Insider Threat Programs: Security and Due Process
This panel opened with two questions. What it would take to get people to focus on the insider threat? And why do those with government experience seem to get the magnitude of the insider threat more readily than those without such experience? The answers and consequent discussion would suggest that private enterprises have found their preparation for the insider threat moving naturally down the legal channels prepared by not only government practice, but by law, regulation, and the prospect of civil litigation.
Chaired by RedOwl Analytics COO Brian White, the panel included Eric Laykin (Managing Director, Regulatory Cybersecurity Services, Duff & Phelps), Matthew Tank (Senior Manager Counterintelligence, Insider Threat and Security Investigations, Raytheon), Bob Novy (Deputy Assistant Director, US Secret Service), Gary Harbison (Chief Information Security Officer, Monsanto), and Kirk Poulsen (Senior Vice President and Security Officer, Leidos).
Insider threats and a culture of security
The panel thought that, in general, Government people are quicker studies on the nature of the insider threat because they have a clearer appreciation of the magnitude of the risk. What's necessary to any effective mitigation of the insider threat, whether in Government or the private sector, is a culture that keeps up with people. People themselves aren't static. Their circumstances, opportunities, experiences, and motivations change over time, and so one polygraph examination, one background check performed twenty years ago isn't enough.
Designing an insider monitoring program
Unintentional insider threats, malicious insiders, and state-sponsored insiders present very different use cases. The panel advised training, transparency, and communicating to the insiders that they too are being safeguarded by the program.
It's important to keep the right stakeholders involved (human resources, compliance, legal, etc.). Consistency and education are vital. A monitoring program will be more likely to succeed if it's designed to be about employee protection first, and then about company and customer protection. Engage the population you're working with to give them a tangible understanding of what they're up against.
Connect it to an employee assistance program, and make it visible enough to be an effective deterrent to bad behavior, whether such behavior is intentional or unintentional.
Company leadership needs to be involved. Malicious insiders love silos. When the whole company looks at its business together, it can see across silos and distinguish the real from the merely apparent threats.
The due process of monitoring: what's in-bounds and what's out-of-bounds?
Within the Federal Government, the answer is relatively simple, according to the panel: you protect the "crown jewels," and you monitor those with access to them. Any activity, anywhere, should be in-bounds.
Harbison noted that in the private sector, "We don't go down to user level without cause, without there being an investigation in progress." The consensus was that any activity on the enterprise network should be in-bounds, with one exception: you want to steer clear of collecting on employee assistance program use.
White asked the panel about NISPOM, and how they're seeing it affect operations? In general they thought NISPOM has had a positive effect, especially in that it formalizes the insider threat monitoring process, but that in itself it doesn't constitute a complete insider threat program. (See the addendum at the end of this article for more on NISPOM.)
Moving an insider threat monitoring program forward
Companies now report insider threat metrics to boards and C-suites, and they may well highlight high-profile investigations to corporate leadership. Developing a reputation as a secure organization can make a powerful contribution to brand equity, and that contribution should be considered before dismissing security as a mere cost center.
The panel noted the importance of credentials, which of course when stolen enable outsiders to act as insiders. And credential thieves aren't the only people who become insiders in an extended sense. Right now companies are focused on their own personnel, but they will soon have to address their supply chain as well. In doing so, they should focus on the invaluable: neither all data nor all suppliers are created equal.
In conclusion, the panel noted that the insider is, after all, a human being. Ideation, planning, and reconnaissance all precedes the overt act. If you're able to look at significant life events, you'll be able to identify and mitigate problems early, and you may well be able to help the person who might otherwise have done you damage.
Like all human problems, insider threat monitoring comes down to management and supervision. Be dynamic, and recognize that humans change and humans adapt.
Addendum: notes on the US National Industrial Security Program (NISPOM)
In the discussion of NISPOM, it was striking to hear the extent to which company insider threat management resembled formal investigations, with much talk of probable cause, open cases, and so on. Some explanatory background may be in order. NISPOM (the US National Industrial Security Program) applies to companies that have facility clearances. On November 30, 2016, a major change to NISPOM, Conforming Change 2, went into effect. It requires affected companies to do the following:
1. Establish an insider threat program.
2. Designate an Insider Threat Senior Official, who must be an employee, a US citizen cleared in connection with and to the level of the facility clearance.
3. Report insider threat information to the Cognizant Security Authority.
4. Train relevant personnel.
5. Provide pertinent records.
6. Implement protective measures.
More background on NISPOM may be found here.