On December 29th Gartner analysts Jonathan Care, Brent Predovich, and Paul Furtado published the first ever Market Guide on Insider Risk Management Solutions. Any first research piece is a big deal for Gartner and their clients, and this one is particularly interesting considering the events of the last 9 months.
In our analysis, three distinct definitions and key vendor evaluation criteria stand out in Gartner’s research.
- The definition of Insider Threat
- The distinction between Monitoring and Surveillance.
- The importance of Transparency and Privacy
As defined by Gartner, ‘an insider threat is a malicious, careless or negligent threat to an organization that comes from people within the organization — such as employees, former employees, contractors or business associates — who have inside information concerning the organization’s security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, or the sabotage of computer systems.’(1) Gartner leverages the ‘Rule of Three’ to further describe an insider threat.
Also interesting is Gartner’s clear delineation of the terms monitoring and surveillance. This delineation takes care to highlight the importance and value of having both an asset-centric and people-centric view of systems, data, and machines to ensure the proper understanding of ‘context’ as it relates to insider activities and intent.
Gartner’s definition of each term is:
- “Monitoring” refers to any technique or technology used to collect data from IT assets. Monitoring is asset-centric in its focus.
- “Surveillance” refers to the overt and covert use of monitors in pursuit of a comprehensive awareness of the activities of a defined person, or set of people, within a given context. Surveillance is people- centric in its focus.(1)
Importantly, Gartner calls out the risks associated with Insider Risk Management programs when not properly designed, communicated and implemented with the support of internal and external IT, HR, Privacy and Legal partners.
Specifically, the market guide suggests: ‘Surveillance of employee activities is not without risk. Organizations commonly monitor internal communications systems (for example, email or collaboration platforms) and investigate suspected policy violations. But expansion of these activities into a more pervasive inspection of the work life of employees can infringe on employee privacy expectations and rights in the workplace. Before organizations explore the use of insider threat tools and services, they must consult legal counsel and human resources leaders, and set boundaries on the capture, storage, sharing, analysis and destruction of data regarding employee activities.’
Our experience with more than 200 enterprise and public-sector organizations maps directly to Gartner’s recommendation concerning the importance of transparency, communication, privacy and internal alignment when designing and implementing an Insider Risk Management program. When communicated openly with employees and they are provided the opportunity to ask questions about the program including — what are the use cases, what type of information will be monitored, what behaviors will be surveilled, how will this information be used, who will have access to this information, and what policies are in place to ensure the proper handling of data collected in compliance with PII and GDPR – employees will often support the program and willingly accept some ownership of its success.
A complimentary copy of Gartner’s Market Guide for Insider Risk Management is available here.