April 23, 2008
I was having lunch last week with the senior executive for one of the
large agencies in the government organization where I work, when I asked
about the agency's information security officer. I'd heard that the ISO
had left his job rather quietly and quickly a few weeks earlier, but I
hadn't been able to get a clear answer or reasonable explanation as to
why. This isn't as strange as it may sound. Our government organization
is very decentralized, and the agency ISOs don't work directly for me. I
don't have any real authority over them other than to ensure they
institute the enterprise security policies within their agencies (but
that's a whole different story).
The senior executive told me that he'd been meaning to bring me up to
speed on the situation but that it was very complicated, and after the
ISO left, he didn't feel a sense of urgency to close the loop. Because
the senior executive was relatively new in the position, he'd spent some
time trying to get to the bottom of the whole situation himself. My
antennas were now wagging in anticipation.
Here's the rest of the story. This employee had been quickly hired about
a year ago to fill a critical vacancy. The agency was preparing for a
couple of fairly extensive federal audits and also needed a security
manager to mitigate some critical vulnerabilities from a recent
vulnerability assessment and other new enterprise security requirements
that I had recently initiated. This particular ISO quickly became one of
the more proactive and effective security officers in the more than 20
agencies in our government organization. In fact, he was one of the
leaders whom I held up as an example to others because he took the
initiative to stay in front of his agency's security problems.
Then one day about eight weeks ago, the HR director from this particular
agency had received a call from a county probation officer, who said
that one of his probationers was employed and had been lying to him. He
was angry and told the HR director that he suspected this person had
been lying to the agency as well.
Guess who the employee was.
Oops, We "Forgot"
This revelation was a bit of a shock to both the HR directorand the
senior executive, because they weren't even aware that the employee had
legal problems.let alone that he was on probation. He was, after all,
just the information security officer! After some investigation and
discussion with the probation officer, they discovered that after being
convicted of felony embezzlement, this employee had been released from
prison mere weeks before being hired as a public servant in this public
agency. OK, fellow CSOs and CISOs, can you see where this is headed? Are
you beginning to perspire?
Subscribe to the InfoSec News RSS Feed