freshidea - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

Can companies safely fire an information security manager?

An information security manager has access to many privileged systems in an organization, so letting one go can be tricky. Expert Mike O. Villegas explains how to handle the process.

As a CISO, how do you know when it's time to fire an information security manager? C-levels tend to drop after a publicized breach, but what about the lower-level managers? And what precautions should you take when terminating information security managers, given that they have inside information about an organization's defenses and vulnerabilities? Should these employees sign nondisclosure agreements?

In the United States, employees without a written employment contract generally can be terminated for good cause, bad cause or no cause at all; this is called Employment at Will. Assuming the reason for termination has been vetted and this is the only course of action, the trick is how to terminate an information security manager who has extensive inside information about the organizations' security and vulnerabilities.

Information security professionals are generally informed when an employee is being terminated or hired. This process may be manual or triggered by an email request to the information security team to provision or terminate system access. Because security team members are familiar with the termination process for general employees, an information security manager requires a slightly different process.

If the cybersecurity manager is a risk of retaliation -- which depends on the reason for termination -- steps leading up to the exit interview must be discrete on all levels. The damage a disgruntled IT security manager can cause to an enterprise can be significant. Take every precaution to keep the eminent termination discrete. Very few individuals should have knowledge of the security manager's termination. Co-workers and friends of the information security manager should not be informed, and if they find out, they should at least be asked to remain quiet until management has determined the right course of action.

Careful preparation is required to terminate a cybersecurity manager's employment. On the day of the exit interview, HR should be prepared to escort the manager outside the building after the interview, or possibly after an opportunity to gather his or her belongings from his work area. During the exit interview, the following should occur:

  • Return of any company issued mobile devices such as cell phone, tablet or laptop.
  • Return of any fobs used for remote access, or physical access to restricted locations such as computer rooms or colocations.
  • Return of any proximity cards or badges that provide access to parking structures, buildings, computer centers, colocations or other restricted areas.
  • Return of any physical keys to his desk, safe, locked cabinets or doors that were restricted to information security.
  • All system accounts for network, operating system, remote access, email and specific information security portals need to be disabled -- not deleted.
  • Change of physical locks; cipher locks; encryption keys; and any sensitive authentications that he knows, has in possession or has control of.

All new and active employees should sign an acceptable use agreement upon hire, and on an annual basis, that not only defines acceptable uses of company resources, computing devices and information, but also includes:

  • A nondisclosure agreement.
  • Relinquishment of personal privacy when using company issued devices.
  • Compliance to the company's information security policy.

The company can obtain the services of outside forensic specialists to ensure all information gathered to justify termination is valid and supportable, but always ensure that these specialists are objective and credible.

Employment at Will includes termination without cause, but in most states that does not include terminations because management no longer likes them due to ethnic, cultural, religious, sexual or racial differences; because they have found information on executive management indiscretions; or because they have refused to ignore vulnerabilities as directed by management due to cost or annoying factors. Have the termination justification well documented before the exit interview.

If there is insufficient evidence to support termination, give the information security manager a paid leave of absence, removing all access as if it were a termination until a final conclusion is reached.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Discover how to improve security by limiting privileged accounts

Learn how and when to end a vendor contract securely

Find out if new hires are required to have security certifications

This was last published in March 2016

Dig Deeper on Information security program management