American View: Are you sure your secret information is actually secret?

Risk Management24 Jun 2025

If I had a nickel for every time a CISO promised their CEO that “all our company information is secure,” I’d have an emotional support yacht for my yacht. What is it that drives seemingly rational and educated executives to gamble their future on impossible promises and schemes? I get that non-technical executives get squeamish when boardroom discussions get technical, but is lying about your organisation’s vulnerabilities and activities really the best tactic for managing your peers’ anxiety?

This isn’t an “emerging trend,” just so we’re clear. Twenty-five years ago, I gleefully watched our start-up’s CIO get unceremoniously drop-kicked out of her throne when the board learned that she’d been lying about the reliability of the company’s connectivity … The CIO had claimed in official documents that our data centre had “multiple, redundant, OC12s” when all we really had was a single T-1. The kind that a backhoe is drawn to. Sure, we were hard down and losing revenue when the revelation happened, but the public discover of the boss’s duplicity was hilarious.

Anyway, I don’t mean to rant about the futility of lying in official records. Every rational adult leader understands this is a terrible idea. See ENRON, Iran-Contra, et al. You’re going to get caught; it’s just a matter of time. Instead, I want to focus on one of the – in my opinion – most bizarre aspects of these scandals: the perpetrators’ ridiculous confidence that their lies would never be uncovered. There’s a staggering arrogance to it that I find fascinating, no matter the scale of the attempted deception.

A great example of this came up in conversation this weekend. I attended a low-key dinner party on Saturday. Amidst the usual small talk, one of my acquaintances let slip that he’d accidentally uncovered a plan to make a huge percentage of his site’s personnel redundant soon.

This fellow – let’s call him Sergio – explained that he was reviewing all the shipping orders for the week to ensure that nothing got “jammed” in the system due to poor data entry, incorrect addressing, customs tangles, etc. This is what Sergio spends half his time doing every day: finding and fixing errors in routing that might slow down or stop the movement of goods from of his site.

It’s not what you’d call “intellectually stimulating work,” but it pays.

Most of the time, Sergio is bored by his work. It’s necessary, but not exciting. Most of the errors he corrects are predictable: fouled address data is a constant problem with their CRM system. Out of date addresses, typos, obsolete contacts, and similar preventable errors rarely get resolved at his company. Additionally, Sergio has learned to recognize aberrations in the data: those delivery orders that seem “off” to his unconscious mind are almost always flawed and require some sort of corrective action. Sergio’s pattern matching skills are finely tuned.

It was that skill that alerted Sergio to an abnormal package routing entry: a shipping order called for an item that his company doesn’t stock or sell to be delivered to a person, not to a business. Imagine that you worked for a tyre manufacturer and found an order in your sales system for a gallon of ice cream. Sergio’s discovery was that level of disconcertingly wrong.

To be clear, Sergio wasn’t digging into systems or data that he wasn’t allowed to access. This wasn’t a “hack” by any stretch of the imagination. Sergio was doing his job. This strange order wasn’t flagged as “secret” or “restricted” in the shipping system … but it probably should have been.

First, Sergio confirmed that the mystery package was to be shipped from a company warehouse to a home. That was a serious violation of policy, since Sergio’s outfit is a large scale B2B outfit. They never sell directly to consumers. On its own, this order appeared to blatantly violate company regulations. Was it an attempted theft? He wasn’t sure, so he dug deeper.

The next thing Sergio did was to verify the identity of the intended recipient. The order was being sent to a person, not to a business. Not a point of contact at a business, but a regular joe in the suburbs. This had never happened in all of Sergio’s time in the job. Unfortunately, he didn’t recognize the intended recipient’s name. Hardly surprising.

It’s hard enough to recognize the hundreds of people who populate your Teams meetings; no one can remember thousands of strangers flowing in and out of your remote facilities.

Rather than escalate his discover to upper management, Sergio decided it would be wise to get answers in advance for the questions he knew his boss would ask. Sergio applied his database kung fu skills to the ordering system and dug up every reent shipping record that matched the characteristics of this one aberrant order. What he found left him stunned:

It wasn’t just one aberration; there were over a hundred identical orders.
Every order was for a different recipient and shipping address; that is, one delivery each.
Every package was identical for size and weight data, suggesting a drop ship of a single common item to multiple individuals.
Every package was set to be delivered on the same day. This suggested a carefully planned operation.

Sergio combed through the list of recipients and started recognizing names of workers from his facility. Every name that he knew was a senior employee with high tenure. Sergio quickly put two and two together and realized what he was looking at was a batch of “farewell” gifts for senior workers who were about to be made redundant. “Oh, [bleep]!” he said.

Upper management had obviously been planning this mass termination action for some time; they already had the “thanks for playing” gifts in stock at Sergio’s faculty and had chosen who would be let go far enough back that those workers’ home addresses had been transferred from the company’s HRIS platform to the company’s CRM system. Sergio considered the effort that would take and concluded that the layoff plans had probably been in the works for months. The date the packages were to be shipped was likely the day that hundreds of pink slips would be issued.

Sergio silently pondered the implications of his discovery, then thoroughly erased all his notes. His name and home address didn’t show up in the recipients list but that could change if he sounded the alarm. Executives get pissy when their “filthy underlings” get “ideas above their station.” Sergio needs his pay cheque; I can’t blame him for prioritising survival over business protocols.

Paranoia is no longer a “mental disorder” in corporate America; it’s a competitive advantage.

What really killed me about Sergio’s story was how arrogant and contemptuous his company’s executives seem. They appear to have made no attempt to mask their involvement in this cold blooded “force reduction” scheme. Instead of hiring a third-party to handle the logistics, they made all the delivery arrangements in their own shipping system using real employee names and home addresses. Anyone in their Dallas plant could’ve stumbled onto the evidence that revealed the plan. It was so lazy … ye gods, what a bunch of fools.

It’s that last idea that stopped me in my tracks and left me staring at a fern for the next twenty minutes. What sort of cognitive bias or psychopathology had led to this kindergarten level screwup? Did the powers-that-be at Sergio’s organisation dump the dirty work on their least competent minion deliberately? Were they setting up a patsy to take all the blame when the layoffs were inevitably leaked? Or did the higher ups really trust their designated organiser to get the job done in perfect secrecy? I’ll probably never know, but I’m darned curious.

The last thing I want to stress on this topic is a reminder that every “sinister corporate conspiracy” comes with a torrent of leaks. The evidence of deliberate fraud is always there if only someone bothers to look. Consider how easily massive financial frauds have been meticulously documented by investigators because most people aren’t good at keeping secrets. That goes triple for people in power: the higher up on the totem pole a leader is, the more likely it is that they’ll rationalize that their success came from personal brilliance rather than dumb luck and random chance. That flattering self-image fuels delusions of competence. Hence, easily preventable exposures like the one Sergio discovered.

If your remit includes insider threat hunting, be sure to take obvious evidence seriously. I know it’s tempting to dismiss the blatant and unbelievable clues to malfeasance as improbable; I call it the “no one could be that stupid” rationalization. I’m telling you … the biggest conspiracies are usually the dumbest and sloppiest. Take those obvious clues seriously get digging. Your suspects are usually so breathtakingly arrogant that they’ve done your work for you in documenting their misdeeds.