Don Tennant | FROM UNDER THE RUG | POSTED 15 MAR, 2017
One of the most critical steps you can take to help prevent sensitive company data from walking out the door when an employee leaves is to conduct an effective exit interview.
That’s the assessment of Ron Faith, president and CEO of Datacastle, a data security and backup technology provider in Seattle. Faith is such an ardent believer in exit interviews that he personally conducts every one of them at his own company.
“The exit interview should be an opportunity to remind the employee of their obligations around confidentiality, and that what they may think of as their data is actually the company’s data,” Faith said in an interview last week. “So there’s a deterrent opportunity there.”
Datacastle provides technology that enables a continuous backup of every endpoint in the enterprise, including all of the devices used by the employees. And that’s extremely helpful information to have going into the exit interview.
Just as I had done my homework prior to the interview, Faith had clearly done his, as well. Much to my surprise, he was aware of my day job as a partner in QVerity, a company that does training and consulting in deception detection and critical interviewing.
“During the exit interview, you can ask them questions along the lines of, ‘Have you backed up this stuff personally?’ or ‘Have you moved things to a file sync and share repository?’ And they’ll either tell you the truth, or they won’t,” Faith said. “I know at QVerity, you guys have techniques to tell whether somebody’s lying to you or not.”
In fact, we at QVerity routinely perform exit interviews for clients, precisely because data loss is such a huge issue. To take Faith’s point a step further, it’s important to understand that successful information collection in an exit interview, or any personal interaction, is dependent upon asking the right questions, in the right way.
For example, Faith was spot on when he said you need to ask questions to determine whether the employee has violated any protocols. But consider this: When you ask an employee whether or not he has moved anything to a file sync and share repository, if he has done so, and if he has chosen to lie about it, he might very well have anticipated the question. He knows exactly what he’s going to say: “No.” And he’ll likely be able to say that without exhibiting any deceptive behavior.
But what if, rather than asking that question, you asked this one instead: “What data have you moved to a file sync and share repository?” That’s called a presumptive question, and it’s not only extremely powerful, but very fair. A truthful person can respond to it quickly and easily, simply by saying, “None.” But for a deceptive person, it presents a problem. Instead of asking the question he was expecting, you asked a question that suddenly he has to process. He’s likely thinking, What do they know? What am I going to say that’s going to keep me out of harm’s way? The discomfort you observe during that processing time is a very telling deceptive indicator.
Another very powerful type of question we often use in this scenario is called a bait question, and it might sound something like this: “Is there any reason that a colleague would tell us that he had become aware that you had moved data to a file sync and share repository?” Again, a truthful person can respond very easily by simply saying, “No.” But just as in the case with the presumptive question, a deceptive person will have to process it.
There are a couple of important things to remember here. First, there’s a big difference between a bait and a bluff. A bluff would be, “One of your colleagues informed us he had become aware that you moved data to a file sync and share repository.” We strongly advise our clients to steer clear of bluffs for a simple reason: They can easily get you in trouble. The deceptive person can pull the rug out from under you with one word in response: “Who?” When you hesitate and fumble your response, the employee will likely see that for what it is, and you’ve suddenly become an adversary who’s out to get him. You’ve made your job exponentially more difficult, because now the employee is likely to shut down — giving you the information you’re seeking will probably be the last thing he’s inclined to do.
That brings us to the second important thing to remember: You never want to come across as adversarial in any interview. You’re seeking the employee’s cooperation in the exit interview, and you’re not going to get it if he feels that he’s under attack. So even more important than what you ask is how you ask it. With any question you ask, and especially with these very powerful presumptive and bait questions, you need to remain very low-key, non-accusatory and non-adversarial. Of course, all of this takes some training, a point that Faith highlighted in the interview.
“Just as HR has to train managers on how to properly conduct interviews for hiring employees, I think it’s also critically important to train managers on how to conduct exit interviews,” he said. “And all too often, they’re not.”
Faith also shared some valuable insights on how to prevent data loss long before the exit interview takes place, and how to deal with data breaches when they occur. I’ll cover those topics in a forthcoming post.
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.
CLICK HERE to read the original article in IT Business Edge.