Article

With insider incidents on the rise, security leaders are taking a proactive approach to help blunt the negative impacts

For most organizations, people are their greatest asset. However, employees with access to information, technology, and facilities can also be your company’s greatest vulnerability — intentionally and unintentionally.

In light of recent mass layoffs and the rise of remote workforces, it is crucial for corporate security teams to establish robust processes and protocols for insider threat investigations. This proactive approach enables them to respond swiftly and even prevent incidents before they occur.

But for many security leaders, developing effective insider risk programs is challenging. In many cases, executive leaders fail to see the value. Or it can simply be too difficult to change the status quo. In this article, we uncover how three seasoned security leaders built insider risk programs that work. Specifically, you’ll learn:

Threat vs. Risk: Language Matters

“Insider threat” versus “insider risk” — which one should you use? Regardless of the program’s name, the choice sets the tone for employees and affects a company’s culture.

Naming a program “insider threat” can create an adversarial tone, leading employees to feel that you are targeting them. Whereas leveraging terms like “risk” shifts the blame away from employees and helps them see that the program protects them and the organization.

Dell Technologies’ Global Head of Investigations and Insider Risk Management, Tim Kirkham, has implemented two threat programs in his career. He explained that naming decisions come down to company culture.

“If you have your employees start to look at you as if you’re targeting them as opposed to protecting their hard work and keeping them safe, you’ve lost your program,” he said. “So really, for me, it was a matter of let’s figure out what our culture will bear and not whether this terminology will stick.” 

Think Big, But Start Small

Given the critical importance of insider risk mitigation, it’s tempting to want to set lofty goals and start big. However, while a clear long-term vision is important, the most effective programs start with a focus on small areas of immediate impact.

“The biggest mistake that I see people make is coming in to build an insider threat program with a great vision but trying to do it all at the same time,” Kirkham said. “You’ve really got to focus on what’s going to add value early on, what’s going to get the attention of your leadership and then keep the attention of your leadership.”

Kirkham focused on the secure offboarding of people first at Dell. Because every company offboards employees, developing a program for securing company data — whether IP, financial, or something else — is a great first step that any organization can tackle. 

“Everyone has people leaving the company, and the security of your information and your data is very important to your company remaining solvent,” he said. “The shareholders trust you to protect that information. If you focus on that first, you can demonstrate that there is an issue. This is an issue that we can resolve, that’s step one. And then you can grow from step one.”

Mary Paradis, Chief of Police & Executive Director at the University of Mississippi Medical Center, noted that starting small might also mean recognizing that not everyone in your organization understands insider risk as deeply as you or your team. 

“I wish I would’ve gone a little slower internally because I forget the people I’m teaching don’t know everything I know,” she said.

It Takes a Village

There isn’t a one-size-fits-all path every security team should take when building an insider risk program from the ground up. Cornelius Tate, Principal of Convergence Risk Strategic Advisors, recommended security leaders lean on their peers across the organization to build a program that works for their company’s unique needs.

“Every place is going to be a little bit different in terms of how you structure that particular group,” he said. “One of the things that I will say right off the bat is just like the book, it takes a village. It really does take a corporate village to be successful in this space.”

Tate emphasized that physical security teams need to foster cooperation across the organization — from cyber security to legal, and HR to facilities management.

“Working with the IT folks will be critical. They utilize things like data loss prevention because people may be attempting to exfiltrate IP or other sensitive data out of that property,” he said. “And legal is obviously important just to really set the appetite for the organization’s risk or if it has no risk but a potential liability.”

Similarly, Paradis cited her strong relationship with HR as the foundation of her insider risk program’s success. She noted that because so much information runs through HR, it’s essential for an insider risk program to have close collaboration with the HR team.

“I had to develop a relationship of trust with HR because everything that happens, they’ve got the intel on it, and it has to go through them. HR is kind of the wheelhouse of everything. We share intel, and that’s how we get ahead of things,” she said. “There are times when you use the whole group to develop an insider threat plan. And I think that we’ve been successful because we have a multidisciplinary team and work very closely with HR.”

While cross-team alignment is important, Tate also cautioned that even well-thought-out programs can be blocked by misaligned executives. He said that in a previous role, he pushed for an active shooter training program based on feedback from employees but was met with resistance from leadership.

“The CEO was dead set against any training because, in his view, it would only upset and worry the employees,” he said.

Proving ROI

Because executives are often the final decision-makers, gaining leadership support is critical. However, getting buy-in typically depends on your ability to prove that the investment isn’t just a cost center but rather a value-add to the organization.

Paradis shared that sometimes compelling events like legislation or reporting requirements can provide an opportunity to demonstrate value. For her, it was a 2022 joint commission report that required hospitals to report and make available all workplace violence incidents. 

Forming a behavioral response team that looks at code whites — an “all hands on deck” incident in a healthcare facility — Paradise instructed the group to track the total volume of incidents compared to incidents they were able to de-escalate.

“So I could sell that to a city manager or a chief of a police department that says, I’m putting this little bit of resource in, here’s my ROI,” Paradis said. “If I were you, I’d build this out and I’d have them working with other folks within the organization to capture the data and to make sure that we’re keeping our people safe and then buy-in from the clinical staff.”

For Kirkham’s offboarding program at Dell, leadership began to see the ROI when he presented it in terms of financial impact.

“We developed a way to monetize the information we’ve prevented from leaving the company, and money talks. We tried gigabytes of data, we tried file numbers, we tried all different kinds of things,” he said. “Nobody cared, and nobody listened until we created a formula with help from legal and finance. And with this formula, you can say, ‘Hey, this particular data set was worth $1 million over the next X number of years.’ Now people start listening.”

Next Steps: Culture Matters

Gaining cross-functional support, proving the value of your program, and choosing the right language are crucial best practices when building an insider risk program from the ground up. However, these steps take time.

One thing you can do today that can have immediate impact is to begin cultivating a “see something, say something” culture.

Kirkham stated no matter how hard you work to hire good people, even the best people make bad decisions under extreme stress. Unfortunately, there is no technology that can accurately predict these threats. The key is to educate employees to look out for warning signs before an incident occurs and remove barriers to reporting these observations. 

As Tate put it, “Employees have to have the feeling that they are working toward the greater good and providing this information. So you need to have some degree of anonymity for those employees that are making those reports because in almost every instance of a workplace violence active shooter incident, what people always say is that I knew something was going on with that person. It’s always after the fact.”

An effective insider risk program is a critical component of any organization’s security strategy as the threat landscape evolves. In complex organizations, it can be challenging to overcome obstacles like lack of budget or leadership support, but starting small and following best practices outlined by the leaders in this article can set you up for long-term success.

The post Creating an Effective Insider Risk Program appeared first on Ontic.

*** This is a Security Bloggers Network syndicated blog from Articles - Ontic authored by Kelsey Gunderson. Read the original post at: https://ontic.co/resources/article/creating-an-effective-insider-risk-program/