Find them and fire them: 5 steps

Spotting and handling rogue employees before they make the news

After my first day with a client on the regional fringe of Iraq, I was happy to find a room with decent air conditioning and an Internet connection. Then I started looking around.

My first clue something was amiss with my hotel should have been the double concrete barricade at the street, the metal detectors at every door and the airport-style X-ray machine. But what clinched it was the swagger of tank-top-and-fatigue-wearing American men smoking in the lobby, each with a semiautomatic pistol jammed down his waistband or the overt machismo of a dangling combat knife.

The concierge explained I'd wandered into an R&R hotel for Blackwater USA, which recently had been in the news for its mercenaries' involvement in a string of violent deaths and allegations of weapons smuggling. (Blackwater refers to itself as a "private military company," but now that Iraq is nominally self-governing, supplying personnel and engaging in combat there is mercenary business according to Article 47.c of the Geneva Conventions.)

Watching how influential or powerful people act in their off-hours can be telling, especially in high-stress situations. After witnessing Blackwater personnel engaging in unprofessional behavior such as doing burnouts in a jacked-up Escalade, brandishing weapons, and spewing loose talk about company business (not to mention public consumption of alcohol in an Islamic locale), none of this news is even slightly surprising.

Five steps to find them

It's tough to find effective and ethical people to fill positions of influence or power. Whether the role is that of security guard for a convoy out of the Green Zone or security administrator for critical systems, missteps can directly lead to the death of innocent people, and intentional abuse is the stuff of nightmares.

Worse, it's the people who really want power and influence who are most likely to mishandle it. I don't have a line on ways to see into other people's minds and evaluate their current and future ethical capacity and personal risk factors, but here are a few steps you can take to spot an internal danger before too much damage is done.

(Note: Laws and social norms regarding termination vary widely, so the involvement of an attorney is key to making sure any termination process is handled reasonably and lawfully. These opinions are not legal advice and may contain information that is improper for your locale.)

1. Set clear goals. Drop authority into idle hands and corruption from power happens fast. Termination is an easy decision when someone simply doesn't have the professional or ethical rectitude to handle a job. The solution is to make sure employees have clear goals for their initial work, let them prove they can handle it, and then slowly add responsibility and authority. With good references and recommendations that speak to a person's ethical behavior and professionalism -- not just technical ability and certifications -- it also becomes reasonably safe to hire directly into positions of significant responsibility.

Clear goals should include plans for roles and advancement, not just job tasks. If the opportunity presents itself, a technical staffer in an otherwise thankless help desk role can be given a career path to systems and network support or development, thereby reducing the risk of idle hands with authority over others' organizational identity and data. (This has the nice side effect of reducing overall turnover even as the help desk loses people to advancement.)

2. Set clear prohibitions. Tell your security administrators and other influential tech people where the boundaries lie in terms of behavior, and explain the consequential impact -- including the potential damage -- that security controls have on business processes. The people at the International Policy Governance Association like to think they invented the negative directive, but there's a good idea at the core of the advice they give to corporate boards.

The IPGA's FAQ says that board directors ought to make "decisions and actions only in a proscriptive way." Proscribing, limiting or constraining certain actions and behaviors, "makes possible all other actions and behaviors [and] gives staff maximum freedom in creating actions to achieve the ends, while avoiding what is not acceptable even if it works."

For example, implementing strict network authentication rules that block access by field doctors to telemedicine video feeds after two mistyped password entries may not be the best balance of security vs. functionality. Likewise, aggregation of large amounts of financial data may be required for regulatory compliance, even if privacy advocates fret over the risk. Just as military contractors ought not shoot randomly at crowds when someone cracks their bubblegum, enterprise network administrators should know it's (usually) not OK to implement active network defenses that launch attacks on other organizations when an intrusion attempt is detected.

3. Check the work results. Measure the outcome of work processes. Don't take a security staffer's word about whether goals have been met, methods are actually being followed, or improvements made. "You and your assets are safe" can mean someone ticked items off a control list rather than considering new and emerging threats. "Don't worry about it" means you should.

Work metrics from information security staff ought to be relative to past experience, and ongoing activities ought to be guided by predictions of future risk. Ask for results to be described in comparison to a similar time period (e.g., "security events this month compared to the same month last year") or to a similar organization or site if no firm metric is available (e.g., the number of breaches or intrusions for a competitor's operations).

It's also worthwhile to check out what else they are doing if some activities are not on the agenda. Are side projects a sign of initiative or ulterior motives? Just as the alleged smuggling of weapons may turn out to be Blackwater contractors quietly backfilling equipment that is in short supply for U.S. soldiers, the routing equipment missing from one corporate project may be serving to shore up security for another. Or someone may be lining their pockets when no one is looking.

4. Go and watch how they work. It's common to see a degree of aloof behavior from technical or tactical staff -- a combination of pride in skills and a geek's stereotypical lack of social grace. Outright arrogance or lack of respect for one's customers, on the other hand, is a serious warning sign.

Traffic police officer Ali Khalaf described a startling pattern of behavior just moments before Blackwater contractors opened fire and killed 10 civilians last week: "As they often do, guards from the U.S. firm -- the largest private security operators in Iraq -- hurled water bottles at cars to stop traffic as they drove through." Regularly throwing your drink at someone implies a certain lack of respect.

If they don't have respect for end users themselves, security staffers likely have no respect for the work those users do or for their assets, whether information or infrastructure. Security tasks of import are then indistinguishable from a game in which the player has no risk, and the outcome is predictable. Do help desk staffers insult inexperienced users? Are trouble tickets delayed to teach people a lesson? Do developers delete security requirements from test criteria? As TJX painfully learned, today's small arrogant behaviors turn into tomorrow's security disaster and the next day's ongoing or irrecoverable loss.

5. Sit back and listen. Sometimes the worst offenders just can't keep their mouths shut. By listening and looking, one can hear the warning signs coming from co-workers, other managers and even competitors. With employees using their own names or bragging about exploits at a named company, it only takes a few Google searches to uncover enlightening information. Personal blogs, MySpace pages, YouTube and even venerable Usenet groups tell stories of past or impending misbehavior.

Not every inappropriate public venting of personal frustration indicates that a Jon Paul Oson-style meltdown is in the offing. Sometimes an apparent attempt at career suicide is just a singular cry for help, not a pattern of risk that warrants termination. However, assertions about "pulling the trigger" or "I could do x" are huge, blinking warning signs. Tales in the past tense ought to be verified and pursued vigorously.

Five steps to fire them

So you find warning signs from a security staffer that constitute unacceptable risk, evidence of negligence or much, much worse. He needs to be fired, and he needs it bad. Yet most managerial resources only cover the process of termination from the decision through the "cardboard box commute" out the front door.

Little is said about handling people with significant administrative access, or the uncomfortable and unfortunately common problem of contact after termination. Here are a few steps to consider before and after the usual human resources blather about hostile terminations.

1. Safety and asset protection. As Shaggy says when things get out of hand, "First thing you gotta @%$# do is do not move!" Preservation of life and safety has to be primary, but too much doing and not enough thinking will turn a bad situation into a disaster. If the person about to lose his job poses an immediate physical danger to others, involve law enforcement before doing anything else. If he poses a danger to himself, either law enforcement or involuntary psychiatric care help may give you a little time to assess how his condition affects you.

Taking a step back, it's important to consider secondary risk to life and limb. System operators for civil infrastructure may cause traffic jams, contamination or resource contention in a fit of anger that results in injury or worse to a far-removed third party. A vengeful database administrator for a pharmaceutical supply house may slip a bit that isn't evident until someone's grandfather gets the wrong prescription in the mail two weeks later.

Turn off their access or remove their rights to dangerous systems. Remove their rights to create or delegate to other identities. Look for alternate or shared accounts, and turn those off too. Don't accept waffling from other administrators about unchangeable passwords for shared accounts or other back doors; there's no better lever than imminent civil or criminal liability when it's time to demand change or pull the plug.

2. Check yourself. When the immediate risk level settles down, take another step back to make sure all of the administrative ducks are in a row. Did the person have clear duties and limitations? Did he know the policies and applicable laws? Are all issues involved in the separation -- from background checks and training to evaluations and evidence -- formally documented and available?

Take a moment to ponder how the termination will go. The core process is pretty rote, but what tangents or mistakes may arise? Are there projects that will need to be picked up? Were duties properly separated and rotated, or does the individual have unique access or knowledge? It's not helpful to handle the termination smoothly only to see something later fall flat in your ongoing security and operations.

3. The usual. There are innumerable sources of support for the process of terminating people in an ethical, legal and humane way. Beyond advice from human resources and legal experts, I often suggest that it's a good idea not to delete application, system or directory user IDs. If there is any practical way to remove all rights but keep the identity and activity record, the person's accounts should be deactivated or archived but not deleted.

This runs contrary to common technology-focused security wisdom, but the continuity of identity and activity logging is becoming increasingly important in industries including financial services, health care and defense. Organizations occasionally hire people back after a layoff, or a fired person may go to work for a business partner with access to the same resources. In these situations it's important to realize that it's one person -- at an account and log level -- and deletion of accounts may prevent that correlation.
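The revocation checklist in step 1 (disable the person's own accounts, strip group membership and delegation rights, rotate shared credentials rather than leaving them in place) and the deactivate-but-don't-delete advice in step 3 reduce to a short, repeatable procedure. The script below is an added example written for this page, not the author's code or any directory product's API. The directory export, its field names (owner, kind, groups, can_delegate, credential_holders), the employee IDs and the log lines are all constructed for illustration; the employee ID is the attribute assumed to survive account renames, re-hires and contractor accounts.

```python
"""Revoke, don't delete: offboarding an administrator while keeping the audit trail.
Added example, not from the article.  The directory, field names and log lines
are constructed for illustration and are not any real product's schema."""
import copy
from collections import defaultdict

# Constructed directory export.  'owner' and 'credential_holders' hold employee
# IDs, which outlive any single account name (re-hires, contractor accounts).
DIRECTORY = {
    "jsmith": {"owner": "E1001", "kind": "personal", "enabled": True, "can_delegate": True,
               "groups": ["Domain Admins", "VPN Users"], "credential_holders": ["E1001"]},
    "svc-backup": {"owner": "E1001", "kind": "service", "enabled": True, "can_delegate": False,
                   "groups": ["Backup Operators"], "credential_holders": ["E1001"]},
    "root-fw01": {"owner": None, "kind": "shared", "enabled": True, "can_delegate": False,
                  "groups": ["Firewall Admins"], "credential_holders": ["E1001", "E1002"]},
    "mlee": {"owner": "E1002", "kind": "personal", "enabled": True, "can_delegate": False,
             "groups": ["Firewall Admins"], "credential_holders": ["E1002"]},
}


def offboarding_plan(directory, employee_id):
    """Work out what must change before the termination meeting.
    Accounts the employee owns are disabled and lose groups and delegation rights.
    Shared accounts whose password the employee knows cannot simply be switched off
    (other people rely on them), so they are queued for credential rotation."""
    plan = {"disable": [], "revoke_groups": {}, "revoke_delegation": [],
            "rotate_credentials": []}
    for name, acct in sorted(directory.items()):
        if acct["owner"] == employee_id:
            plan["disable"].append(name)
            plan["revoke_groups"][name] = list(acct["groups"])
            if acct["can_delegate"]:
                plan["revoke_delegation"].append(name)
        elif employee_id in acct["credential_holders"]:
            plan["rotate_credentials"].append(name)
    return plan


def apply_plan(directory, plan, employee_id, ticket):
    """Deactivate and archive.  Returns a new directory; no account object is deleted."""
    after = copy.deepcopy(directory)
    for name in plan["disable"]:
        acct = after[name]
        acct["enabled"] = False
        acct["groups"] = []
        acct["can_delegate"] = False
        acct["archived"] = {"ticket": ticket, "former_groups": plan["revoke_groups"][name]}
    for name in plan["rotate_credentials"]:
        acct = after[name]
        acct["credential_holders"].remove(employee_id)
        acct["rotation_required"] = ticket
    return after


def correlate_by_employee(directory, log_lines):
    """Group events by the person behind the account, not the account name.
    Archived accounts still carry their owner, so activity under the old name and
    under a later re-hire or contractor account lands on the same person.
    Accounts missing from the directory surface as 'unknown:<name>'."""
    owner_of = {n: a["owner"] for n, a in directory.items() if a["owner"]}
    events = defaultdict(list)
    for line in log_lines:
        timestamp, user, action = line.split(" ", 2)
        events[owner_of.get(user, "unknown:" + user)].append((timestamp, action))
    return dict(events)


def demo(employee_id="E1001", ticket="HR-4471"):
    """Run the timeline: offboard, re-hire under a new account, then investigate."""
    plan = offboarding_plan(DIRECTORY, employee_id)
    after = apply_plan(DIRECTORY, plan, employee_id, ticket)
    # Months later the same person returns as a contractor under a new account name.
    after["jsmith-ctr"] = {"owner": employee_id, "kind": "personal", "enabled": True,
                           "can_delegate": False, "groups": ["VPN Users"],
                           "credential_holders": [employee_id]}
    logs = [  # constructed sample events: "<timestamp> <account> <action>"
        "2007-09-20T08:01Z jsmith login",
        "2007-09-20T08:05Z jsmith modify-acl /finance",
        "2007-11-02T09:12Z jsmith-ctr login",
    ]
    kept = correlate_by_employee(after, logs)
    # The same investigation if disabled accounts had been deleted instead of archived.
    purged = {n: a for n, a in after.items() if a["enabled"]}
    if_deleted = correlate_by_employee(purged, logs)
    return plan, after, kept, if_deleted


if __name__ == "__main__":
    plan, after, kept, if_deleted = demo()
    print("disable:", plan["disable"], "rotate:", plan["rotate_credentials"])
    print("with archived accounts:", kept)
    print("with deleted accounts:", if_deleted)
```

The shared firewall account is the case that trips people up: it cannot be disabled without locking out the remaining administrator, so the plan records a rotation instead, and the old holder is dropped from the list of people who know the credential. The final two lines of output make the step 3 argument concrete: with the archived account retained, the old "jsmith" activity and the later "jsmith-ctr" login resolve to one employee ID; with the account deleted, the earlier events can no longer be attributed to anyone.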

4. Involve peers. Every human resources book says it's undignified and legally risky to talk about an impending termination. However, the practical reality is that when the person being terminated is a security administrator or technical security officer, one or more of his peers must know about the situation. At a minimum, someone has to take over the operational and security duties before the termination takes place.
