Insider risk incidents are on the rise, and critical infrastructure is increasingly being targeted. As 2023 nears, we believe establishing an Insider Risk Program should be a top priority.
Off the back of our SOCI event in November, we’re sharing a three-step approach for kickstarting an Insider Risk Program, drawing on some of the key insights from the panel.
CRAWL: Creating programmatic multi-stakeholder governance
One of the most common and frustrating challenges faced by newly appointed insider risk program leaders is a lack of buy-in or support from the top. They get hired and given the tools and budget to ‘fix a problem’, only to find that when they need stakeholder engagement – which they eventually do – they hit a wall. All it takes is one person to say “I’m working on other priorities, come back later” for an Insider Risk Program to grind to a halt.
This is why it’s important to establish multi-stakeholder governance right from the start.
Establishing a framework with clear roles and responsibilities provides accountability that leads to better business practices and outcomes.
What’s also important to note is the culture that flows from the program. Having the CEO or an executive-level decision-maker involved, and championing the program throughout the organisation, is critical to getting the culture right, accelerating time to action and effecting change.
And when the CEO understands and believes in the Insider Risk Program, they can step in to find a solution if and when a roadblock does arise.
The Risk Management Program under the Security of Critical Infrastructure (SOCI) Act provides a starting framework for organisations to get the balance right.
“It’s about setting cultural change at the board level to enable organisations to have rational discussions around threat and risk, and how to invest for a more resilient company,” says Hamish Hansford, Home Affairs’ Head of Cyber and Infrastructure Security Centre.
This factsheet provides a high-level overview of the Risk Management Program.
WALK: Establishing a dedicated cross-functional team
Understanding insider risk means understanding that it is a human challenge that requires a cross-functional approach and the breaking down of silos.
Including people with different backgrounds – such as HR, people and culture, legal, risk, compliance and cyber – combined with the right governance structure in place is key.
Where the Insider Risk Program sits within an organisation is less important. Depending on the organisation and the governance, it may fall under people and culture, cyber or risk. So long as there are multiple backgrounds, skills and ideas working cohesively on the mission of reducing insider risk, the program stands a strong chance of being a success.
The group then needs to consider hiring a dedicated insider risk leader whose sole focus is to proactively manage insider risk.
Organisations would stand to benefit by thinking outside the box when it comes to employing insider risk practitioners.
“We’ve created our own skills crisis in security by being very narrow in our perception of what would make a good security person,” says Min Livanidis of Amazon Web Services.
Hiring people based on attitude, aptitude and soft skills will open the door for the net new talent that is needed to overcome the security skills gap, particularly in insider risk.
A major focus of the Australian Insider Risk Centre-of-Excellence, which opens in March 2023, will be recruiting and preparing the next wave of insider risk practitioners. If you’d like to get involved or to learn more, register via the Australian Cyber Collaboration Centre.
RUN: Discovery across people, processes and data-driven technology
The next phase of establishing an Insider Risk Program is discovery: not just of data, but actionable insights as well as the policies in place, the internal communications and the broader organisation’s understanding of insider risk.
One approach when starting discovery is to take stock and assess, drawing upon the intelligence lifecycle, and then preparing a proposal off the back of that.
Having a policy is one thing – but it needs to be a living and breathing document that is clearly communicated across the organisation.
“Most policies are boring, too long and are often used as policing documents,” says Rahn Wakeley of Dubber.
At the end of the day, an Insider Risk Program should protect the organisation, people and critical assets without being perceived to invade employee privacy. Striking the right balance between security and privacy requires meaningful communication and influence from the top down, not just of what the program will do – but what it will NOT do – and why.
Many security awareness programs fall short of enforcing policy because they lack genuine employee engagement and get in the way of productivity. The worst ones come with a threatening warning, which only gets the employee offside, making them more likely to circumvent security controls and rendering the training completely counterproductive.
Using ‘teachable moments’ is a far more effective approach.
“This is about giving people context on what they can do today to make things better tomorrow,” says Rahn.
A friendly, non-threatening notification highlighting the potential impact before ‘an event’ occurs is far more powerful than a reactive, ‘you’re in trouble’ pop-up with zero security impact.
With teachable moments, you’re giving the employee an opportunity to learn about a potential action and gravitate towards a more secure outcome.
Data is also important, but only to the extent that it proves valuable.
More data is not the answer, as we’ve seen with intrusive surveillance tools that simply hoover up data without addressing privacy concerns. The problem with the ‘big brother’ approach is two-fold: it completely erodes employee trust, and the data itself does nothing to actually address insider risk because it lacks context. What’s needed is relevant, behaviour-based metadata that shows intent and can be proactively used to address risk.
“If you can take data and turn it into an actionable insight, and turn the actionable insight into action, then you’ve created a value chain,” says Rahn.
MITRE’s Guiding Principles for Insider Threat provide the foundations that underpin successful insider risk management and can be easily adopted, regardless of organisation type or size.
When insider risk management becomes BAU
An effective Insider Risk Program is not a set-and-forget initiative. It’s a cyclical feedback loop that, if done right, gets easier over time until it’s a natural part of the culture.
No enterprise organisation is doing nothing when it comes to insider risk, and the idea that establishing a dedicated program is too hard is a misconception. The hardest part is herding the cats, but once stakeholders are on board and engaged, an Insider Risk Program becomes business as usual, where employees are productive and engaged, and security is a by-product of that.
We want to give a big shout out to Australian Cyber Collaboration Centre, MITRE Corporation, Providence Consulting Group and Commonwealth Bank of Australia for working with DTEX to bring together thought leadership events to share best practices around insider risk management. A great example of how collaboration helps us all to shift the needle.
Contact us to learn how we can assist you in creating an Insider Risk Program.