The time between Thanksgiving and the Holiday Season break is most typically when companies review their employees performance. Most everyone has their views on Annual Performance Reviews since we are all involved either as a reviewer or reviewee. I created the following poll on LinkedIn to gauge what people thought about the annual review process – take a look here. I was very surprised by the results.
The post today is not a lesson in Human Resource Management, but I do often think about how people in Compliance, Legal and Information Security are really reviewed in terms of their job performance. In sales its easy – how much did you sell?
The conversation for a Compliance Officer or a Chief Security Officer is more complicated – how many FCPA infractions did you investigate or how many security breaches did you uncover? These roles are about protection and prevention and for the most part the teams operate in stealth mode and are seen to be doing their best work when nothing bad is happening. So a good performance review is about “nothing bad happened or nothing bad was uncovered”. Right? Wrong!
The best Compliance or Security Officers are actually “looking for bad stuff”, they are not sitting back complacently believing that their fort is secure. The very fact that “bad stuff has not happened” is the very reason to look harder. They are pre-emptive or pro-active and their mantra is to “find bad stuff before it happens”. Lofty aspirations, perhaps?
So shouldn’t performance be [at least partly] measured on vigilance and awareness rather than simply policies, processes and how well a team reacts to bad stuff as and when it happens?
Believe it or not we come across the “don’t tell me what I don’t want to know” attitude everyday. Catelas has an ability to look inside the business and monitor, yes monitor, how business gets done. Or more accurately we visualize the communications patterns of a company to understand “who knows who” and “how well”. For compliance and security groups we are used as a monitoring solution to better understand company relationships – who in my company has relationships with X, where you can fill in the blank X to be competitor, press, government official, etc.
But my point is that for many companies we often have to water down the “monitoring” term because our audience (the Compliance or Security Officer) does not want to look deeper than the job dictates. They are not interested in pro-actively seeking out potentially bad stuff for fear of finding something. Sure I understand that these teams are max’ed out or are operating within the Risk Profile of their company, etc, but in this age of Whistle-blowers and Self-Reporting, I honestly believe that the CCO in particular needs to step out of his or her comfort zone and start being more proactive. Blind ignorance is no longer an excuse.
What do you think?