Since the 2020 Gartner® Market Guide for Insider Risk Management (IRM) Solutions, we have seen the world around us change drastically. In 2022, data protection strategies have had to evolve to encompass hybrid and remote workforces, increasing reliance on contractors and third parties, and a giant leap in digital transformation to accommodate these changes and keep employees productive. And we now know this shift is long term, rather than a temporary solution for the immediate gaps created by the sudden shift to remote work.
Code42 was recognized in both Market Guide reports to date, and we see clear alignment with our research on the growing scope of Insider Risk and Gartner’s. We think Code42 has also played a defining role in developing the vision and requirements for the IRM category – now recognized by industry analysts – and is a founding member of the Insider Risk Summit and Insider Risk Community. Our own research from the Annual Data Exposure Report 2022, which is cited as evidence in the Market Guide, substantiates just how significantly data leaks are growing with the workforce shift during the past two years – over half (55%) of respondents are concerned that employees have become lax in their cybersecurity practices/protocols, and 73% report Insider Risk is a big problem within their company.
Gartner found that the increase in a hybrid and remote workforces, compounded with vendor integration, has prioritized Insider Risk management as a focus area for security and risk management leaders.
We noticed 4 critical changes in this year’s Market Guide for Insider Risk Management Solutions:
1. Gartner recommends developing a formal Insider Risk program
As the workforce has changed over the past two years, so has reliance on cloud applications and BYOD. The massive technology shift that enabled employees to remain productive when working from anywhere brought with it the risk inherent to data accessed and used without a clear perimeter. The technology that’s critical to getting work done is actually putting that work at greater risk, because sanctioned and unsanctioned activity can appear almost identical. Our Annual Data Exposure Report found that there is a one-in-three chance (37%) that a company will lose IP each time an employee quits. Gartner has clearly defined the solution requirements, and in light of the changing way we work, we see a more clearly defined need for Insider Risk Management, too. Because insider threats are distinct from traditional attack detection and response, Gartner recommends, “developing a formal Insider Risk program.” Gone are the days of hoping that your normal SOC processes will deliver signals of prioritized Insider Risk or usable workflows for those investigations and responses. Distinct toolsets that focus on monitoring both your internal data infrastructure and cloud-based environments for untrusted data movement are needed. So is a response framework that applies proportional risk mitigation intervention to the level of the threat. Code42’s right-sized response methodology enables action with responses that are proportionate to an activity’s risk severity without standing in the way of employee collaboration and sanctioned file activity.
2. Security and risk management leaders are looking for technology that leverages context and automation
Gartner highlights that, “Buyers in this market have an expectation that functionality such as user and entity behavior analytics (UEBA) will be an embedded feature in the selected toolset.” (And they renamed the UEBA category to Insider Risk Management in 2020). Security professionals want to see the context that accompanies data exfiltration and other Insider Risks while investigating them, and that needs to be taken into account in the prioritization of activity that actually requires their review. Without that context, all of the user activity that might represent risk is just noise. Technologies that analyze user behavior are folding into IRM solutions–and security ecosystems are playing a key role. By tying together that context, investigation capabilities, and the responses to make that risk signal actionable, ecosystems are enabling the seamless integration with existing IAM, PAM and SOAR solutions and processes that overburdened security teams have been asking for. Additionally, Gartner points out the need to think about user education and awareness training in the context of Insider Risk, noting the “lack of focused education and awareness around Insider Risk.” A more security aware culture is one of the best ways to deter insider threats in the first place, and should be wrapped into the response workflow.
It’s also interesting that Gartner notes some older methods for detecting risk are falling out of favor with an increasingly robust Insider Risk Management solution landscape. “IRM tools focused on using only user-created rules and workflows are starting to be abandoned by the market.” Security needs to shed the blocker stigma to enable new workforce shifts, and clunky, policy-based tools don’t help.
3. Mandatory capabilities of enterprise IRM platforms are outlined
For the first time this year, Gartner has listed four mandatory capabilities for solutions included in this market (see the Market Guide here to view those requirements in the context of the report). The focus on SOAR integrations, response workflows, and risk modeling reflect what Code42 is hearing in the security community. The need for enhanced integrations into SOAR platforms for customers with custom playbooks, for multiple response mechanisms based on the context of risk, and for the ability to easily report on risk trends are critical capabilities for flexible, fast containment of Insider Risk.
We’ve seen how little time security leaders have to figure out what risk requires their attention, and how traditional SOC processes don’t work to contain and respond to those risks. Our Incydr and Instructor products have evolved to support three areas of response controls: containment, education and resolution, with pre-built integrations to sources of data risk (think Slack, GoogleDrive, Box etc.) and to SIEM and SOAR platforms to speed response in whatever way your team works today.
4. Gartner believes that the hazards of poisoning organizational culture outweigh any perceived benefits of productivity tracking
In this year’s Market Guide, we also saw an emphasis on the need to design risk mitigation strategies that take into account the position of trust that insiders have in an organization. At the heart of these insider threats are employees–not external adversaries, but the folks you trust to create your most important data, and investigating and responding to risks that stem from your employees means working with a wider team (including HR and legal) and rooting your strategies in the type of workplace culture you want to enable.
The report also points to a disturbing trend in a subsection of the market aimed at assuaging the fears of managers who can’t see their employees while they’re working from home. In this part of the market, there’s been some conflation between IRM and productivity monitoring, but “Gartner believes that the hazards of poisoning organizational culture outweigh any perceived benefits” of using IRM for productivity monitoring, and we couldn’t agree more.
As a Representative Vendor listed in this year’s Market Guide for Insider Risk Management Solutions, we share the authors’ emphasis on solutions purpose-built to tackle threats that originate from inside the organization. Code42 Incydr and Instructor are designed to give you the visibility, context and control needed to stop valuable data from going to places you don’t trust without slowing the business down or jeopardizing a culture of transparency and trust. By offering responses and integrations with SOAR that support containment, resolution, and education, you can respond in a way that’s proportionate to an activity’s risk severity.
Traditional external threat investigations responses can be detrimental to organizational culture when applied to insider threats. Code42’s Empathetic Investigations™ Approach is a new way of conducting Insider Risk investigations rooted in presuming positive intent. This approach empowers security teams to develop trust and build relationships with users so employees make safer and smarter decisions to keep data secure. You can learn more about our approach and how it aligns with the 2022 Gartner Market Guide for IRM here.
Gartner, Market Guide for Insider Risk Management Solutions, Jonathan Care, Paul Furtado, Brent Predovich, 18 April 2022
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.