One man’s adventure into the interviewing process for a CSO position.
The call came in early one morning and made it through my usually protective security screen in part because of her particularly pleasant first-name request to speak with me. Without much of an intro, the caller got right to the point. “Would you be interested in the CSO job of the millennium?” she enquired.
After establishing that this wasn’t some nutcase, but instead a headhunter familiar to those in our trade, I decided to play. “Tell me more,” I answered.
So she laid it out as if she were offering me a winning lotto ticket. “With your credentials, you’d be a leading contender right out of the gate,” she cooed. “It’s for a company with a new CEO and CFO and a reinvigorated board concerned about integrity, data security, contingency planning. They recently had a very mean workplace violence incident,” she said.
I started thinking about the security-related news over the recent past to try and home in on the company. No feedback from the fog.
“So these people are serious about a really senior guy, but do they know what a CSO title is all about?” I wondered aloud.
“I’ve teed up the CSO bit with them, and it absolutely flies,” she told me. “They’re eager to make a statement about security in its broadest context. Are you interested?”
“If you’ve vetted this job and think they’re serious, then sure,” I told her. “But keep it totally confidential. I’m very satisfied here.”
“I’ll get back to you,” is how she left it.
I didn’t hear a thing for a few months. Then another call came early one morning. “Sorry I was silent but, to your point, I wanted to confirm they’re serious about this job,” she said. “I’ve put yours and a few other CVs before their selection committee.”
Oh great, a selection committee, I muttered to myself. But I was more controlled in my response. “And the answer is . . . ?”
“You’re in the catbird seat!” she said as though announcing an Academy Award nomination for best supporting actor. Hmmm. Let’s hope not. “They want to see you ASAP.”
I knew I’d have to put this to the wife, who agreed to move here on my pledge to sink an anchor into the ground.
Getting the Whys and Wherefores
My wife was predictably unenthusiastic. “You’re going where to do what?” she said without a hint of a smile. But the kids thought the new company was in an “awesome” area, and my own pathetic look must have led her to relent. “Go get this out of your system. But no promises!”
So I started doing some homework over the next several days, which revealed some interesting facts. First, the workplace violence incident had caused some focus on security. But from the business press, it looked as if a couple of the newer audit committee members had read the Sarbanes-Oxley tea leaves and wanted to play hardball. Other sources told me that the CEO and the executive vice president of administrative services wanted a higher-profile security exec to pull a more integrated program together. Or is it to take the heat? Note to self: Better make sure it’s the former.
When I arrive at the appointed hour and place, I’m immediately impressed with the initial approach. No star chamber, no apparent chairman. Just a comfortable room with everyone at one table. It’s clear that everyone has been well briefed on my background and experience. A good sign, I hope.
I learn that the committee is composed of the head auditor, the chief legal counsel, the senior vice president of HR, the CIO and the executive vice president of administrative services. These are my primary stakeholders, so I Do Not Pass Go if I blow it here.
CIO: “You don’t have a technical background, but you have information security in your current job. How do you do so without that experience?”
Me: “My employers expect me to be on top of the full range of risks in my playing field. They have given me the scope of risk oversight because we have discussed the linkages between the threats that confront global business today. That scope has come with an understanding that we need to have an information risk management capability with a team equal in strength to the risk we face in this area of business, which is significant. Our CISO has a clientele that wouldn’t give him the time of day without total confidence in his competence. We are partners with the business and our CIO. I’m the orchestra leader. He’s the principal soloist.”
CIO: “Would you propose that we have information security under you here?”
Me: “Not at this point, or maybe not at all. It’s far too early to say what model I’d propose here. A lot depends on what works in your culture, how service units can most effectively serve and lead here.”
Auditor: “Assuming you know about Sarbanes-Oxley, what role do you think security should play in our controls — if any?”
Me: “Frankly, most organizations haven’t taken enough time to think through a control model to create the most appropriate mix of players given the risk environment. I’m bullish on security being an equal partner in the governance team. Security is a lead player in addressing reputational risk with background vetting, third-party due diligence, internal investigations and vulnerability analysis. While not as headlined as audit, I think these are core processes in the evolving Sarbanes environment, which is about doing the right thing by our shareholders.”
CFO: “We’re in the process of identifying every dollar that contributes to or detracts from our being more efficient and productive than our competitors. Security represents a relatively large cost centre here, and still there’s a sense that we should be doing more. How would you propose to be a leader in cost management and containment?”
Me: “I would get a fresh assessment of the risks facing this company on a global basis and demonstrate to you that we have unmet priorities to address them. It’s incumbent upon the CSO to show that the company has a higher-likelihood set of threats for which it is unprepared and find the most cost-effective solutions he can, reduce costs if possible and then convince you that the new expense is worth it.”
CFO: “What if we shoot it down anyway?”
Me: “Hey, security is just one horse at the trough. My responsibility would be to make you aware of the risks and to propose solutions. You could always decide to accept the risk.”
HR: “We’ve had some issues with our security folks giving off a Big Brother sense to our employees. It doesn’t sit well in our culture and seriously impacts your department’s credibility. What would you do to restore confidence in security here?”
