For those of us who have been dealing with insider risk for as long as I have, justifying the mission can feel akin to producing a proof of Fermat’s Last Theorem. There are solutions to each challenge, but securing and maintaining buy-in against competing budgetary requirements is easier said than done. This is why measuring the efficacy of your insider risk program is so important. Insider risk programs are dynamic and require ongoing support. Measuring the efficacy of a program demonstrates to decision-makers, in a data-driven manner, the value of the resources they have allocated.
So how do we go about measuring the efficacy of an insider risk program? Here are five key areas on which to focus one’s attention: Risk, Communication, Education, Harmonization, and Alignment.
1. Prism of Risk
Most organizations make tremendous investments to protect the perimeter of their infrastructure, and rightly so. There are, after all, criminals and nations with deleterious intent looking for weak spots to gain entry. That said, the 2023 Ponemon Cost of Insider Risks Report shows that most insider incidents are caused by either negligent or outsmarted insiders. While it might sound obvious, reducing those mistakes (whether due to a lack of attention to detail or to being outmaneuvered) reduces the overall risk, as detailed in the recent report.
Therefore, when we look at risk, it isn’t a kaleidoscope we encounter, but a roadmap for increasing the overall management and success of our insider risk programs. When measuring the efficacy of an insider risk program, it is key to look at the program from the prism of acceptable risk. The C-suite and board are the ones who will decide what is and isn’t an acceptable business risk. It is the insider risk lead’s responsibility to clearly detail the status of their program, so those who control the distribution of resources can say with confidence, “there are deltas about which we are aware, and we accept these and will invest resources to mitigate the risks.”
2. Communication
It is not enough to declare that you have an insider risk program. The board, C-suite, and workforce must be educated about the program, why it exists, and what they need to do (and not do) to achieve the program’s objectives. Without this knowledge, well-meaning insiders (your employees or contractors) will be none the wiser.
3. Education
While messaging is important, insider risk training is foundational. This includes:
- Practitioners: Practical exercises, or “practice.” This includes on-the-job training where a novice is mentored by a journeyman, as well as table-top or live-action training scenarios. Training must exercise the insider risk management processes and procedures and be designed to highlight both known and unknown security deltas. The results enable decision-makers to understand the accepted risks and ensure these risks align with business expectations.
- Workforce: The trump card every entity has is the ability to provide in-the-moment reorientation when a member of the workforce demonstrates that they may deviate, or have deviated, from established processes, procedures, or regulations. Whether one is proactive or reactive depends on the telemetry at hand. When a proactive opportunity exists, individuals are given an early warning that their actions could lead to increased risk. If reactive, the opportunity still exists to educate on how to avoid repetition. Both are measurable, and as proactive engagement increases, one should expect reactive engagement to decrease.
4. Harmonization with industry standards
The National Insider Threat Task Force (NITTF) Insider Threat Program Maturity Framework provides a very useful starting point for measuring the growth and alignment of one’s insider risk program. Where any of the 19 elements are missing from an insider risk program, there is an elevated and unaddressed risk, and an opportunity to improve.
DTEX Systems’ InTERCEPT platform also has a useful capability for evaluating insider risk maturity, mitigation, and road-mapping for their clients. They have created a baseline, using data provided by their clients, which allows others within a given sector to self-measure where they stand.
In September 2022, the Intelligence and National Security Alliance (INSA) published a whitepaper on Measuring the Effectiveness of Insider Risk Programs and noted that “magic metrics” do not exist.
Instead, the INSA recommends organizations measure their maturity model and “what’s important now” to the organization. The idea is to align business objectives with the maturity model.
5. Aligning Insider Risk Management with Business Objectives
It is important to note that an insider risk program is not an island unto itself. It must be aligned with the business objectives and support the success of those objectives whilst preserving revenue and reducing incident remediation expenditures.
As the INSA cautioned, metrics for insider risk management should be aligned with satisfying identified business objectives. For example, capturing the percentage of a workforce that has been provided the appropriate insider risk awareness training is a clear metric with 100% as the desired objective. The number of instances of proactive engagement compared with reactive engagement is another useful metric.
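The two metrics named above (training coverage against a 100% objective, and proactive versus reactive engagement) are the same ones the Workforce bullet in the Education section calls measurable. The following is an added example, not code from the article, INSA, or any vendor, showing how a program lead might compute both from a training roster and an engagement log. The roster rows, the engagement events, the department names and the quarter labels are all constructed sample data; the "trend is healthy" rule (proactive share never falls, reactive count never rises quarter over quarter) is an assumed reading of the article's expectation, not a published standard.

```python
from collections import Counter, defaultdict

# Constructed sample inputs (hypothetical; not from the article).
# Training roster: one row per member of the workforce.
TRAINING_ROSTER = [
    {"worker": "w01", "dept": "eng",   "trained": True},
    {"worker": "w02", "dept": "eng",   "trained": True},
    {"worker": "w03", "dept": "eng",   "trained": True},
    {"worker": "w04", "dept": "eng",   "trained": False},
    {"worker": "w05", "dept": "ops",   "trained": True},
    {"worker": "w06", "dept": "ops",   "trained": True},
    {"worker": "w07", "dept": "ops",   "trained": True},
    {"worker": "w08", "dept": "sales", "trained": True},
    {"worker": "w09", "dept": "sales", "trained": False},
    {"worker": "w10", "dept": "sales", "trained": False},
]

# Engagement log: one row per in-the-moment reorientation, tagged proactive
# (early warning before a deviation) or reactive (after a deviation was seen).
ENGAGEMENTS = (
    [{"quarter": "2023Q1", "kind": "proactive"}] * 2
    + [{"quarter": "2023Q1", "kind": "reactive"}] * 6
    + [{"quarter": "2023Q2", "kind": "proactive"}] * 4
    + [{"quarter": "2023Q2", "kind": "reactive"}] * 4
    + [{"quarter": "2023Q3", "kind": "proactive"}] * 6
    + [{"quarter": "2023Q3", "kind": "reactive"}] * 2
)

# The article's stated objective for awareness training coverage.
TRAINING_OBJECTIVE_PCT = 100.0


def training_coverage(roster):
    """Percent of the workforce that has completed awareness training, overall and per department."""
    total = Counter()
    trained = Counter()
    for row in roster:
        total[row["dept"]] += 1
        trained[row["dept"]] += int(row["trained"])
    per_dept = {d: round(100.0 * trained[d] / total[d], 1) for d in total}
    overall = round(100.0 * sum(trained.values()) / sum(total.values()), 1)
    return {"overall": overall, "by_dept": per_dept}


def coverage_gaps(coverage):
    """Departments still short of the objective, worst first: the 'deltas' to report upward."""
    short = {d: p for d, p in coverage["by_dept"].items() if p < TRAINING_OBJECTIVE_PCT}
    return sorted(short, key=lambda d: short[d])


def engagement_by_quarter(events):
    """Proactive and reactive counts per quarter plus the proactive share of all engagements."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["quarter"]][e["kind"]] += 1
    out = {}
    for q in sorted(counts):
        p, r = counts[q]["proactive"], counts[q]["reactive"]
        out[q] = {"proactive": p, "reactive": r, "proactive_share": round(p / (p + r), 2)}
    return out


def trend_is_healthy(by_quarter):
    """True when, quarter over quarter, the proactive share never falls and the reactive count never rises."""
    quarters = sorted(by_quarter)
    for prev, cur in zip(quarters, quarters[1:]):
        if by_quarter[cur]["proactive_share"] < by_quarter[prev]["proactive_share"]:
            return False
        if by_quarter[cur]["reactive"] > by_quarter[prev]["reactive"]:
            return False
    return True


if __name__ == "__main__":
    cov = training_coverage(TRAINING_ROSTER)
    print("training coverage:", cov, "gaps:", coverage_gaps(cov))
    eng = engagement_by_quarter(ENGAGEMENTS)
    print("engagement by quarter:", eng, "healthy trend:", trend_is_healthy(eng))
```

Reporting the per-department gaps rather than only the overall percentage is deliberate: the overall figure alone can hide a department sitting well below the objective, which is exactly the kind of delta the article says leadership should be able to accept or fund knowingly.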
No Time to Waste
The expectation is very real that as an entity’s workforce becomes better educated around insider risk, the number of data loss incidents resulting from negligence or being hoodwinked will be markedly reduced.
Having programmatic objectives that align with business goals will reduce insider-led incidents, while allowing a more precise understanding of the health and maturity of one’s insider risk capability.
According to the 2023 Cost of Insider Risks Global Report, the average annual cost of an insider incident is $16.2M, and the longer it takes to contain, the higher the cost. This should cause all insider risk program managers to gasp, as it is clearly less expensive to prevent an incident than to clean one up. Yet, on average, companies are only putting $200/head into their insider risk programs (when such a program exists). If one wishes to lead a program that is well resourced, one must demonstrate to the C-suite and board the efficacy of their investment.