CISO Advice: Shooting Might Not Be The Best Option

One of the perks of being a Senior Implementation Advisor at Xpandion is hearing our customers describe their many juicy company stories. And let me tell you, there are some doozies. This most recent one is a very interesting case.

Our system caught an employee trying to download his company’s full customer list, including each customer’s yearly sales figures. Now, this employee works in the warehouse, and the system identified a deviation from his normal “warehouse activity” of updating stock, issuing goods, etc. Producing customer lists belongs to the application area of Accounts Receivable (i.e., customers), and that activity obviously does not fit the warehouse user’s regular application area of Logistics. The system sent off an immediate alert, the security guys went to see what was going on, and the thief was caught red-handed.
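The detection described above comes down to two steps: learn which application areas each user normally works in, then alert when a user's activity lands in an area outside that baseline. The script below is an added illustration of that logic and is not Xpandion's product code; the activity names, the activity-to-area mapping and the log lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed mapping of ERP activities to application areas (hypothetical names,
# chosen to mirror the Logistics vs. Accounts Receivable split in the story).
ACTIVITY_AREA = {
    "update_stock": "Logistics",
    "issue_goods": "Logistics",
    "receive_goods": "Logistics",
    "post_invoice": "Accounts Receivable",
    "view_customer_sales": "Accounts Receivable",
    "export_customer_list": "Accounts Receivable",
}

# Constructed activity log: (ISO timestamp, user, activity).
# A warehouse user does Logistics work for a week, then exports the customer list.
LOG = [
    ("2024-03-01T08:02:00", "wh_user", "update_stock"),
    ("2024-03-01T09:15:00", "ar_clerk", "post_invoice"),
    ("2024-03-02T10:30:00", "wh_user", "issue_goods"),
    ("2024-03-03T11:00:00", "ar_clerk", "view_customer_sales"),
    ("2024-03-04T13:20:00", "wh_user", "receive_goods"),
    ("2024-03-05T16:45:00", "ar_clerk", "export_customer_list"),
    ("2024-03-08T09:05:00", "wh_user", "update_stock"),
    ("2024-03-08T10:10:00", "ar_clerk", "post_invoice"),
    ("2024-03-08T14:40:00", "wh_user", "export_customer_list"),
]


def area_of(activity):
    """Map an activity to its application area; unmapped activities get 'Unknown',
    which never appears in a learned baseline and therefore always alerts."""
    return ACTIVITY_AREA.get(activity, "Unknown")


def build_baseline(events, learn_until):
    """Learn each user's normal application areas from events before learn_until.
    ISO-8601 timestamps compare correctly as plain strings."""
    baseline = defaultdict(set)
    for ts, user, activity in events:
        if ts < learn_until:
            baseline[user].add(area_of(activity))
    return dict(baseline)


def detect_deviations(baseline, events, learn_until):
    """Flag every post-baseline event whose application area is outside the
    user's learned areas. A user with no baseline at all flags everything,
    which is the safe default for an account that has never been seen."""
    alerts = []
    for ts, user, activity in events:
        if ts < learn_until:
            continue
        area = area_of(activity)
        normal = baseline.get(user, set())
        if area not in normal:
            alerts.append({
                "time": ts,
                "user": user,
                "activity": activity,
                "area": area,
                "normal_areas": sorted(normal),
            })
    return alerts


if __name__ == "__main__":
    cutoff = "2024-03-08T00:00:00"
    baseline = build_baseline(LOG, cutoff)
    for alert in detect_deviations(baseline, LOG, cutoff):
        print(f"ALERT {alert['time']} user={alert['user']} activity={alert['activity']} "
              f"area={alert['area']} normal={alert['normal_areas']}")
```

Run as written, the only alert is the warehouse user's `export_customer_list` in Accounts Receivable; the AR clerk's identical export on 2024-03-05 is inside the learning window and inside that user's normal area, so it is silent. In practice the baseline is seeded from the role or authorization profile rather than learned purely from history, otherwise the first week of a misused account becomes its "normal".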

So then what happened? Did they report the incident to the local police or alert the tabloids? Well, surprisingly, the company took a totally different approach. They put the guy through their own internal judicial system and, following his admission of guilt, lowered his salary, took away some of his pension and published the story, without using his name, to the entire company.

So now you ask, why?

I asked the company’s global CISO (Chief Information Security Officer) that very question. How is it that an employee, who was clearly caught in an almost criminal act, didn’t face Federal law and got to keep his job?

The CISO explained to me that although such a serious act was committed, the employee was very good and the management wanted him to continue his work. Furthermore, settling a police report could take years, but this approach took exactly one week from the time of the incident, allowing the CISO to focus right away on publishing the story internally and preventing anyone else from committing future fraud. The most significant result, from the CISO’s point of view, was achieved – that of instilling fear in others. “I don’t have to fire anyone in order to prevent fraud,” the CISO said to me, “publicly divulging that someone had been caught and lost some of his pension created the right atmosphere that would be effective long term.”

Publishing the case so quickly created an effect that a police report couldn’t, and at the end of the day, preventing the next fraudulent act is the main purpose of security managers. From the CISO’s point of view it was the most effective response and a great closure to the situation.

From being in the field, I must admit that the impact I’m seeing at this company is amazing – this case has been the hot topic of conversation, and the possibility of further fraud has decreased. I also learned a good lesson that experienced CISOs know – you don’t have to pull the trigger in order to create impact; sometimes just having a gun in your belt does the trick.