
Part 2: Communication and documentation contribute to building a successful insider risk program.

When implementing an insider risk program, it is necessary to take foundational measures to integrate both technical and non-technical elements for a truly holistic defense.

There are eight components every organization must consider when building a successful program. Two of them, leadership advocacy and a proper governance structure, are what you need to kick off your insider risk program and were discussed in part one of this series.

In this post, let’s explore why you need a comprehensive communication strategy and the importance of documentation.


Before formally launching an insider risk program, you should develop a communications plan that aligns with the organization’s mission, vision, and values.

Most importantly, be transparent. Develop a strategic communications plan that explains the rationale for the program. Communication themes should help employees understand the “why,” explain the holistic and preventative nature of the program and its focus on employee welfare, inform employees of their roles and responsibilities associated with insider risk, and convey senior leadership’s advocacy and support of the program. When doing so, be sure the messaging is tailored to all levels of the organization.

Once messaging has been reviewed, finalized, and approved, broadcast the information in as many avenues as possible: webinars, emails, podcasts, posters, and company newsletters. This dissemination plan can also be used for the training and awareness campaign I’ll discuss later in this series.

A well-rounded communication plan should also account for the means and channels to receive insider information from internal and external sources. Although existing reporting mechanisms may suffice, you should also consider other dedicated means, such as the web or a hotline, making it as convenient as possible for people to help thwart insider incidents.


Formal documentation that outlines the mission, charter, roles and responsibilities, authorizations, etc. is imperative for a well-functioning insider risk program.

A comprehensive Concept of Operations (CONOPs) should be one of the first program documents and serve as the insider risk program foundation.

The CONOPs document should be a comprehensive “living document” and contain a mission statement—including an organizational definition of an insider—and descriptions of the insider risk program’s initial and full operational capabilities. Existing organizational policies should be evaluated for their applicability to the insider risk program, and a dedicated organizational policy should fully articulate the function and authority of the insider risk program.

It should also include associated appendices addressing such items as program staffing, resources, privacy, monitoring, and consequence management processes.

Part Three: What Deserves the Greatest Protection

In my next post, I’ll explain the importance of defining critical assets vital to business operations and leveraging technology—two more components in developing a successful insider risk program.

Need Help with Your Insider Risk Program?

As the workplace becomes more complex and insider risks increase, organizations must ensure they can detect anomalies and prevent incidents before they happen. Leidos is your trusted partner to ensure the protection of your company’s critical assets and help you prevent an insider incident before it occurs.

Our array of insider risk solutions and team of insider risk experts are ready to assist you through all phases: assessing your current risk profile, creating and administering a comprehensive insider risk management program (including the best technology for your specific needs), and helping you respond properly to insider incidents if they do occur.

Contact us to talk to one of our insider risk experts today or download the white paper and explore the eight components every organization must consider when building a successful insider risk program.

Principal Consultant | Cary provides services to commercial and government clients through all phases of insider threat programs. Immediately prior to joining Leidos, he was the Counterintelligence Program Manager for a global communications and information technology company. Before that, Cary served in the federal government for over 25 years and held intelligence, counterintelligence, and investigative roles with the Central Intelligence Agency, the Office of the National Counterintelligence Executive, and the Air Force Office of Special Investigations. He earned a Bachelor of Science degree from the United States Air Force Academy and a Master of Arts degree from The University of Utah.