Think of Insider Threat Management Programs (ITMPs) as a holistic focus on managing the risks that insiders pose to your corporate assets. It starts with a strong foundation: a unified mission that breaks down the traditional silos between “security” (personnel-focused) and “InfoSec” (network-focused IT). Successful ITMPs are truly cross-functional and should involve not just your security and IT departments, but also legal, HR, line of business leaders, and executives.
A successful ITMP requires all of these departments to work together towards a common goal of decreasing organizational risk. It means having the ability to communicate clearly across technical and non-technical teams regarding what insiders are doing with corporate resources. And it calls for a clear strategy to prevent and mitigate insider threats. ITMPs must include people, process, and technology—all working in close harmony.
People: The heart of the program
Threat personnel must have a solid understanding of cybersecurity, insider risk assessment and profiling, and security and privacy control architecture. Some organizations have all of this in-house, but most can benefit from outside consultants with expertise in forensics, legal issues, risk assessment, privacy, and compliance.
Solidify support for an ITMP by designating a champion. This cybersecurity advocate should help ensure that the organization prioritizes developing and operating the program — and the resources needed to do both.
The company will also need a steering committee with representation that extends beyond the traditional cybersecurity group. Include human resources, physical security, and legal counsel. In addition, the larger working group should consist of active legal counsel and privacy officers. This helps ensure the company has the right level of legal review and guidance for every stage in the process.
Process: Program governance, management, and structure
Insider threats are a complex problem, and a complete organizational defense capability may take years to develop. But any company can get immediate value by implementing an initial operating capability (IOC), legally supported with documented policies and procedures.
An effective IOC includes three broad categories. First, programmatic tasks are essential to running a program. Second, some organizations should also consider added layers of threat management to address issues that arise from a dispersed structure. Finally, a regular periodic review post-incident and integration of lessons learned can help improve the program over time.
Organizations that are hierarchical or regionally dispersed are at greater risk of having gaps in coverage. Moreover, remote work has grown more common, driving the need for cybersecurity teams to revisit foundational risk assessment inputs and adjust strategy and program to address the evolving threats landscape.
Technology: Working smarter and increasing efficiency
Driving and building an effective ITMP relies on using a people-centric security model. Focus on user activity. It's all about how users interact with sensitive corporate data and assets rather than on monitoring technology or network perimeter, which no longer exists for most organizations.
People-centric security means having complete visibility and context into how insiders are interacting with corporate data and assets. Legal and compliance concerns inevitably arise when attempting to implement an ITMP or solution. An ITMP requires the company to increase oversight of its insider activity. But what about privacy? The program must comply with relevant laws, respect corporate culture, and stay fully transparent across the organization.
Consider a purpose-built insider threat management platform. These tools look inward, not outward, as do many security tools on the market today. Insider threat management tools can complement one or more of the legacy tools. In some cases, a dedicated ITM platform can support a standalone approach to detecting and mitigating insider threats.
Taking a people-centric approach to ITM starts with context-based user risk management. Environment and circumstance will help the team discern a user's intent, an essential component to prevent and investigate insider incidents.
Context-based user risk management includes three key elements:
- User risk profiling: Identify and manage users based on their risk profile to increase efficiency and support data minimization and monitoring proportionality requirements.
- Cross-Channel visibility: Establish a unified view of how users interact with data on endpoints, cloud apps, social media, file-sharing services, and email.
- Activity timelines: Build an intuitive visualization of user activity over time to understand the critical context around security alerts to make better-informed and actionable decisions.
Building an ITMP requires a collaborative journey. The expanding work-from-anywhere model and increased reliance on virtual collaboration compel us to look at our policies, controls, and employee monitoring practices. Use this as an opportunity to understand and mitigate risks.
Deborah Watson, Resident CISO, Proofpoint
