Insider threat can take many forms, from the unwitting perpetrator to the disgruntled employee. Because the face of these threats is constantly changing and indicators often appear across many different departments, sharing information within a cross-functional group is absolutely essential in effectively combating insider threat.
It's easy to say that Edward Snowden could have been stopped if he had been better vetted by HR, and this may have been true; but it would be irresponsible to neglect to mention the shortcomings of the IT department in monitoring contractors and employees with access to classified information. Creating a cross-functional group with a solid framework for communication can help ensure that any and all concerns are flagged and addressed before it’s too late.
In order to build a rock-solid insider threat program, consider creating a working group comprised of (at minimum) the following members:
Executive Chair: If your company is required to comply with NISPOM Conforming Change 2, the leader of this working group should be your designated Insider Threat Senior Program Official (ITSPO) -- who may also serve as your Facilities Security Officer (FSO). For other companies, this could be the founder of your business, the COO, or the CSO; so long as they are able to clearly identify the purpose and goals of the group and create an environment conducive to dialogue.
Human Resources Leadership: Many HR leaders develop a "sixth sense" for indicators that may identify an employee that presents a threat risk - within the insider threat program, they must strive to codify these indicators and figure out a way to document and monitor them. Their duties go far beyond the hiring process, and encompass everything from performance evaluations to reports of harassment or unfair treatment in the workplace. When combined with intel from other departments, this information can help paint a clearer picture when determining whether or not an employee constitutes a potential threat.
IT/Network Security Leadership: The IT department will be heavily involved in the execution of a comprehensive insider threat program, monitoring who has access to what, and when. This representative would be responsible for collecting data to establish baselines for "normal" network behavior, as well as setting thresholds that would trigger a notification of possible misuse and relaying information about potential violations to the appropriate people. For example, the nature of your work might mean that simply visiting a third party website or putting information on a thumb drive could constitute a potential threat to informational security; the IT representative will be able to help determine if this technology and processes are within the bounds of acceptable use or should be investigated further.
Legal Advisor: Involving legal counsel in your insider threat working group is absolutely essential and non-negotiable. Because much of mitigating insider threat depends on the ability to collect information, you must be absolutely sure that sensitive information is captured in a way that does not infringe on civil liberties, will be kept confidential and used appropriately. Your legal representative should also wear the "ethics hat" when determining workplace standards, such as when/if the company will monitor social media accounts or use information collected about the employee outside of working hours to take adverse action.
Ample communication is key within an insider threat working group; it is up to the Chair to establish a safe environment for each member to raise issues without fear of dismissal or recrimination. Open dialogue should be encouraged, and it may help to continually remind the group of their purpose: to share and integrate information for the common goal of protecting your company from potentially catastrophic threat. Each member should feel comfortable sharing information with the other chairs in the event of a potential threat, and processes should be put in place for assessing and acting on any insider threat-related matters.
Topics from this blog: insider threat