Security is viewed as a cost center in many organizations. If there is not already an insider threat program in place, its value will often have to be demonstrated to senior management before additional resources are allocated.
If you are tasked with launching a new program (or overhauling an existing one), consider first how best to plan it, carry out the desired objectives, and communicate the benefits of insider threat mitigation throughout the organization.
1. Be Inclusive When Assessing Insider Threats
Involve the right parts of the organization in protecting its assets from malicious internal actors. Insider threat must be treated as an enterprise-wide risk. Beyond the security function, which is the underpinning of an insider threat program, other important departments include HR, IT, Compliance, and Legal. Each of these areas, with its specialized focus, contributes a part of the picture when assessing insider threats. The gaps between them need to be assessed as well, to determine where internal controls are weak or non-existent and to eliminate “blind spots” in the insider threat program.
2. Elevate Insider Threat Awareness
Awareness is important not only to high-level managers and executives, but also to front-line employees, who are closest to the problem when a rogue employee begins to display counterproductive work behavior. Your organization needs to make clear which resources are considered proprietary and thus must be strictly controlled or protected. Employees must also be aware of the behaviors that are out of the ordinary and should be a cause for concern. Equally important, you should institute an internal culture that is focused on helping problem employees before they do real damage.
3. Nurture a Risk Management Culture
Insider threat program managers should work collaboratively to institute risk management across their organization. This risk management structure involves an awareness of risks and threats, and creates a mindset that security controls are in place for a reason. For a risk management culture to successfully take root, it is important to cultivate a climate where everyone knows his or her role, and understands that there is no negative repercussion for reporting a potential malicious insider — whether the concern turns out to be legitimate or not.
Organizations should seek to instill a risk management culture from the top down, so that senior managers provide a positive example of “living security” — and demonstrate that the organization’s policies and procedures are not merely empty documents. As with all cultural changes, the shift to a risk management mindset won’t occur overnight, especially at a large or traditional organization where this has not been a priority.
A risk-based assessment of the organization’s internal security is an ongoing effort, because the insider threat is not a static problem. A strong defense-in-depth strategy that cuts across all relevant organizational functions — and has broad-based employee buy-in — has the highest probability of success.