Managing the risks presented by insider threats is, in large part, founded on historical counterintelligence precepts. In this webcast, I discussed three counterintelligence practices for the digital age and how these proven maxims may be translated into controls to enhance your cybersecurity posture.
- Be offensive: While today’s threats are ever evolving, one constant is the human element as a primary threat vector. Rather than merely responding to events after the fact, get ahead of a potential incident by identifying human threat indicators and offering risk treatments before threats materialize, to better secure company resources and intellectual property.
- Own the street: Historically, physical surveillance kept watch over nefarious activities on our streets, and today we must maintain the same vigilance over the digital highway. Look to enhance your organization’s situational awareness to better defend your assets, personnel, and reputation.
- Don’t ignore analysis: The best insider threat programs have not only sophisticated technology, an established governance structure, and awareness and reporting programs, but also the means to discern the importance of each of these components’ results. It is only through appropriate analysis that data becomes operationalized information. Enhance your risk management operations with on-site teams to meet your analytical requirements from initial operating capability through optimization.
Below are a few questions posed by attendees during the live webcast and a recap of my thoughts:
1. Who generally leads this program? CISO or HR?
The leader of the insider risk program will vary by organization. My personal preference is for the Chief Security Officer (CSO), or perhaps even the Chief Risk Officer (CRO), of an organization to lead the program.
Many people think they need to attack the problem from a technical perspective and push it to the Chief Information Security Officer (CISO) or Chief Information Officer (CIO), but from what I’ve seen that may not be the most effective approach.
Obviously, there is also a Human Resources component, and HR will be a key internal stakeholder.
At the end of the day, organizations need to triage the information, and if the desired outcome is to protect the company, then insider risk is better aligned under a CSO role.
2. In your experience, how do employees react when an insider risk program is rolled out? Are they offended that they aren’t trusted and “big brother” is watching?
My advice: be transparent. Before formally launching an insider risk management program, develop a strategic communications plan that explains the rationale for the program and aligns with the organization’s mission, vision, and values. Communication themes should help employees understand the “why,” explain the holistic and preventative nature of the program and its focus on employee welfare, and inform employees of their roles and responsibilities associated with insider risk.
3. How would you have prevented the Edward Snowden NSA data breach incident? Many still see this guy as a “hero.”
Politics aside, whether you view Snowden as a hero or a traitor, there were many existing administrative-type controls in place that simply were not enforced. If you have something on the books, whether a procedure, a policy, or a law, it’s only as good as its enforcement mechanisms.
4. You mentioned that relying on technical monitoring/IT-based data is not enough. What are the alternatives or additional steps we’d want to take?
You probably want to consider the human-related elements, and that is something we often work with companies on, because it’s a bit more difficult than getting the structured data that might already be in a database. Some things you might want to consider are what we call psychosocial or behavioral indicators, for example:
- Employee performance. Do you have someone who is continually on a performance improvement plan? You might want to increase their risk score, because some behavior brought them to the point of potential termination from the company.
- Or, I’ve seen companies entertain the use of credit scores from an external vendor to see whether a person has a degree of indebtedness that could place them in the at-risk category.
5. How do I convince my management we need an insider risk program to avoid a threat proactively?
Not an infrequent question, and a very valid one. It comes back to: what is the problem you’re trying to solve with the program? We’ve had clients come to us and ask us to help articulate the business case to their management and explain why they need a program.
This often comes from someone who has listened to a webinar, or gone to a trade show and heard a pitch about why a program works and is needed. You have to fit that in with your respective corporate or organizational culture, understand the objective you are trying to reach, and, at the end of the day, if you still think it’s the right thing to do and you’re just at a loss, talk to us.
This is something Leidos takes on; we regularly assist our clients with framing the perspectives and arguments that help make the business case to management.
And, depending on what level of program you want to execute, this is not a simple or resource-light proposition. It does take effort. You need a little bit more than just buy-in from the top; you need executive or leadership advocacy. If you can’t use your executive leadership team as your evangelists, it may be a bit of an uphill struggle.
6. Based on your entire presentation, what would be your advice to those who are interested in beefing up their security and preventing insider threats?
The first thing would be to get a plan together. I’ve been to trade shows where there is a multitude of different technologies that promise to solve all of your insider woes. And I’m not dismissing technology; in fact, it plays an integral part in any insider program. But, as we often say, a tool does not make a program; it is a part of a program.
So before embarking on any risk program, you have to think through the value proposition, what’s the risk tolerance of the organization, what’s the culture, and does it (an insider risk program) necessarily fit? You have to understand the playing field in which you want to deploy a risk program.
And most importantly, what are the outcomes that you want from a program? We often hear people come to us and say, “We want to deploy a program, but we’re not sure why.” Figure out what your desired end state is from implementing a program, and then reach out to a company like Leidos to help you chart a course to your desired outcome.
7. Is there a white paper or other documentation that talks about the other Commandments?
Yes, I invite you to download the 10 Commandments Quick Guide companion piece.
Watch the on-demand broadcast for the full conversation: