Skip to main content

The 3 “T”s That Define an Insider Risk Management Program

Shift your security culture from “watchdog” to guide dog and everyone wins

“As companies launch new flexible work policies, software for monitoring employees’ productivity is gaining popularity worldwide. Employee backlash will grow as firms overreach, leading to an appreciable drop in technology satisfaction and employee engagement as tracked by Forrester’s EX Index. In response, CISOs will overcorrect by reducing the scope of insider threat programs, thus, increasing risk. They must educate their organization about the program’s benefits and ensure employees understand the boundaries that prevent disproportionate and unethical monitoring.” 

Forrester Predictions 2022: Cybersecurity, Risk and Privacy

There are some organizations that need an Insider Risk Management program but fear being seen by their employees as Big Brother. Proposing the idea alone is an HR Director’s nightmare. But there’s no need to throw out the baby with the bathwater. In other words, it’s possible to maintain both employee satisfaction as well as a successful Insider Risk Management (IRM) program. Here’s how:

There are three main components that work together toward the success of any IRM program while promoting a positive security culture. You must employ all three, for any one alone will not lead to your success. I’m talking about, Transparency, Training and Technology. They work together to support the notion of everyone working together as One Team to reduce your Insider Risk events and improve your security posture over time. 


IRM starts with a commitment to transparency. Transparency with employees around what is monitored, how and why. Transparency with business leaders about where risk exists to the data they care about most. Transparency with business partners when the organization is at elevated risk. Transparency with execs about the resources that are needed to protect data and why.

Like shadows lurking in the dark, Big Brother only exists because of the mystery of who is watching, how they’re watching and what they’re watching. To employees, it can feel like they are being spied upon, which fosters distrust towards security, your program and even the company. 

To flip the scenario, employees from the top down must be key partners in reducing risk to the organization and require transparency around what is happening with data day in and day out. 


Good user training is foundational to a successful IRM program. Training that is data-driven and tailored to specific Insider Risk events. Training that is proactive based on the risk tolerance of the business and its leaders. Training that is situational based on organizational change and milestones. Training that is responsive based on real-time Insider Risk events posed by employees.

Recruit employees to be your partners, not your adversaries, in protecting company data. In order to be a leader and good partner in a One Team way of working, you’ll need to set your employees up for success. Talk to them during onboarding  and be proactive so they know their role in protecting the company. Be clear about what data is theirs and what is the company’s, and where personal and corporate data resides. And then be at the ready with reactive training you provide when they slip up. You can also make training available when their role changes, they are promoted and/or gain access to more sensitive systems and data sets. It’s even a great idea to have training ready to provide direction if they leave the organization. Even then, you can set them up to avoid the common mistake of taking company data with them – and do it in a friendly, empathetic way. 

The most impactful training is delivered at the moment you realize employees moved data somewhere they shouldn’t have – when the error is freshest in their minds. We call this responsive training. 

For maximum effectiveness, consumption and retention, your training should be short (1-3 minutes), timely, and friendly and offered as guidance, not punishment. Always presume  positive intent by starting with something like, “Hey we noticed you moved data to your personal cloud account. Did you intend for that to happen?” Such empathetic transparency allows you to understand the why and offer guidance to resolve the problem while helping the employee make different, more secure choices moving forward. One employee at a time, one cooperative interaction at a time with empathic guidance will pay major dividends to your program in building a more security aware culture, thus reducing Insider Risk to the company.


Of course you need the third “T”, technology, to round out the success of your Insider Risk Management program. Technology that identifies where untrusted data exposure exists. Technology that helps security define what risk matters to business partners and prioritizes when security analysts should be alerted. Technology that enables security to use right-sized response controls and empowers security to improve Insider Risk posture overtime. 

The sad truth is that data exfiltration events are usually realized after the fact – after an employee leaves the company, the sensitive information has already been shared outside the company, and the competition has used the information. By the time these things happen, it’s too late – the damage is done and the only course of action is litigation. Technology like Code42 Incydr arms organizations with the unique ability to identify data exposure and exfiltration in near real time, empowering Insider Risk analysts to work with employees and business partners to determine the level of risk severity and the appropriate response to not only remediate, but mitigate future non-compliance with data use policy through training and education.  

Through transparency, training and technology, IRM empowers security and risk teams to become better business partners, employee enablers, solution innovators and value creators by fostering a more risk-aware workforce. 

Once you have your plan and are implementing the three T’s, you will likely need to adjust how to respond to data risk alerts. When events happen, responses start with conversations that are more exploratory and less investigative in nature, requiring more nuanced soft skills that eliminate the interrogation room (until its use is needed). The tone of how your team interacts with users will be important. We will address those in the next post on Part II: Empathetic IRM Investigations. Stay tuned…

The post The 3 “T”s That Define an Insider Risk Management Program appeared first on Code42.

About the Author

Mark Wojtasiak is a guest speaker bringing more than 20 years of B2B data storage, cloud and data security experience with him. He co-authored the book Inside Jobs with Joe Payne, CEO of Code42, and Jadee Hanson, CISO & CIO of Code42.

Profile Photo of Mark Wojtasiak