Having worked on insider threat programs for nearly 30 years, I’ve come across some common myths and misunderstandings. For those not as close to such programs, we define an insider threat as a current or former employee, contractor or business partner who has or had authorized access to an organization's networks, systems or data and intentionally (or unintentionally) exceeds or misuses that access in a manner that negatively affects the confidentially, integrity or availability of the organization’s information, operations, resources, personnel or information systems.
So myth #1: Insider threat is a cybersecurity issue. Actually, the cybersecurity function, while significant, is just one pillar of an insider threat program among many, including human resources, legal, physical security/facilities and communications. All of these stakeholders need to be equal partners with a seat at the table to achieve an effective insider-threat program.
While organizations often place their insider-threat program with the Chief Information Security Officer, this may not be the best approach. The problem with elevating any one function is creating an imbalance of views in a program where collaboration and trust are vital. Inevitably, there will be fundamental differences between stakeholders, such as between security and HR for example when it comes to sharing internal data vs. privacy policies and regulations.
Where, then, does the ownership of an insider-threat program belong? Large organizations can place it almost anywhere, as long as:
- It is clear that no one stakeholder is more important than any other.
- The executive sponsor must be able to arbitrate between the stakeholders.
Small companies that don’t have formal stakeholders can appoint and train any senior person with the capability to bring together the right people to address inside threat issues.
Within our U.S. federal government business unit, our insider threat program executive sponsor is our Senior Vice President of Strategic Operations. We found that the operations function is a good default owner for insider threat programs because they provide support across all staff functions and business units.
Myth #2: Insider threat can be solved with technology. The reason technology can’t solve this issue is because insider threat is primarily a people issue. All employees bring risk to the organization, from the chief executive on down. But what an organization needs to know is: who brings the most risk? This can be answered only through collaboration among the stakeholders identified above, not just at the database level but also at the human level as part of a culture and mindset that promotes regular discussion about what they are seeing.
Typically, each department/stakeholder collects its own data and holds it in its own silos. Each department also tends to set their own risk flags and alerts. Insider threat effectiveness requires sharing, aggregating and correlating data to provide a more complete picture and enable triggers based on a multiple, cross-departmental view of information. This is where technology certainly can help, such as data analytics and monitoring services.
At CGI, we use state-of-the-art cybersecurity monitoring tools to provide ongoing monitoring services, real-time reporting and immediate action on suspicious activity. Our managed security services can be performed from the client’s premises or CGI facilities.
Myth #3: Insider threat is a new issue. In reality, insider threat has been around for hundreds if not thousands of years. Think of the caveman who stole fire (one of the first propriety technologies) from another tribe. Insider threat has gone by many names, including theft, corporate espionage, sabotage, insider trading and many more. It really does not matter what you call it as long as you have a program in place to address it.
The bottom line is that every organization is different in terms of its structure, the data and assets it seeks to protect, and the rules and regulations of its particular industry. Where an insider-threat program belongs also may change over time, but the key success factors are these:
- A documented program
- An equal seat at the table for all stakeholders
- A common understanding of the problem set, shared goals and objectives
- A willingness to share information
From the U.S. federal government perspective, the National Industrial Security Program Operating Manual (NISPOM) Conforming Change #2 will require contractors with access to classified information to have an insider threat program within 6 months of publication.
CGI believes every organization needs an insider threat program. The scale and complexity of programs may vary, but if you have proprietary or intellectual property, or deal with client information, classified or not, the information needs to be protected and CGI’s advisory services can help you tackle this problem from the inside out.