Me: “Well, given that dark assessment, I would make that a very serious first priority because everything else I’d likely want to do here will depend on bottom-up confidence in our functions. So I would meet with employees at all levels to find out how they’re feeling about our services, what we do well and not so well. I believe in being a very close business partner with human resources and legal, so I would really suss out their perceptions of our strengths and weaknesses. And I’d be looking at our team’s competencies for things such as relationship management and influence. The bottom line is: If you’re right, then this is a serious challenge. And I can’t be a success if we can’t turn this around.”
Chief Legal Counsel: “I was interested in your response about reputational risk. As I recall, you mentioned background investigations. But we don’t do them here, and I’d be curious why you think we should.”
Me: “Let’s start with the recent workplace violence case. Your local newspaper uncovered the information that the guy you fired for assaulting his supervisor had a long record of assaults, domestic violence, firings and substance abuse. That was easily and legally obtainable pre-employment information, and you didn’t even ask your job applicants for information that could be verified for such purposes. At my last two employers, one in five of all applicants had some material discrepancies in their personal history statements. In other words, they lied. Should you hire liars coming through the door? How would that look on the upper-right-hand corner of The Wall Street Journal? I’m an unabashed fan of background investigations — at the very least, for everyone in a ‘risky’ job. We can discuss that definition if you like.”
HR: “I’ve got to wonder if we aren’t better off not knowing what we don’t really need to know.”
Me: “The thing you’ve got to consider, with all the ethics issues before the public and regulators these days, is if the bar is being raised by your board and shareholders. Should you know about the integrity of your key people? Would there have been a different result if you had had a criminal history on this violent employee?”
The human resources guy’s body language speaks volumes. I sense I’ve peeled off a scab and started the bleeding anew. “This smacks of the goon squad approach I spoke of earlier,” he says. “Rather than addressing the culture and crisis in confidence, you’d propose we crank the hostility up a notch or two?”
EVP (while checking his watch and waving off the HR guy): “Uh, how would you propose to add value to this organisation?”
Me: “This recruitment process tells me that you’re thinking seriously about security’s place in the health of this company. You are raising the bar. I will add value when I measurably help this team address where that bar needs to be to proactively manage the risks we know and those we have yet to identify.”
It’s clear we’re done at this point. And as I’m saying my good-byes, I notice that the HR leader has already ducked out. I play it all back on the way home and decide I’ve either blown it big time or, if not, I will have to get ready for some fireworks if I take the position.
Playing for Time
Having been grilled by this particularly spirited “selection committee”, it was time to do some serious soul-searching. Between you and me, I wasn’t even sure I wanted this job.
But as months passed without a word from the committee, I realized that the choice wasn’t totally mine to make. I hadn’t seen eye-to-eye with the VP in HR — I was critical of his reluctance to do background checks and hinted that the company’s encounter with workplace violence may have been related to that — and I was now convinced he had persuaded others that I was a loose cannon.
So you can imagine my surprise when, out of the blue, I got the call from the EVP of the company. “If you still want it, the job is yours,” he said.
You know the feeling: When you don’t have something, you want it badly, but then when you get it, you’re suddenly not so sure. I decided I needed to slow down and take an inventory of what I was really getting myself into. “Uh, can I come back out there to talk with you and make sure we’re on the same page?” I said, stalling for time.
“Good idea,” he returned.
And it was a good idea. I had anticipated fireworks with several members of the selection committee, and as it turns out, the fireworks had already begun. The CSO position — or more specifically, putting me in the CSO position — had apparently been the focus of some intense conversations among committee members. The EVP wanted me to feel confident, however, that I was his clear choice. He assured me that the CEO had backed the decision. With that kind of clout behind me, he said, I’d have no trouble bringing about the changes that were long overdue.
“What’s my biggest challenge?” I asked as we sat face-to-face at corporate headquarters.
“There are a helluva lot of self-serving prima donnas around here,” the EVP told me candidly. “The senior manager in HR is very powerful . . .”
Righto, I thought. The HR guy had it out for me right from the start.
“. . . and he uses his influence on a number of others, including the legal counsel and chief auditor,” he continued. “But the CEO and I agree. We think you’re the right person for this job, and we’re prepared to offer you a very handsome package in order to convince you to join us.”
I was more than blown away by the offer, and the “package” made even my bride a believer. I accepted, and my new boss was delighted. “Welcome aboard!” he said, heartily. “And get ready to help us address some really important issues.”
But I kept wondering if those important “issues” and the handsome “package” ought to be telling me something.
First week on the job and my relationship with the HR group is predictably hostile, reflecting the view of its leader. I’ve made no headway there. And the IT folks see security in a very isolated way; they have no time for us.
From a business perspective, there’s no ownership for risk management anywhere that I can see. No policies. No structured expectations. Security is always somebody else’s problem.
And then there are the Princes, the Esteemed Ones. The chosen few who soak up the bonuses while running roughshod over the little people. IT has its whiz kids. The sales group has its rainmakers. Elitism is a cultural phenomenon that management believes motivates, raises the bar and encourages excellence.
