Resilience and cybersecurity fundamentals drive HireRight’s global data protection strategy – Intelligent CISO


As organisations handle increasing volumes of sensitive personal data across global operations, maintaining consistent security and privacy standards has become a critical priority. Jim Desmond, Chief Information Security Officer at HireRight, tells us how the company is strengthening its security posture through standardised controls, automation and a continued focus on cybersecurity fundamentals.

How are you strengthening data security and privacy across HireRight’s global background screening platform as it scales across multiple regions?

In the past decade, we have seen security and privacy concerns come to the forefront of our business, as they have with any company dealing with sensitive information. Couple that with our global presence and the challenges can be daunting indeed.

We consider ‘standardising’ our information security and privacy controls critical to our security posture. We face this challenge from two perspectives:

First, from a privacy/regulatory perspective, we tend to adopt the most ‘restrictive’ requirements and implement that standard globally. For example, if one region has a cookie notification requirement (such as with GDPR), we will implement that across our enterprise because it is the most restrictive of the controls. There are potential exceptions where regulations may conflict, at which point we implement those on a regional basis. This perspective allows us to minimise exceptions, reduce complexity and stay focused on what matters.

Second is a security control focus. We use controls that are effective and provide the level of security that our customers need and expect. We replicate those controls globally, even in regions that might require a local implementation of our technology. Security is hard enough without having multiple disparate systems to protect your assets. Again, minimising complexity, with a focus on effectiveness, gives us the strong foundation we need to work from in a complex business.

What are the biggest cybersecurity challenges associated with handling sensitive personal and employment data at a global level?

Cybersecurity for any organisation that deals with sensitive information is a real and very important challenge—and we are no exception to that. We work hard every day to protect the data entrusted to us. With that in mind, the global aspect adds a layer of complexity that requires focus, maturity and dedication.

Even little things like time zones can have a significant impact. For example, we recently had a situation with an event log, thinking that an event had occurred twice over four hours. In fact, it was a single event, but the two analysts investigating it were based in different time zones, making it look like multiple events. If you are not focused and haven’t set clear procedures on how to align the work so that it is universal, costly friction can occur.

So, the biggest challenge is staying focused, maintaining maturity and dedicating the resources to doing the fundamentals the right way, every time. It can seem overkill at times, but when chaos hits, people fall back on what they know, and if your fundamentals are strong, your organisation will also be strong.

How do you ensure secure integration between HireRight’s platform and third-party HR systems used by enterprise clients?

Our integrations occur at the API level. We use multiple layers of control to ensure that our integration only provides the level of access needed to do the job asked—nothing more. We focus heavily on reducing our attack surface, meaning that there are multiple ‘hoops’ you need to jump through to establish, authenticate and implement that integration. While integrations can be conducted relatively quickly, these steps give our environment a defence in depth and additional protections against the unexpected.

What role does automation and AI play in enhancing threat detection and response within HireRight’s security operations?

Incident response is where automation and AI really change the game for our security team. Instead of analysts spending time triaging recurring alerts, automation allows us to handle low-risk and/or well-understood incidents immediately (for example, isolating an endpoint, disabling a compromised account, or addressing a phishing email), so our analysts can focus on things that require deeper analysis or immediate action.

That said, for a company of our size, AI is not about replacing people. We see it as a force multiplier, augmenting analysts with better prioritisation, faster investigations and clearer context. Human oversight remains critical, especially when decisions affect business operations, customer experience or regulatory exposure. Industry research consistently shows that successful programmes balance automation with governance, transparency and clear escalation paths.

While AI and automation continue to be leveraged by bad actors, they are also becoming essential in modern security operations. Cybersecurity teams need to be armed with tools that can help detect and respond at the speed and efficacy of their opponents.

How do you balance regulatory compliance requirements across different jurisdictions while maintaining a consistent security framework?

Balancing these regulatory compliance requirements across jurisdictions harkens back to the earlier question. We attack this by choosing the most restrictive option and deploying that as the standard across our enterprise. The goal is to minimise exceptions, which can be inefficient and costly as they grow in number. Additionally, a security framework cannot be so rigid that it conflicts with regulatory compliance—it exists to guide a security organisation to implement and maintain strong controls. A regulatory requirement can make things more complex, but I don’t think I have seen where it violates the integrity of a security control.

What strategies are you prioritising to protect against emerging threats targeting identity, verification and screening platforms?

The strategies we are prioritising are relatively straightforward. While there is a lot of change in the technology space, through AI and similar technologies, the need to focus on the fundamentals remains. Now more than ever, cybersecurity professionals need to stay focused on things like authentication, authorisation and data governance. The concepts and controls that got us to this moment can still serve as the core of a strong security programme. With emerging technologies shortening our time to detect and respond, we need to prioritise having a strong foundation from which to operate, reducing the chaos and uncertainty that can paralyse an organisation.
