Undercover

Hard Questions About Background Checks

I thought we had a good relationship with human resources...until the time came to implement a background check program.

By Anonymous

March 01, 2006 — Every CSO has experienced that rare security project that takes life quickly and moves with a force of its own. The project seems to leave port without you. You wake up at night thinking through what might have been missed, trying to take solace in the rapid progress.

That, at least, is preferable to the project that just can't get under way—like my efforts to develop a background check program. Doing this can be a real challenge at a company that has operated for decades without anything more than a rudimentary screening to verify the accuracy of an applicant's education and work history. For those who must wrestle with this type of challenge, there is dangerous shoal water all around you.

It started when, as an outgrowth of our nation's new understanding of risk after 9/11, my industry self-administered a set of standards regarding background investigations. The inherent problem with a collective industrywide approach, though, is that it typically results in watered-down standards language with little direction. The room for company interpretation undermines the objective of demonstrating to Congress that the private sector can police itself, and it leaves CSOs in a precarious position, with few tools to help us overcome institutional obstacles.

I am the optimist, though, and my team and I rushed to work with key stakeholders, including human resources, legal and corporate compliance. I remember feeling good about how the project was being formulated. We had worked effectively enough with human resources on projects in the past, and it seemed like we were all speaking the same language.

The feeling would soon change. The artifacts of each organization's beliefs began to manifest themselves in missed milestones, unclear language and documents that could never shake their "draft" marking. The project started to feel like the little ship that couldn't. Every time we set sail, the S.S. Human Resources tugboat took us back to port.

Meanwhile, the security group had been given the required leeway to institute contractual requirements to manage risk with our partners and suppliers. It got so bad that the window washers contracted to clean our corporate headquarters had more stringent background checks and requirements than our own employees, who were operating processes that make up a portion of the nation's critical infrastructure.

Compromise is a necessary tactic. The hard part is drawing lines that preserve the intent of a given program. Let's take a look at why drawing those lines was harder than I expected and, in the end, impossible.
