HP's School of Hard Knocks

Lesson Two: Maintain tight management.

HP's "pretexting" was done by an agent, possibly without the direct knowledge of the security or legal staff until after the event. The action was clearly a management oversight, because even if it was legal, it was inconsistent with HP policy and wouldn’t otherwise have been allowed. But, because management was hands off the process (and because the agency used was not part of HP), a disaster resulted. Companies aren’t the government, and the use of agencies -- particularly in this case -- doesn’t provide the protection that it once did. As with most issues like this, the problem will flow uphill and eventually land on the desk of an executive who doesn't think it's so funny.

Lesson Three: Communicate.

The HP scandal reached catastrophic levels when a board member didn't admit to the mistake he had made. This can happen at all levels of a company when the full details of a decision are not clear. If the board member had known that his actions would cost him his job, he not only would not have covered them up, but he would have thought twice about leaking the information in the first place.

How many security departments make it a point to communicate the repercussions of violating corporate security policy? Investigations like HP's seldom become public, so companies should use this example to demonstrate that even the most powerful employee can't make a mistake and then try to cover it up. When they realize this one leak resulted, directly or indirectly, in the replacement of one CEO and two board chairmen, some employees may give more thought to their future actions.

Lesson Four: Experience counts.

We often forget how important experience is in the security industry. HP gives us one great example of what can happen when the people who are running an investigation have no inkling of what they are doing. Companies are not the CIA, you simply can’t go around abusing privacy rules to find out information that likely could have been obtained in safer ways. Experience plays a major role in protecting companies against "investigators" who have good skills but lack the experience to use them. HP did successfully find the source of its media leak, but it could have avoided a nasty scandal if investigators had been more careful and/or brought in the proper authorities to assist with the investigation.

Lesson Five: Fear of looking stupid can get you fired.

This is a lesson that applies to the technology industry in general. We use a lot of code words, and we often don’t know what those words mean. In the HP instance, there is evidence that the term "pretexting" was used to describe the leak investigation process, but there is little evidence to indicate that top executives had any idea what pretexting was.

Given HP’s history, you would think that the phrase "We are going to fraudulently represent ourselves as a board member (or reporter) to get access to personal information" would be enough to give any HP executive an immediate and near-fatal heart attack. HP has never exhibited behavior like this in the past, so you have to believe there was a disconnect somewhere.

I believe the disconnect was that the executives didn’t know what pretexting was and assumed someone else did, but that critical someone didn’t exist. If you don’t know what something means, you’d better damn well ask. The HP case proves if you try to look smart, you may get shot by your ignorance.

This is potentially a huge problem in technology-focused firms, where jargon is used freely but the security staff may not understand the jargon. And the sword cuts both ways, because line managers may not understand words like "pretexting" that are specific to security.

In the end, it is better to look ignorant and ask the question than it is to look incredibly stupid -- not to mention unemployed -- after the fact.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading

Hewlett-Packard Co. (NYSE: HPQ)