Transparency is core to our approach to Insider Risk Management, so we felt it was our responsibility to be transparent and share our own Insider Risk story and what we learned from it.
Three takeaways from this blog:
- No one is immune from Insider Risk
- Insider Risk Management takes collaboration
- Stick to the facts, do not let emotion enter the equation
Got a second?
Do you know what an Insider Risk event “feels” like to a manager? I do. It’s a series of ups and downs that started with a simple text from the CISO: “Got a second?”
It was a Thursday around 5:50pm and I was shopping for my adult daughter, who was laid up in her apartment sick as a dog. My wife was out of town with her sisters at a Harry Styles concert in Milwaukee and I thought a care package from dad would brighten her spirits. There I was, Chris Stapleton playing through my AirPods, list in hand, on a mission, going up and down the aisles of the grocery store grabbing some not-so-healthy stuff I know she wants, with a mix of healthy food mom and dad know she needs. My mission was interrupted by Siri telling me I had a message: “got a second.” Now, I know our CISO well and consider her a friend, so of course I responded, “Yep” – not knowing that for the next 24 hours I would get a real-life dose of what it feels like to deal with Insider Risk. And then, the phone rang.
Me: Hey! What’s up?
CISO: Well, this is one of those calls you don’t want from the CISO. (Launch pit in stomach)
Me: Ok…what’s going on?
CISO: We detected one of your employees downloading sensitive data to a personal laptop. (Trigger dry mouth)
For the next 11 minutes, my focused trip going up and down the aisles of the grocery store turned to aimless roaming, listening to the CISO replay the details of the event to me line by line in precise detail, asking questions and outlining next steps for what would happen over the next 24 hours.
My first reaction was shock. I could not believe it. One of my team members? No way. All I could do was listen as the chronological facts were communicated to me line by line. As the details of the event replayed in my head, and I thought about the ramifications for the company – the damage it could cause – I realized this was bad. I was frozen.
Once I got over the shock, relief set in. Relieved that security caught the leak, caught it in time and contained it. I failed to mention that 24 hours before the text from the CISO, the employee in question had resigned. It was their resignation that triggered the security team to examine their data activity. I felt relieved the security team had our back.
Shock and relief quickly turned to anger. Anger rooted in feelings of disappointment. Disappointed that a team member would knowingly put us at risk. Disappointed by the fact that this person was someone we trusted with some of the company’s most sensitive information – everything from product strategies and roadmaps to customer contacts and sales opportunities. I was fuming.
Once the feelings of anger subsided, I could not help but get excited. We caught this. The people, process and technology we put in place worked as designed, and it worked like a charm. It felt rewarding. From the transparency and professionalism of the security team to the collaboration with the legal and people teams, we always presumed positive intent. What does the data tell us? What are the facts? The very process of Insider Risk detection and investigation, and the facts that emerged, shaped how we would respond in the right way for both the company and the employee. We practiced what we preached, and our people, process and technology mitigated the risk and did so without fail.
When things get personal, it’s hard not to point the finger at myself. I am the leader of a team that talks about Insider Risk each and every day. My team knows what our product does, what makes it unique, compelling, differentiated. We were in the midst of launching a new capability that could detect downloads from corporate applications like salesforce.com to unmanaged devices like personal laptops. This was something only we could do; we believed it was game changing, and it was no secret to the departing employee in question. We had been talking about it for months and it was launching in a matter of days. We had been running the software internally for weeks, putting it through its paces. It was standard procedure to run new capabilities internally before making them generally available to the market, and my team knows this. My team also knows that downloading corporate assets to personal devices is a breach of policy. It’s a huge risk. I felt vulnerable and personally accountable.
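The detection described in this story boils down to two signals joined together: a resignation on file with HR, which triggers a review of that user’s recent activity, and a download from a corporate application that landed on a device not in the managed inventory. The following Python is an added illustration of that correlation, not the author’s product code or its telemetry format; the event fields, the managed-device list, the HR feed, the 30-day lookback and every sample event are constructed assumptions for the example.

```python
"""Departure-triggered review of downloads to unmanaged devices.

Added example (not the vendor's or the author's code). Event schema,
device inventory, HR feed, lookback window and sample events are all
constructed assumptions so the script runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DownloadEvent:
    ts: datetime
    user: str
    app: str          # corporate source application, e.g. "salesforce.com"
    device_id: str    # endpoint the file was written to
    file_name: str
    size_bytes: int


# Assumed inventory of corporate, MDM-enrolled endpoints.
MANAGED_DEVICES = {"LT-0421", "LT-0877"}

# Assumed HR feed: user -> date the resignation was recorded. As in the
# story, a resignation is what triggers the review of that user's activity.
RESIGNATIONS = {"jdoe": datetime(2023, 3, 15)}

# How far back from the resignation date to look (assumption).
LOOKBACK = timedelta(days=30)

# Constructed sample telemetry; not real log lines.
EVENTS = [
    DownloadEvent(datetime(2023, 3, 1, 9, 12), "jdoe", "salesforce.com",
                  "LT-0421", "q2-pipeline.csv", 1_200_000),
    DownloadEvent(datetime(2023, 3, 14, 17, 48), "jdoe", "salesforce.com",
                  "MBP-HOME", "all-accounts-export.csv", 48_000_000),
    DownloadEvent(datetime(2023, 3, 14, 17, 52), "jdoe", "salesforce.com",
                  "MBP-HOME", "roadmap-2024.pptx", 9_000_000),
    DownloadEvent(datetime(2023, 3, 14, 10, 5), "asmith", "salesforce.com",
                  "LT-0877", "contacts.csv", 20_000),
    DownloadEvent(datetime(2023, 3, 16, 11, 0), "asmith", "salesforce.com",
                  "PERSONAL-PC", "contacts.csv", 20_000),
]


def unmanaged_downloads(events, managed=MANAGED_DEVICES):
    """Every download that landed outside the managed inventory.

    Each of these is a policy violation on its own, whether or not the
    user is leaving; the HR signal only changes how urgently it is triaged.
    """
    return [e for e in events if e.device_id not in managed]


def departure_review(events, resignations=RESIGNATIONS,
                     managed=MANAGED_DEVICES, lookback=LOOKBACK, as_of=None):
    """Triage unmanaged-device downloads against the HR feed.

    An event is 'high' when the user has a resignation on file and the
    download falls inside [resignation - lookback, as_of]; everything else
    is 'medium'. Returns (severity, event) pairs, high first, then by time.
    """
    findings = []
    for e in unmanaged_downloads(events, managed):
        resigned_on = resignations.get(e.user)
        window_end = as_of or resigned_on
        if resigned_on is not None and resigned_on - lookback <= e.ts <= window_end:
            findings.append(("high", e))
        else:
            findings.append(("medium", e))
    findings.sort(key=lambda f: (f[0] != "high", f[1].ts))
    return findings


def bytes_to_unmanaged_by_user(events, managed=MANAGED_DEVICES):
    """Total bytes each user moved to unmanaged devices (size of the exposure)."""
    totals = {}
    for e in unmanaged_downloads(events, managed):
        totals[e.user] = totals.get(e.user, 0) + e.size_bytes
    return totals


if __name__ == "__main__":
    for sev, e in departure_review(EVENTS, as_of=datetime(2023, 3, 16)):
        print(f"{sev:6} {e.ts:%Y-%m-%d %H:%M} {e.user:7} {e.app} -> "
              f"{e.device_id} {e.file_name} ({e.size_bytes:,} bytes)")
    print(bytes_to_unmanaged_by_user(EVENTS))
```

The first event (a managed laptop) never surfaces, the two exports to MBP-HOME the day before the resignation are ranked high, and asmith’s copy to a personal PC is still reported as a medium policy violation even with no resignation on file, which is the “stick to the facts” stance the post argues for: the data decides what is flagged, the HR context only decides what is looked at first.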
There’s one thing about vulnerability and accountability as a leader – it drives us to think about opportunities for improvement. Improvements in communication, collaboration and clarity. Communication of corporate policy – you cannot use personal devices to get your work done – full stop. Collaboration across the team and the company around the problem we solve – Insider Risk and the core principles of our approach – transparency, training and technology. And most of all, clarity around our product – what we do that makes us so compelling, unique and a must have for any organization of any size and shape. Perhaps more communication, collaboration and clarity would have prevented this from happening in the first place. All I know is that I have an opportunity as a leader to reduce the Insider Risk my team might pose to the company. Imagine if all business leaders felt the same – personal accountability to keep company data safe.
So there it is…the leader in Insider Risk Management’s Insider Risk story. I personally could not help but feel that our own experience would benefit other organizations. Just because we advise on Insider Risk Management and build Insider Risk Management software does not make us immune to Insider Risk. It’s how we managed the Insider Risk problem that protected us and especially our customers from harm. So, yes it’s okay that Insider Risk feels personal, and it should because people are always involved. But, take a page out of what we learned from our own experience:
- No one is immune to Insider Risk – not even us – we all have departing employees
- Collaborative people and processes are what helped us contain our Insider Risk
- Our technology provided the facts we needed to do the right thing – for all parties involved
By the way, my daughter loved the care package and she is feeling much better. Everything feels like it’s back on track. Until the next one, because there will be a next one – I’m sure of it. Thanks for reading.