2018 was an interesting year for Insider Threat. While most CISOs were already painfully aware of the risks posed by insiders – both malicious and inadvertent – the public has a growing understanding of how business can suffer because of employee misbehavior. In a well-publicized case filed in the Northern District of New York, an all-too-common scenario serves as the perfect illustration: an engineer who worked for a large U.S. company was accused of stealing trade secrets (see, for example, coverage from the WSJ. While this case is still making its way through the court systems, it appears that good sleuthing from defenders detected the data leak, but not before significant damage potentially occurred.
Part of the challenge with insider threat mitigation stems from the complex relationship employees have with their employers. Thus, while there are technical steps that companies can deploy, optics, trust, and privacy can provide significant drag to adoption. To this end, I’d like to examine these issues head on, and provide some guidance on how to chart a course through this minefield. If done correctly, a significant win/win exists for the defenders and those they are charged with protecting.
Let’s start with the elephant in the room: trust. I’ve argued many times that for maintaining security, the ability to leverage trust is a superpower. Moving away from simplistic models of “good” and “bad” allows companies to take a more nuanced and ultimately more effective approach to securing networks. While creating concepts of digital trust for machine-to-machine interactions is relatively straightforward, understanding the complex web of trust that exists between humans is much more complex – and rapidly changing (for an approachable introduction to this area, I recommend Rachel Botsman’s book “Who Can you Trust?”). As Botsman notes, some of the most powerful technology companies in the world (Uber, AirBnB, and Alibaba) all base their business in no small part on brokering trust between third parties. Similarly, the excitement around Blockchain technology is underpinned not merely by speculation on the price of cryptocurrencies, but ultimately by the new markets decentralized trust models can enable.
Not only is trust a cybersecurity superpower, it’s also a driver of growth. In a recent Accenture whitepaper (downloadable ), researchers note that companies who can engender employee trust reap a 12.5% bonus on their growth versus those who cannot – quite a premium.
If trust is key, then the route forward lies not in technical mitigations (we have plenty of good technology for monitoring user interactions, for example), but in a multi-disciplinary approach that helps defenders build trust and not break it. That turns us nicely to our two related concepts: optics and privacy.
When we talk about the optics of Insider Threat programs, the most common mistake is for employees to feel like they are being watched or are inherently distrusted. Neither of these outcomes needs to be the case, but great care must be taken in how human-centric solutions are rolled out. Research shows that employees can be your greatest asset here, but it all depends upon a transparent discussion about the goals of the program and the risks it intends to mitigate. Done properly, the optics can be handled, but only by facing difficult or sensitive issues head on. Transparency is key.
The concept of transparency is also important when dealing with another significant drag on adoption: end-user privacy. While we want transparency about what is collected and how it is used, we don’t want transparency regarding the actual raw data: nobody wants to live in a modern-day panopticon! Thus, governance and technology need to work hand in hand to maintain, or better yet enhance, the privacy of employees. Neither side can do this alone; as a CISO your new best friends are the General Counsel, DPO, and CHRO. If you’re not having regular meetings with these folks, well, you should be.
We’ve looked at some ways we break trust, but what of building it? That, sadly, is much harder. Quoting one of the modern-day philosophers of our time, Lady Gaga, “Trust is like a mirror, you can fix it if it’s broken, but you can still see the crack…”. Thus, the first step is not to break the fragile trust we actually have in place. Alas, the second step of building trust is much harder, and extends well beyond the remit of the CISO: no matter how much the security team embraces best practices, for example, if the employees don’t trust the company’s senior management, there’s no win in sight. No, the approach here needs to be much broader and involves significant effort. There’s a whole fascinating discussion we could have about how you even measure employee/employer trust, but we will have to leave that for another day.
Better yet, cybersecurity isn’t the only winner from such an undertaking. Unfortunately, the CISO and her team can only influence these aspects of organizational climate, not control them. That larger project once again underscores how the CISO’s sphere of influence must not just be in the technical world, but across the entire enterprise. While holism is always nice in principle, in this case it is a necessity. That means that to be successful, the CISO must build both strong and weak ties across the entire organization: that’s sometimes a stretch for battle-hardened technical experts, but a stretch worth taking on, as the rewards are immense.
Dr. Richard Ford is Forcepoint’s Chief Scientist