Why End-to-End Insider Threat Detection is Your Only Option

Threatswitch Team
July 18, 2016

Program approval is hardly the only challenge government agencies are facing: Many are struggling with funding their insider threat programs, and even if funding is secured and approval is obtained, all potential programs still struggle to actually deter insider threats.

So, how do you ensure that your insider threat program is not only approved and funded but is also successful at its core mission? You need to create an end-to-end insider threat process. Here’s how you get started:

End-To-End Insider Threat Detection

An end-to-end insider threat program defines the processes, procedures, people, and systems that all integrate to deter, detect and mitigate insider threats. Many agencies begin to work through these different elements but end up stopping short. In the end, they ignore key processes because they’re not deemed to be “threats to national security” as outlined in the presidential directive.

But just because an insider threat law or policy doesn’t explicitly require you to change a function or process doesn’t mean you should ignore it. By excluding certain processes, the result is a half-baked insider threat effort – one that leaves you open to the very threats you’re trying to mitigate.

Without defining your insider threat program as a holistic and interconnected system, budget programmers are more likely to group initiatives only according to functional areas and not as part of a broader portfolio.

For example, a budget programmer might find it necessary to fund user activity monitoring (UAM) on classified networks. However, the budget programmer might not prioritize the funding of downstream security specialists who review the incidents from the UAM. As a result, the network monitoring is useless since it has no funding for an effective response.

Instead, your agency’s approach should be to create an integrated, end-to-end system. An interdependent system is the only way to realistically portray your portfolio of initiatives (and how they interact) to budget programmers and senior leaders. In turn, this integrated information helps leaders make well-informed decisions about overall portfolio costs, risks, and trade-offs.

Figure 1. Insider threat issue tree: your insider threat detection processes must be end-to-end to ensure funding, compliance and success.

Creating Your End-To-End Insider Threat Program

In order to move your insider threat program from a mere list of activities to an integrated system, here are the steps you need to take:

  1. Define objectives: Start by defining your goal for the program, your picture of success and how you plan to measure success. Don’t look to compliance issues first; instead, examine the lifecycle of an employee and all of the touch points and intersecting processes. Then, evaluate those elements for a holistic perspective of insider threat drivers.
  2. Use an issue tree: Construct an issue tree to break down your objective into the key, mutually exclusive and collectively exhaustive drivers (see figure 1 above).
  3. Identify gaps: Pinpoint areas of risk and concern that you need to address in your insider threat initiatives.
  4. Ascertain details: With gaps identified, you also need to define process owners, funding sources and program requirements.
  5. Determine interdependencies: Evaluate your entire insider threat program and establish which functions are interdependent and which processes are essential trade-offs.

By creating your insider threat program holistically, rather than focusing on separate functions or drivers, your program and budget managers can make informed decisions about where each investment creates the most impact. And those well-informed decisions translate into approved programs, secured funding and successful threat mitigation.
