Earlier this week, we had a great discussion on Starting an Insider Risk Program From Scratch with Clea Ostendorf and Andrew Shea, both Senior Risk Advisors at Code42.
You can watch the recording below, but here are the key takeaways.
Understanding humans is the most important thing
Too often in security we are told to focus on the latest widget as the solution to problems. This is particularly true when talking to solution vendors[1]. In this session, it became abundantly clear that technology alone is not the way to solve a problem like Insider Risk.
Insider Risk comes inherently from humans being…humans. As a result of merely existing within a system we introduce chaos. That can come in the form of accidentally sending an email to the wrong “Alex” in your address book, or from trying to take all of the organization’s most important data with you on your way out the door. Regardless, understanding the way that humans will work within a system is imperative to actually resolving the problem. Any Insider Risk program needs to start with an understanding and acceptance of the fact that human psychology isn’t going to change and the systems built around humans need to be accommodating of that, not the other way around.
When in doubt – Ocean Tomo
When trying to get a program off the ground and get buy-in from leadership, the question is inevitably going to surface as to “how big of a problem is this?” or “what is our exposure?” That’s where Ocean Tomo comes in. As a leader in intellectual property valuation and brokerage, they have calculated that from 1975-2020, the amount of an organization’s value accounted for by intellectual property has risen from 17% to ~90%.
If protecting 90% of your organization’s value doesn’t convince leadership, then likely nothing will.
While invoking the wisdom of Jean Luc Picard (😉), Andrew summed up some guiding principles for an Insider Risk program simply with the word “Engage.” In his mind, engagement falls into three buckets:
- Communicate early: Tell folks what you will and will not be doing as part of your Insider Risk program. Educate on proper ways to engage with data, make sure everyone knows what the stakes are and allow for line-of-business to tell you how they do their jobs. Communication is key to a successful program. Plan for it in both directions.
- Don’t be penny-wise and person-foolish: Don’t skimp on resources by throwing up barriers to collaboration and workflows which solve the problem on paper but in reality, only slow people down. This will lead to lost productivity, disgruntled employees and will only exacerbate the problem.
- Avoid punishment and focus on improvement: People will mess up unintentionally. Have the proper systems and relationships (between security and employees) in place to give you visibility into when these foibles happen, and engage with the employee directly with a right-sized response rather than an outsized punishment. Then, provide resources (in the form of tools, education, or both) to prevent the problem systematically.
For the full readout of what we discussed in the session, watch the video below:
[1]: Stares at website masthead self-aware-ly.
Now streaming: Code42 Live
This spring, Code42 launched Code42 Live – a series of live community discussion events to help solve the problem of Insider Risk. Recent guests have included Samantha Humphries and Chris Tillett from Exabeam, Elsine Van Os from Signpost Six, an Insider Risk Summit 2021 speaker, and Edward Amoroso from TAG Cyber.