Just as a good building will fall without a strong foundation, any program you can conceive can fail – no matter how bright the people, or how good the resources – without a solid framework in place first.
Likewise, organizations should be committed to building their foundational insider threat program framework (what it seeks to accomplish, what the ultimate goals are) before moving into implementation. It is wise for insider threat program stakeholders to take a step back and first ask, “What are the threats and risks my organization is currently facing?”
To fully understand the threats and risks, it is best to conduct a thorough risk analysis of each line of business that enables the insider threat program. Identify potential threats, prioritizing from high to low, according to the risks and impacts to the business. All organizations should be conducting a risk analysis on an ongoing basis to stay on top of an evolving threat landscape. Conducting a thorough risk analysis is a critical first step in developing a focused, effective framework to combat insider threats.
Insider threat mitigation efforts should aim to determine where the organization’s primary threats stem from, as well as the weakest links in its security infrastructure, based on known security capabilities, trends in the various security domains, and security breaches in its own industry or sector.
Confucius said, “The green reed which bends in the wind is stronger than the mighty oak which breaks in a storm.” Similarly, an insider threat framework should be created to readily adapt to the changing security and insider threat environment.
Ideally, insider threat program stakeholders should choose to create a holistic framework that is modular and flexible – one that can evolve with technology, compliance demands, organizational imperatives, industry trends, resource allowances, and other business and economic factors. It needs to include security policies, processes and procedures across all vulnerable touch points: from how people are given access to critical assets, to how employee access is monitored and analyzed, to how access is removed when an individual leaves an organization.
Once security policies, processes and procedures have undergone a rigorous review, the insider threat program will be better able to determine whether the organization should choose to improve existing processes or, potentially, scrap a system that is too flawed or ineffective and build new processes from scratch.
It is important to assess how existing processes actually work, and not just look at how they are theoretically supposed to work. For example, every individual within an organization may have a token or identification card to access the critical asset, and they may have been vetted and trained in the proper use of their access. But that does not necessarily mean that every individual or process always complies with these rules. A strong framework, and any assessment of that framework, should remain focused on how well the security policies, processes and procedures mitigate insider threats in practice, with ongoing adjustments made as needed to bolster organizational security.