs in a small- or medium-size business, there are relatively few people with the system access that would make them suspects. If your position is one that requires you to speak with these individuals in the damage mitigation process, your task is not an enviable one. So a few tips might be in order.

    Obviously, there’s no way for me to provide any sort of comprehensive overview here of what we present in “Spy the Lie.” But what I can do is convey two essential ideas that you should bear in mind if this situation ever arises.

    First, it’s absolutely essential that your encounters with the employees you question be non-confrontational. Your goal in speaking with each individual is to obtain truthful information, and your chances of obtaining it drop dramatically if the encounter is adversarial. A calm, understanding demeanor creates an environment in which the individual can respond to your questions and give you what you need without the ordeal of a conflict, and the individual is able to leave the encounter with his dignity intact.

    Second, it’s equally essential that you ask the right questions, the right way. We devote a great deal of attention to this topic in the book, but I can convey the thrust of the idea by presenting a simple scenario.

    Let’s say a new laptop went missing from a storeroom the day before. Sam is one of five people who had access to the storeroom, which they rarely have occasion to enter. Suppose you begin your encounter with Sam by asking, “Do you know anything about the missing laptop?”

    Now, if Sam stole it, and he has made the decision that he’s going to lie about it, he was prepared for that question, and he has a ready response for it: “No.”

    You’ve gotten nowhere. Suppose, instead, you ask, “Sam, what happened yesterday?” If Sam is innocent, he’s likely to respond immediately with something like, “All I know is one of the new laptops was stolen.” If he’s guilty, he has to process the question. He has to try to figure out what you might know, and determine how that will impact his game plan. And that will take some time.

    This type of question is a presumptive question — one that presumes something related to the matter under discussion. In this case, the presumption is that Sam has some information about the stolen laptop that he hasn’t shared.

    Suppose you follow up by asking, “Sam, is there any reason anyone would tell me you were in the storeroom around the time the laptop went missing?” Innocent Sam isn’t bothered by the question. But guilty Sam is probably uttering a silent expletive. His mind starts racing as he tries to remember whether there was any chance he might have been seen. Finally, he attempts to cover himself: “Now that you mention it, sometimes I do go into the storeroom just to look around, and I probably wandered in yesterday.” Of course, that doesn’t tell you that Sam stole the laptop, but you’ve placed him at the scene of the crime. You know you have more work to do with Sam.

    The second question was a bait question — one that establishes a hypothetical situation and is designed to trigger a mind virus in a deceptive person. Presumptive and bait questions are extremely powerful, but care has to be taken that they not be overused in a single encounter, and that they’re delivered in a very neutral, matter-of-fact manner.

    If you have any questions or comments about any of this, I’d value hearing from you.

    Latest Articles