The Implications of Cannabis Use for Security-Sensitive Positions

Organizational risk management within the Information Systems (IS) landscape is evolving at a rapid pace, with a particular spotlight on security-sensitive roles that form the backbone of organizational security frameworks. At the forefront of this evolution are Chief Information Security Officers (CISOs), entrusted with the monumental task of safeguarding enterprise-related systems, mitigating external threats, and meticulously vetting third-party operators and vendors. As the workforce increasingly adopts remote and outsourced models, traditional risk management paradigms for security-sensitive roles demand a critical re-evaluation.

In this dynamic landscape, the need to address emerging organizational risks is more pressing than ever, but they require a new vantage point. One such risk, often overlooked yet increasingly pertinent, is the recent surge in cannabis use and its implications for security-sensitive roles. As organizations navigate this multifaceted challenge, integrating cannabis testing into risk mitigation strategies becomes not just a consideration, but a crucial imperative.

DEFINING SECURITY-SENSITIVE ROLES

Technology has allowed companies to increase the velocity and volume of data they collect on platforms ranging from website traffic to customer purchases and preferences. Included in this data is frequently valuable and personal information such as credit card numbers, social security numbers, system passwords, and even sensitive information about business dealings or practices. With more employees working remotely, and more frequently accessing emails and files via their smartphones, the potential avenues for bad actors to hack and access confidential information are growing.

Historically, the term “safety-sensitive” has been reserved for positions where a mistake could cause serious injury and/or death of an employee. Now, with added security risks of the digital age, many organizations are considering broadening the application of this term to include data-related roles. This decision includes an evaluation of the company’s data and its value, as well as a review of positions to be considered safety-sensitive based on their access to confidential and proprietary information.

While employees with access to confidential information are critical for the success and growth of a company, they can also present the greatest weakness when being targeted by malicious actors seeking to hack and access sensitive data. It is critical that these employees are never under the effects of any substance that could compromise decision-making, undermine security measures, or put valuable information at risk.

ORGANIZATIONAL RISK MITIGATION

A recent Hound Labs survey about cannabis use during the workday revealed that 36% of employees who use cannabis have used the drug at or before work. That same survey showed that individuals who use cannabis at or before work are 1.5x more likely to be employed at a company that does not drug test (60.4% vs. 36.1%). These rates are alarming when considering a single wrong click could lead to millions of dollars in damages, fines, and even greater losses in customer trust and loyalty.

For employers, this rise in cannabis use often translates to increased risks and ultimately, to increased costs for their business. The Recovery Centers of America recently released data showing that employers incur $81 billion in costs due to the impacts of drug and alcohol use disorders in the workplace. These costs stem from a variety of risks including workplace accidents, disability and workers compensation claims, lost productivity and absenteeism, turnover and recruitment. Another area of risk relates to data security, with the average cost of a breach reaching nearly $4.5M dollars according to IBM.

As risks and costs escalate, CISOs are being held to increasing responsibilities and accountability, both corporately and personally. Expanding regulatory pressures are not only raising the importance of the role, but also elevating its prominence in corporate leadership. CISOs are tasked with improving data security policies and initiatives such as Advocacy, Procurement, and User Policy and Behavior to enhance organizational risk mitigation.

ADVOCACY

Organizations that take a security-sensitive approach need to advocate for early adoption of risk mitigation tools to help both in-house and remote employees. It is the role of Information Security to advocate for appropriate policy changes to ensure that all employees and vendors are properly monitored for proper and ethical behavior at work.

To ensure proper protection, the CISO should advocate to Human Resources and other executive leadership for enhanced drug testing to respond to the changing regulatory landscape involving legal cannabis use across the country. Organizations should consider implementing recent use breath testing to help detect and deter workday cannabis use. With a cannabis breath test, employers can objectively determine if an employee has recently used cannabis, either by ruling out the drug or confirming it as a potential factor influencing employee behavior. Cannabis breath testing can help employers mitigate the risks of workplace incidents, deter recent use, and reduce costs related to workday use. Risk mitigation is also supported by ensuring vendors perform some sort of recent use cannabis testing.

PROCUREMENT

Risk mitigation does not stop with the employees under your roof. It extends to all vendors from which you purchase goods and services. Business use of outsourced vendors requires additional Information Security oversight to help ensure the protection of critical business functions. If a breach occurs, customers will not care whether it originated from your organization or a third party. When personal or sensitive information is shared, the expectation is that you will protect it. A breach or outage will ultimately impact your business, either as revenue loss, reputational damage, or both.

Adequate security oversight, including contractual and periodic security reviews, are key components of a comprehensive security program. It is vital for the CISO to be involved in vetting potential vendors and business partners prior to sharing confidential information. Key security thresholds should be established for contractual agreements with vendors, with periodic security reviews to ensure all activities achieve and continue to meet requirements.

Special attention should also be given to the vendor’s drug testing policy. Critical questions to ask include:

• Does the vendor have a drug testing policy?
• Who is tested and what is the frequency?
• What tests does the vendor use?
• Does the vendor have a method to test for recent drug use?

When establishing criteria for a vendor, the CISO should consider the holistic picture of all security measures, including drug testing, that the vendor has in place. At all times, the primary focus should be keeping company information protected whether in-house or with a vendor.

USER POLICY AND BEHAVIOR

While security-sensitive teams aren’t necessarily involved with drug testing programmatically-speaking, these employees play a critical role in helping organizations achieve their core, data-driven objectives. Cannabis testing may not fall solely under the purview of a security-sensitive team, but all stakeholders need to understand the purpose of risk mitigation programs and the keys to effective policy adherence among employees.

In conjunction with HR teams, the CISO should be an executive leader in setting and enforcing company guidelines for user policy and acceptable behavior. This includes updating drug testing policies to include random testing for safety-sensitive positions, as well as reasonable suspicion testing for all employees. Reasonable suspicion testing is conducted based on the immediate and direct observation of an employee exhibiting signs of substance use. It’s important to train managers and supervisors on the appropriate objective evidence that could warrant ordering a drug test based on reasonable suspicion. A general list of indicators may include:

• Observable behavior – including sudden erratic behavior or changes in an employee’s demeanor over time
• Performance issues at work – a decline in the employee’s usual job performance, increased absenteeism, or frequent tardiness
• Physical signs – including but not limited to dilated pupils, bloodshot eyes, or slurred speech
• Psychological signs – including but not limited to irritability and lack of focus
• Neglect of personal hygiene – a disheveled appearance or a sudden change in grooming habits
• Shifts in established patterns – such as drastic changes in work habits, social interactions, or personal relationships

The CISO and HR teams should be leading advocates for establishing and enforcing guidelines for user policy and acceptable behavior and ensure the rules are implemented efficiently, effectively, and fairly.

SHIFTING ORGANIZATION RISK MITIGATION STRATEGY

There’s a lot on the line these days for modern businesses and industries in the realm of Information Security. Leaders must be vigilant in addressing organizational risks both internally and externally – vetting systems, vendors, and vulnerabilities along the way. The time is now to adopt tools and solutions that enhance the employee experience while still protecting proprietary information. Those who develop risk management and Information Security best practices that include a recent use breath testing program will undoubtedly fare much better.

For more information on how to bring cannabis breath testing to your organization, download our latest eBook.