Corporate security has the responsibility of protecting a firm's assets, both intellectual and physical. This often includes the responsibility of managing investigations into information leaked to competitors or the media. The scandal at Hewlett-Packard last week, in which top executives mismanaged such an investigation and ended up losing their jobs, offers some lessons that should be taken to heart and never forgotten.
Corporations are public entities. Any aspect of any investigation is, therefore, of interest to the media covering the company. This means that, regardless of the legality of an action, corporations should think about its disclosure -- intentional or otherwise. In its investigation, HP used "pretexting," which is pretending to be someone else in order to get access to critical information. HP's methods might be technically legal, but they became a PR disaster and eventually resulted in board-level changes. With better disclosure processes, the whole thing might have been avoided.
HP's "pretexting" was done by an agent, possibly without the direct knowledge of the security or legal staff until after the event. The action was clearly a management oversight, because even if it was legal, it was inconsistent with HP policy and wouldnt otherwise have been allowed. But, because management was hands off the process (and because the agency used was not part of HP), a disaster resulted. Companies arent the government, and the use of agencies -- particularly in this case -- doesnt provide the protection that it once did. As with most issues like this, the problem will flow uphill and eventually land on the desk of an executive who doesn't think it's so funny.
The HP scandal reached catastrophic levels when a board member didn't admit to the mistake he had made. This can happen at all levels of a company when the full details of a decision are not clear. If the board member had known that his actions would cost him his job, he not only would not have covered them up, but he would have thought twice about leaking the information in the first place.
How many security departments make it a point to communicate the repercussions of violating corporate security policy? Investigations like HP's seldom become public, so companies should use this example to demonstrate that even the most powerful employee can't make a mistake and then try to cover it up. When they realize this one leak resulted, directly or indirectly, in the replacement of one CEO and two board chairmen, some employees may give more thought to their future actions.
We often forget how important experience is in the security industry. HP gives us one great example of what can happen when the people who are running an investigation have no inkling of what they are doing. Companies are not the CIA, you simply cant go around abusing privacy rules to find out information that likely could have been obtained in safer ways. Experience plays a major role in protecting companies against "investigators" who have good skills but lack the experience to use them. HP did successfully find the source of its media leak, but it could have avoided a nasty scandal if investigators had been more careful and/or brought in the proper authorities to assist with the investigation.
This is a lesson that applies to the technology industry in general. We use a lot of code words, and we often dont know what those words mean. In the HP instance, there is evidence that the term "pretexting" was used to describe the leak investigation process, but there is little evidence to indicate that top executives had any idea what pretexting was.
Given HPs history, you would think that the phrase "We are going to fraudulently represent ourselves as a board member (or reporter) to get access to personal information" would be enough to give any HP executive an immediate and near-fatal heart attack. HP has never exhibited behavior like this in the past, so you have to believe there was a disconnect somewhere.
I believe the disconnect was that the executives didnt know what pretexting was and assumed someone else did, but that critical someone didnt exist. If you dont know what something means, youd better damn well ask. The HP case proves if you try to look smart, you may get shot by your ignorance.
This is potentially a huge problem in technology-focused firms, where jargon is used freely but the security staff may not understand the jargon. And the sword cuts both ways, because line managers may not understand words like "pretexting" that are specific to security.
In the end, it is better to look ignorant and ask the question than it is to look incredibly stupid -- not to mention unemployed -- after the fact.