At some point during your career you will find yourself interacting with a search firm and/or recruiter assigned a project to fill a professional-level security risk-related role. The firm may or may not have a specialty security risk-related practice and may not even be a name you’ve heard of before. It may be a small firm of one or two recruiters - independent contractors who have decided to set up a practice. Regardless of the company structure, you are about to divulge the most personal details of your career to someone. What do you really know about them?
Recently, several issues have come to my attention that I felt had much more far-reaching implications given the security and governance roles which most of you must deal with daily in your organizations. That is to say, do you really understand the reputation, ethics and practices of the people and firms that you are about to share your personal information and background with? Do you have any idea how they manage, store and protect your information and what their policies are regarding the use and sharing of your information? Without wishing to fill this article with clichés, there are very real risks associated with insider threats, identity theft and transfer of personal information for a variety of nefarious purposes.
Let me provide some recent examples.
A well-known university forwarded our firm a questionnaire / survey regarding our thoughts on the hiring of convicted criminals as a part of a rehabilitation program. A laudable cause; however, given the nature of our business, clients and candidates, it would be unlikely we would ever engage in this program.
Last year a major automotive company hired a search consultant who seemingly had a very impressive resume and was a former senior executive for a well-known global search firm. He was to conduct a search for the global head of security for the company. At the same time this individual was conducting the search, he was actively under investigation by the FBI in San Francisco in a well-publicized case involving the theft of intellectual property from his former employer. In April he was convicted on the four counts of the indictment by a jury in Federal court.
There have been several recent cases involving recruitment consultants who had misappropriated information and work product from their employers. Going beyond the classic “customer list going missing” model, data resident on company servers, including resumes/CVs, personal data and contact details, have all been targeted. Frequently the defense has been that the LinkedIn model of public profiles has rendered privacy in the recruitment industry obsolete.
During the course of your careers, many of you have provided advice to your organizations regarding best practices; employee backgrounds; controls; due diligence; know your customer, vendor or supplier; ethics; Foreign Corrupt Practices Act and compliance-related programs - just to name a few. However, when it comes to our own dealings, do we practice what we preach?
Over the last six weeks I have had numerous informal discussions with clients and candidates on this topic, and asked if they would want to engage with a person or firm where there was evidence of serious ethics or criminal behavior issues. The reaction seems to fall into two distinct viewpoints:
The first was the belief that as security professionals we should live what we believe and advise others, and not engage with people or firms who are ethically challenged. Many of you do your homework prior to sending your details.
The second view was driven by the reality of the job market in this industry. It’s very competitive and there are a relatively small number of good opportunities. In the hope of being considered or introduced for a role, many said they had blindly sent their information to either a person or a company they had not thoroughly vetted.
I can see where a dilemma could arise, especially if your job was being eliminated, your company was being acquired or restructured, or you were unemployed. In essence you may conclude that you have a solid business case to take the risk and attempt to manage any exposure. This is not an uncommon business concept.
I would suggest however that this is a microcosm of a much bigger issue – a growing, global trend that misconstrues the concept of ownership. Entertainment companies experience this in the form of intellectual property violations. Recently in the news we’ve seen “leakers” misappropriating information in an attempt to embarrass or harm governments. And individuals see this with their personal details – once on the internet – out there forever, and for anyone.
However, as a candidate, you really do have control over what company – and which recruiter – you send your information to. Job seekers have a right to expect that the information they provide will be treated with confidentiality and handled appropriately.
As an employer, if you are hiring a search firm, you should expect that - with or without a non-disclosure agreement - the firm and all of the staff involved in your project have the ethical character to protect the information that you’re sharing.
Regardless of which category you fall into – jobseeker or client company – you ultimately have the power of making an informed choice while keeping the best interests of either yourself or your company at the forefront of your decision. However, the personal decision may be the harder of the two, given that most everyone would believe it is in their best interest to be employed.