Top management is all about “making the numbers”. And being a global player, we’re faced with God-knows-how-many interpretations of the word ethics.
So I start to lay it out for my boss, the EVP, who stops me before I have a chance to begin. “Rather than tell it twice, let’s go tell the CEO together,” he says confidently.
Standing before them both, I sum up my findings. “First, our people have no clear understanding of your expectations about what it means to do the right thing. We have no policy infrastructure to guide training and behaviour, so too many employees model the bad behaviour of their bosses. And there’s no accountability, so vulnerabilities go unattended. Finally, I suspect there’s little buy-in for change because the rank-and-file see all the rewards going to a precious few. In my view, there could be a lot going wrong around here, but it’s too dangerous to speak up.”
They eye one another reluctantly. “Um, thanks, I guess,” says the EVP.
“Well, you wanted him to tell it like he saw it,” the CEO says back to him. Then he turns to me and asks, “So what now?”
During the next few weeks, I work with the security team to help develop a program that engages the board and the CEO in sending a variety of messages to employees and managers regarding their accountability for managing risk and creating respectful workplaces. We then do a top-down review and rewrite our business conduct policies. Then we draft a training program for all managers and hold small group meetings to discuss expectations and encourage confidence. Finally, the old employee hotline is recrafted to support confidential reporting of employee wrongdoing or abuse.
HR is key to this whole program, but many of the HR managers have difficulty being overtly supportive. Many of these problems are on HR’s plate, but the HR honcho is a favourite child and will probably be here long after I’m gone. I’ve found myself in some sort of a Shakespearean tragedy — the star system will provide my undoing.
Early one morning, an analyst who reviews hotline messages comes calling. It seems an anonymous tipster has alleged that the top salesman has been padding his T&E expenses. She knew his schedule and saw one of his expense forms. “If you’re really serious about doing the right thing,” she teases, “then you might want to take a look.”
We quietly gather a year’s worth of his forms for an in-depth audit. Which isn’t that easy — don’t forget, we had to request these documents through the disobliging chief auditor. I am pleasantly surprised when he (even if begrudgingly) concedes them.
Within a day, it’s clear that virtually every report has fraudulent claims in the thousands of dollars. We find fabricated receipts for family trips that are plainly not related to business. He’s put in for losses at casinos and fees for escort services. He even got subordinates to agree to cover his expenses on their own T&E forms, all with his approval. We stopped for a moment at the $335,000 mark just to catch our collective breath.
And then things get interesting.
Turns out this guy was a star hire of Mr HR, who also happened to be one of the more frequent beneficiaries of this guy’s entertainment largesse. And the EVP of sales, who approved the expense reports, is the personal protégé of the CEO and, in fact, is the CEO’s selection for his own successor.
It is also noted with some melancholy that this Jesse James of sales has several of our anchor contracts on his watch. Moreover, it seems he never executed a nondisclosure or noncompete agreement on arrival.
We agree that he will be interviewed and confronted with our findings.
As You Like It
We meet at my office with another investigator at my side. Our sales hero comes alone, wielding an arrogant swagger. As we go through the items, he defends some allegations, blames his assistant for others and, when indiscretions are obvious, outright lies. Finally, he looks at his watch, gets up and advises: “I’ve better things to do than go through this absurd harassment.”
As he leaves, I hear myself saying to his hindside, “I guess it’s OK with you if we check everything from the last two years?”
I advise my boss where we are, and we call a meeting to lay out the findings to date and the perpetrator’s obvious lack of candour throughout the interview.
CEO: “Have we made the T&E rules clear?”
Me: “The basics are clear. There is an affirmation of truth in the signing and a supervisory sign-off, but we haven’t done a great job of defining the specifics of what is and isn’t allowed. In this case, though, many of the items are well outside the most liberal definition of permissible.”
EVP of Sales: “Well, he can explain a lot of this stuff. I trust him, and I will point out that he is personally responsible for 30 percent of our annual sales for the past three years . . .”
CEO: “Now there’s a commitment to managerial oversight! And what of our ability to protect our proprietary information?”
VP of HR: “He’s never signed a nondisclosure. He came to us with glowing reports.”
CEO: “Did we do a background review?”
VP of HR: “Like I said, he came with glowing reports. I called a few of my colleagues and checked on prior comp. I’m uncomfortable delving further into personal histories.”
CEO: “So where do we go from here?”
Me: “I’d guess this guy is done talking to us without a lawyer. As far as I’m concerned, he’s a thief and liar who owes us several hundred thousand dollars. We owe him a ton of back comp on shares and current bonus that would more than cover what he’s stolen. My recommendation would be to fire him and not pay him a dime of what’s in the bank.”
EVP of Sales: “That’s easy for you to say. He walks off with a major portfolio of our revenue, and we sit here waiting for the other shoe to fall.”
CEO: “Really? Don’t be too sure about who’s going to be sitting here when all this comes to a head.”
Hmmm. Maybe I’m not going to be the tragic figure in this drama after all.
This column is written anonymously by a real CSO at a major US corporation.