A live conversation with Tag Cyber Founder and CEO Ed Amoroso
Today, I had the opportunity to have a conversation with Ed Amoroso, Founder and CEO of Tag Cyber. We talked about 5 misconceptions that arise when trying to talk about Insider Risk.
You can watch the full session embedded below, but here are my notes on each of the topics and misconceptions we discussed:
First Question: What is Insider Risk and why does it need to be managed?
The scripted version: Insider Risk is data exposure that jeopardizes the financial, reputational or operational well-being of a company, its employees, customers or partners.
The straight version – Insider Risk is corporate data leaking as a result of the way people work.
Insider Risk needs to be managed because the policies, governance and controls organizations have in place are failing to keep pace with the speed of the organization itself. We are asking security teams to do the impossible – manage a corporate data leak problem with the same people, process and tech that were never designed for this level of risk.
A security leader I spoke with yesterday said it best: “I cannot manage this problem and protect the company using the same old Shakespearean approaches.”
Top Five Misconceptions:
1: Insider Risk is just a training issue
Training is just one leg of the stool. Yes, we need security training that makes employees aware of security policies, but what we also need is more transparency and better tech. Humans largely make decisions based on 3 things: Time, Risk and Reward.
I’d like to see less training for security policy awareness and more teaching and transparency geared at making employees more risk-aware. Do they truly appreciate the risk associated with a decision to move corporate data from their endpoint to their own Dropbox account? Do they understand the risks of sharing files publicly on Google Drive? Will they think twice before they open a browser and upload that corporate strategy doc to their personal productivity cloud app?
Transparency is employees knowing that file activity like this is being monitored. The sheer awareness of risk to the company and to themselves is a huge deterrent. And of course, we need the tech to do it and do it without disrupting employee productivity or infringing on privacy.
2: Insider Risk is just a malware/phishing issue
Yes, Insider Risk can mask itself as malware or a phishing attack, but it would be naive to believe Insider Risk is that definitive. The problem is nuanced. There is a ton of gray area – that’s why we believe in staying focused on the data – all data. Yes, an employee may have clicked on a phishing email and loaded malware on their device or the network. This is an insider risk – a big one. But just as big – if not bigger in terms of likelihood – is the employee who uploads sensitive files from their laptop to some random non-sanctioned app or emails themselves files using their personal email account. That stuff happens daily.
3: The problem of Insider Risk isn’t solvable
That’s BS…okay wait – let me reframe – the problem isn’t solvable using “Shakespearean” approaches to data leak prevention. Don’t get me wrong, there’s a place for data policies, governance and controls, but when the organization has empowered employees to have control, to govern themselves and thus work around policies – what good are they? Companies need safeguards. The problem can be addressed, risk can be minimized, risk posture can be improved – but it’s gonna take us taking our policy, governance, control blinders off…let’s face it, employees did years ago.
4: It’s impossible to get budget for Insider Risk
There’s always a budget to get. I go back to risk-awareness. Just as transparency is good for employees’ risk awareness, transparency about the problem and helping CISOs, C-Level execs and the Board be aware of their Insider Risk level is what’s missing in vendor-CISO conversations. Stop with the security speak – be transparent and start teaching execs and board members on their terms – the impact to the financial, reputational or operational well-being of the business, its employees, customers, partners, investors, shareholders.
5: Zero Trust makes the problem of Insider Risk moot
The general idea behind this misconception is that because “identity” is the perimeter, no one is really an insider. That’s completely backwards from reality. If there is no perimeter, then that means that every identity, no matter whether contractor, vendor, employee or other, represents an opportunity for Insider Risk. Zero Trust actually makes it more important to solve for Insider Risk, not less.