First of a two-part column
There are two areas where security should be playing a stronger role: how employees are selected (beyond simple background checks) and how hardware should be regulated on the corporate campus. In this column, I'll look at the employee selection process, using Google as an example; in a subsequent column, I'll discuss Apple's iPhone as an example of hardware that should be restricted.
If you've been in security for any length of time, you know that no matter how much technology you throw at a problem, one brain-dead employee or executive can screw it all up in a moment. Such problems often are caused by employees who are not properly selected, trained, and motivated to help with security.
If security starts (and often ends) with the employee, perhaps the security organization should play a stronger role in employee selection and training. The security group should certainly play a stronger role in policy development and enforcement.
What takes me down this path is a recent interview with Google's CEO, in which he discussed the company's staffing problems and what it's doing to fix them. Like many companies that experience very rapid growth, Google is having serious problems getting enough qualified people to do the jobs they need done. And, like many companies, Google has been using academic accomplishments as a key metric for weeding out applicants.
Google's executive staff has rightly concluded that interviewing takes too long and that by sorting potential employees based on grades -- largely an artificial metric in business -- they are probably missing out on many great employees they might otherwise hire.
Unfortunately, Google's "solution" to this problem is to hire people that are qualified for jobs "three levels higher" than the jobs they are hired for. This approach clearly addresses the need to fill the pipeline for potential executives in a rapidly growing company; it could also result in a security nightmare.
As anyone in security knows, the most likely employee to steal from a company is one who feels underpaid and underappreciated. These employees often feel the company "owes" them if they don't move up fast enough, and they typically don't enjoy the job they are doing, because they are overqualified for it. Such people can demonstrate nasty behavior as their frustration on the job grows.
Hiring a few overqualified people isn't a problem, if the selection is done right. But making it a practice is incredibly risky and showcases a typical lack of understanding for that risk. It's just as dangerous a practice as placing too much importance on education or interviews, both of which are relatively easy to fake.
If history repeats itself, Google's approach could result in declining employee benefits, reduced productivity, and an increasing number of employee-caused security incidents. It will make Google a less attractive place to work, and that's not in the best interest of Google, its employees, its stockholders, or its customers.
The last big company that followed this path was Netscape. That should tell you something right there.
In part two of this column, I'll discuss the reasons why security should get involved in approving the purchase of personal hardware that is allowed inside the company. Until then, I'll leave you with a question to ponder: If executives say their employees are their most valuable asset, why shouldn't the security organization be more actively involved in ensuring that this asset doesn't become a liability?