Security: Is It Ever Better to NOT know?

When is it best that no one in an organization – not even those capable of and responsible for maintaining secrets – know a piece of security information?

When obtaining that information is too expensive compared to its value? When such information violates the privacy of an individual or group? When the organization simply has no business in learning such information?

Let’s consider these questions as applied to employee screening, corporate due diligence and facility security to make a very simple but not always practiced point: ignorance is almost never bliss, an ostrich that allows its head to remain in sand simply cannot see.

Employees – prospective and current – are protected by, among other laws and regulations, the Fair Credit Reporting Act (FCRA). Limitations apply less to what information an organization may find and more to the written knowledge and notice it is required to give such employees when using such screening for employment purposes. Is the new employee in purchasing or finance struggling with overwhelming personal debt or bankruptcy? Have a history of fraud? Does a prospective trader have a track record of regulatory violation? The new soccer coach a restraining order? While there is nothing even close to a master database to answer such screening questions (e.g. despite the information age many jurisdictions have NOT digitized their current or past criminal records), “need to know” questions about employee backgrounds have progressively become less expensive and more capable of being thoroughly answered (whether with or without a computer). Likewise for an employee on the job who may leave written, oral and/or digital tracks of activities planned or completed to harm the organization. The key is to balance what’s important to YOUR organization and properly budget what you find out – and how you do it – both before and after an employee is hired.

Applying the same concepts and questions to the purchase of or investment in a business reveals that checking boxes for accounting purposes and/or overly relying on a belief that seller’s ownership and management have been as diligent as your organization would be in screening for and addressing prohibited activity may prevent acquiror/investors from really knowing what’s going on. Controls, audits, compliance and the valuable time spent among management teams building relationships of trust are undeniably important both to advancing and protecting a merged or newly capitalized organization. Equally important is the informed, professionally organized and objective opportunity to dig into the integrity and security soft spots that may harm any or all stakeholders.

Finally let’s apply the questions above to someone who enters your facility. What can and should you know about them? Their authorized purpose and destination? Restraining orders or issues they may have with an individual who works, lives or goes to school at your facility? Nobody likes a long line or cumbersome procedure and that should always be considered for the impression your business leaves with the great majority of people who enter your doors to do no harm. But for those who do, your organization’s ability to detect, deter, delay and deny their ability to do so with effective information management as applied to the door can be the difference between whether or not an incident occurs.

Of course, security information communicated to the wrong people, in the wrong way, at the wrong times becomes at best nuisance and at worst contributes to people and organizations losing lives, property and reputation.

VRI empowers individuals and organizations to develop and communicate useful security information to the right people, in the right way, at the right times.