For many leaders of government agencies, measuring the success of their insider threat program is a difficult task. After all, the evidence is counterfactual: if you have had no incidents, does that mean your threat assessments are accurate, or have you simply been lucky that no insider has acted?
At first glance, the success of your insider threat program seems too complex to measure. However, a hypothesis-based approach to your insider threat detection helps you isolate root causes of insider threats and directly address those causes with precise improvements.
Despite the complexity of measuring progress, post-incident reports after every major insider threat incident cite numerous process and system breakdowns that allowed the incident to happen, and from one report to the next the breakdowns and recommended improvements look much the same.
In some cases, once agencies address these organizational security gaps, another insider incident occurs anyway. As a result, many agencies abandon their performance measurement process, incorrectly assuming that what they are doing is not working. This may leave the organization at even greater risk from insider threats.
To counter this self-defeating cycle, keep these four principles in mind when managing your insider threat program:
Principle 1: Manage Your Metrics
A common performance measurement mantra states that “You can’t manage what you don’t measure,” but a better mantra is, “You need to manage what you measure.” All too often, an agency invests an incredible amount of effort into identifying good metrics and collecting the data to measure performance, only to continue working as usual the next day and ignore what those metrics show.
The most common fallout from this situation is a breakdown between what the metrics suggest you do and what is actually executed. Why does this breakdown occur? That brings us to the second principle …
Principle 2: Make Accountability Objective
After an insider threat incident occurs, internal staff members often resort to blaming one another. While the incident may appear to be the result of one person’s irresponsibility, the cause usually lies in a number of smaller errors, such as someone not reporting odd behaviors, someone else forgetting to share information with the right people, or other similar lapses. In this sense, accountability for the problem should be de-personalized, allowing for an objective accounting of everyone’s mistakes.
By assigning responsibility to a specific person for improvements – and by not affixing blame only to that person – you improve your chances of closing a gap in your organizational security and preventing another insider threat incident.
Principle 3: Aim For Incremental Improvements
Within the Department of Defense and other government agencies, project managers often mix their “current state” reports with their “future vision” for the project at hand. The reason for this: Focusing on future benefits often wins the approval of senior leadership, and, therefore, the budget to accomplish the project.
However, due to shifts in national insider threat policy or legal issues, the project often fails or is delayed until it is no longer relevant. In the case of an internal security threat, the very projects designed to detect the insider threat are delayed until an incident actually occurs. By then, it’s often too late.
A better approach is to focus on closing small organizational security gaps. For example, a single information-sharing policy might need an update to ensure a continued flow of information between one entity and another. While this improvement is not terribly exciting, it is readily achievable as long as it isn’t attached to a larger initiative. By focusing on incremental improvements, you ensure that security gaps and vulnerabilities are consistently being closed rather than waiting on a larger project.
Principle 4: Remember The Larger Scope
Within the government sector, many insider threat programs have started, stopped, transformed, restarted or been put in hibernation mode, often while leadership waits for the next policy or framework to settle.
By waiting, you’re ensuring that nothing gets done – possibly pushing your agency closer to an insider threat incident. Instead, start with small incremental improvements (see Principle 3 above) while you keep the larger scope in mind. It’s much more difficult to accomplish a single, sweeping change to your insider threat program than it is to make many small changes that add up to the same result.
As big-picture projects, frameworks or policies shift, start shifting your incremental projects and metrics to meet those new objectives. Soon enough, your agency accomplishes what the larger policy or framework originally had in mind.
While these four principles apply most specifically to agencies of the federal government, any organization or commercial business should put them into practice. By keeping these principles in mind for your insider threat program, you continue to close gaps in internal security and safeguard your organization from the harm of an internal security threat.
Navigating the world of insider threat is an intimidating task, even for the most seasoned agency officials.