Investigating Your Search Firm and Consultants

At some point during your career you will find yourself interacting with a search firm and/or a recruiter who has been assigned a project to fill a professional level security risk related role. This firm may or may not have a specialty security risk related practice and may or may not be a firm that you have ever heard of.

Recently, several issues have come to our attention that we felt had much more far reaching implications given the security and governance roles which most of you must deal with daily in your organizations. That is to say, do you really understand the reputation, ethics and practices of the people and firms with whom you are about to share your personal information and background? Do you have any idea how they manage, store and protect your information and what their policies are regarding the use and sharing of your information? Without wishing to fill this article with clichés, there are real risks associated with insider threats, identity theft and transfer of personal information, for a variety of nefarious purposes.

Recent Examples

• A well-known university forwarded our firm a questionnaire/survey regarding our thoughts on the hiring of convicted criminals as a part of a rehabilitation program. A laudable cause, but given the nature of our business, clients and candidates, it would be unlikely we would ever engage in this program.

• A well-known automotive company hired a search
consultant who had a very impressive resume and was a former senior executive for the well-known global search firm Korn Ferry, to conduct a search for their global head of security. At the time, this individual was under investigation by the FBI in San Francisco in a well-published case involving the theft of intellectual property from his former employer. In April, this individual was convicted in the four counts of the indictment by a jury in federal court.

• Last year a medium-sized search firm that specializes in corporate governance and IT security hired a consultant who had recently been terminated for fraud. In a subsequent legal filing to enjoin them from using misappropriated confidential information, they stated that they did not feel it was necessary to conduct any verifications or due diligence, as their new employee had offered his explanation of the circumstances.

• There have also been several recent cases involving recruitment consultants misappropriating information and work product from their employers. This includes contact information residing on company servers, as well as client, prospect, candidate and marketing lists, LinkedIn connection details and other company documents. In some circumstances this also included resumes/CVs and personal information.

During the course of your careers, many of you have provided advice to your organizations regarding best practices, employee backgrounds, controls, due diligence, know your customers and suppliers, ethics, foreign corrupt practices act and compliance-related programs, just to name a few. Over the last year we have had numerous informal discussions with clients and candidates on this topic and asked if they would want to engage with a person or firm where there was evidence of serious ethics or criminal behavior issues. We were a little surprised when the reactions seemed to fall into two distinct viewpoints. The first was the belief that as security professionals we should live what we believe and advise and not engage with people or firms who are ethically challenged; while the other view was driven by the fact that it is such a competitive market with a relatively small number of good opportunities that they were willing to engage with the person firm in hopes of being considered or introduced for a role.

In reflecting on this, we can see where there would be a dilemma, especially if your job was being eliminated, your company was being acquired or restructured, or you are unemployed. In essence, you may conclude that you have a solid business case to take the risk and just try and manage the exposure. This is not an uncommon business concept. We suggest that this is a microcosm into a much bigger and growing issue involving the growing global trend of a total disregard for the intellectual work products of employers and others with no purpose other than person gain, showing off to their friends or, as we have seen in the news, trying to cause harm or embarrassment to an employer or a government.

Job seekers have a right to expect that the information provided will be treated with confidentiality and will be maintained, protected appropriately and only shared for its intended purpose. If you are employing a search firm, you should expect that with or without a non-disclosure agreement, that firm and all of the staff involved in your project should have the ethical character to protect the information that is shared.

Jerry Brennan is co-founder and Chief Executive of the Security Management Resources Group of Companies (www.smrgroup.com), the leading global executive search practice focused exclusively on corporate and information security positions.

Lynn Mattice is Managing Director of Mattice & Associates, a top-tier management consulting firm focused primarily at assisting enterprises with ERM, cyber, intelligence, security and information asset protection programs. He can be reached at: matticeandassociates@gmail.com

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.