Winn Schwartau thinks political correctness is preventing corporations from properly securing themselves against the threat of an insider attack.
Lawyers have gotten their hands on the issue of electronic data protection and made a mess of the situation, the co-founder of Vienna, Va.-based SCIPP International contends. “We have to get lawyers the hell out of information security.”
The self-proclaimed provocative speaker spoke his mind about the legal limits that prevent companies from having better security at the Toronto-based Infosecurity Canada conference Thursday. In his view, such laws prevent organizations from identifying “the enemy” when they are hiring for security-sensitive positions.
“You can’t hire folks and ask them ‘are you gay, are you a hermaphrodite, are you going to blow us up, are you a terrorist, what’s your religion,’ whatever it is,” he says. “So we’re putting people into mission-critical situations and operations within an organization without knowing their proclivities or their tendencies and behaviour.”
But the long-time advocate for security awareness is off-base with his remarks, say workplace hiring experts. In Canada, asking someone about their sexual orientation, race, or gender during a job interview is illegal, and is in no way an indication of their deceptiveness.
“Someone not revealing their sexual orientation or their race in no way suggests they’re going to be deceptive,” says David Zweig, a professor at University of Toronto’s Joseph L. Rotman School of Management. “Collecting that type of information is illegal.”
His opinion is echoed by colleague and assistant professor Julie McCarthy.
“Data shows that it is not only politically incorrect to select candidates based on demographics, but it is not productive either,” she says. “It is also illegal.”
Schwartau backs up his opinion that the law is interfering with maintaining security by pointing to seemingly ridiculous lawsuits in the US: a woman who attempted to sue a fast food chain because her hot coffee burned her lap when it spilt, for example, or a robber who sued his would-be victims when he broke his leg after breaking into their home.
As a security consultant, he’s seen gender issues compromise a client’s security before. A department largely staffed by women was barred from accessing corporate information they didn’t need, and a complaint lodged with Human Resources was eventually escalated to a legal case, he says. In the world of electronic access, not everyone is made equal.
“Political correctness is a disaster from a security standpoint,” he explains. “Because we’re trying to work on the assumption that all people are equal and everyone should have the same rights electronically within an organization and none of that is true.”
Focusing on the specifics about the skills relevant to the job is still the best way to assess candidates, Zweig says. Stick to previous experience, education and skills to stay well within the realms of legality and increase chances of hiring a good fit.
When it comes to trying to guess if an employee will deceive your company at some point in the future, a proper psychological assessment is a good way to go about it. Companies can find psychological firms that specialize in hiring and hire a PhD-level psychologist to do legal and helpful testing of candidates.
“It’s greatly going to increase your ability to predict who will be the best person on the job, and it will reduce bias,” McCarthy says. Industrial psychologists are the professionals who should be conducting such interviews.
This is a practice that Schwartau also recommends. He says it’s worth the extra expense.
“I argue that when I’m putting people into mission-critical situations, I want to know a hell of a lot more about them,” he says.
For the security expert who coined the term “Electronic Pearl Harbor” in a novel about a cyber-terrorist attack on the US, it is the next best thing to an illegal practice.
“Profiling works. That’s what a lot of our technology does in the security world, but we don’t want to put it to use against people,” he says.