Every CSO has experienced that rare security project that takes life quickly and moves with a force of its own. The project seems to leave port without you. You wake up at night thinking through what might have been missed, trying to take solace in the rapid progress.
That, at least, is preferable to the project that just can't get under way -- like my efforts to develop a background check program. Doing this can be a real challenge at a company that has operated for decades without anything more than a rudimentary screening to verify the accuracy of an applicant's education and work history. For those who must wrestle with this type of challenge, there is dangerous shoal water all around you.
It started when, as an outgrowth of our nation's new understanding of risk after 9/11, my industry self-administered a set of standards regarding background checks. The inherent problem with a collective industrywide approach, though, is that it typically results in watered-down standards language with little direction. The room for company interpretation undermines the objective of demonstrating to Congress that the private sector can police itself, and it leaves CSOs in a precarious position, with few tools to help us overcome institutional obstacles.
I am the optimist, though, and my team and I rushed to work with key stakeholders, including human resources, legal and corporate compliance. I remember feeling good about how the project was being formulated. We had worked effectively enough with human resources on projects in the past, and it seemed like we were all speaking the same language.
The feeling would soon change. The artifacts of each organization's beliefs began to manifest themselves in missed milestones, unclear language and documents that could never shake their "draft" marking. The project started to feel like the little ship that couldn't. Every time we set sail, the S.S. Human Resources tugboat took us back to port.
Meanwhile, the security group had been given the required leeway to institute contractual requirements to manage risk with our partners and suppliers. It got so bad that the window washers contracted to clean our corporate headquarters had more stringent background checks and requirements than our own employees, who were operating processes that make up a portion of the nation's critical infrastructure.
Compromise is a necessary tactic. The hard part is drawing lines that preserve the intent of a given program. Let's take a look at why drawing those lines was harder than I expected and, in the end, impossible.
Hard question #1: Do the circumstances of a crime matter?
The trouble started when the project manager selected by the human resources department turned out to be the company's diversity manager. I respect individuals and their diverse backgrounds, but I didn't anticipate, for instance, a discussion that certain felonies might sometimes be acceptable.
Acceptable? For security professionals, it can be hard to see the patterns exhibited by felons and not link them to missing qualities like integrity. We see those who are found guilty of serious crimes as missing the necessary qualities to support trust. I had the idea that any felony might disqualify an applicant from employment.
Others who are less exposed to rap sheets, however, seemed to view the crimes as possibly resulting from particular circumstances and, therefore, less likely to be repeated. Human resources wanted to pick small windows for applicable criminal findings, with the basic belief that people can change and should get another chance. I was made to feel like an insensitive and nonhuman security thug.
My group and I had some theories about why this was happening -- the most likely one being that others in the group either identified with individuals who had records or felt guilty about having themselves committed a crime of some sort. I wasn't trying to judge anyone, but I did want to assist the company in deciding whether or not to extend a privilege (employment) to someone. I would offer examples that would get everyone to say, "Yes, that makes sense." But within minutes, the HR reps' common beliefs would reassert themselves, and they would argue that a single bad decision (for example, felonious assault) doesn't always mean an engineer can't be a good engineer.
Hard question #2: How do you conduct a background investigation?
There are several methods for obtaining background information. They include:
-- typical employee screening and application verification process
-- county records check, based on a legal name or identifier, for criminal offenses
-- state criminal records check based on an identifier
-- state fingerprint check
-- multistate fingerprint check
-- national, FBI-conducted background check (where possible)
The beginning of the list is filled with flawed processes that provide only a limited amount of information. If you were found guilty of a felony, for example, what are the chances you would still live in or seek employment in the same county? Unfortunately, the methods at the beginning of the list are also the easier ones to execute.
I, like most security professionals, prefer the slightly more costly but more comprehensive state-based fingerprint check, in states where it is available. (The most comprehensive method -- a national, FBI-conducted background check -- is available only for specific jobs in regulated industries.) But human resources basically thought that any check would be good enough for the voluntary standards.
Hard question #3: What are disqualifying offenses?
Most states have specific requirements detailing what felonies can result in a negative adjudication based on jobs or roles. For instance, a school-bus driver must not have been found guilty of any violent crimes or crimes that involved children. Our team, however, couldn't even agree on how much time had to pass before a felony would not disqualify a job candidate, so developing a list of disqualifying offenses was going to be really tough. To make matters worse, job descriptions had not been defined well enough to help identify disqualifying factors by role.
Hard question #4: How do you implement the program?
After we made some headway in defining potential disqualifying offenses (marked "draft," of course), reconciling the cost of the services and arguing enough to know where everyone stood on the time limit for past crimes, the big, ugly issue came up. I remember the meeting to this day.
The human resources project team wanted to cut the estimated cost of implementing the program. The dollar amount equaled the cost of background checks for the number of employees currently on staff who had access to critical assets. The manager sat back and said, "Well, of course, you don't propose running a check on our current employees, do you? We might have to move a large number of people out of their current roles."
Time to dig the holes and insert our heads into the ground.
The way I saw it, you had to check your existing staff, or the program had no value. The standards were meant for a cadre of people who had the means to be very disruptive and damaging -- those people who were in the jobs already, as well as those who might be hired in the future. The risk was now, not over the next 20 years.
Time for more research
By this point, I could see that the project was taking on water and appeared to be sinking. This time I proposed we go back to the table and draft more stringent disqualifying offenses. I argued that a simpler system would be easier to manage and execute against.
I looked around and found the response I anticipated: We need to benchmark the industry. The security team already had done that, but this time the benchmarking would be done by each executive involved.
Slowly but surely we all came back to the table with variable results relying on small sample sets. The industry had a wide field -- from companies that maintained three full-time employees to conduct background investigations and manage a strict adjudication process, to companies that conducted checks with no disqualifying guidelines, to companies that did absolutely nothing.
We were back where we started. Well, one thing was different. I had a different view of the private sector's ability to police itself. I know you should be careful what you wish for. But with a stricter standard, there would have been less room for interpretation -- and CSOs like me wouldn't have to struggle between what is more effective and in the spirit of the standards, and what is simply easier for the corporation or more culturally and politically acceptable.