A reality check for security leaders on insider risk

“I trust the people in my company. I still monitor everyone.”

That statement came during the MISTI CISO Leadership Summit I lead on Sunday at InfoSecWorld. One of the security leaders made that comment during our session on trust. It got a lot of nods and even more discussion. 

Just the week prior, I talked with Mike Tierney (LinkedIn, @mikejtierney) the COO of Veriato Inc. about the reality of insider threat and our need to engage others in the process. As COO, Mike is ultimately responsible for organizational security.  His insight on insider risk is forged by experience and his success implementing processes across the organization.

During our conversation, he talked about the leadership approach of engaging others in the process – before we have problems. He shared some things I hadn’t seen implemented before. Approaches that made sense.

Here are five questions with Mike Tierney:

How often are leaders skeptical about the real dangers of insider risk?  

It really depends on the size of the organization. In smaller organizations—maybe less than 100 people or so—it’s quite common to hear “we know our people, we can trust them.” I like to ask the folks who are invested in trust as a security strategy a question:  “Are all of your personnel files stored in a cardboard box in an unlocked room with a note on it that says “please only look at your own file?” If not, then why not?  If you can trust your people, why would you bother to secure anything?

In larger organizations, there tends to be more specialized roles, so the folks charged with security are more apt to accept that the insider threat is real. Their challenge is convincing the executive suite to spend time and money on a problem that doesn’t always show as a problem because they aren’t specifically looking for it. It’s a chicken and egg thing—if you aren’t looking for insider threats, of course you don’t see them. Preventing insider risk from becoming insider attacks takes a combination of people, process and technology. I know because I have been in organizations that have suffered from insider attacks. And when we looked back at how it happened, we learned there were many warning signs we simply missed.   

You suggest security leaders start by engaging HR before the hiring process. Why?

For one thing, by engaging HR before the hiring process, you eliminate the person from the equation.  Every position in an organization poses some level of risk. If security works with HR early—when the job description and requirements are being defined—then HR can better focus the appropriate amount of diligence in the hiring process. What sort of background check will be used? The quick, standard or a more in depth one? How many references? Do we need a backdoor reference? Who needs to be involved in the interview process? Coming together for this purpose also gets security and HR collaborating, partnering, which is something that needs to be happening a whole lot more often.  

The real opportunity is to build a strong partnership with HR. How does this benefit security leaders? Any insights on how to make this work?

Security teams are not typically privy to a lot of information that would trigger alarms in their minds, if only they were in the know. There are many known precursors to insider threat. Disgruntled employees are a constant source of risk. HR knows about so many triggers of unhappiness: Bad reviews, passed over from a promotion, put on a performance plan, unhappy with their manager. Negative workplace events that security is not looped in on. Outside factors like wage garnishments and 401k hardship withdrawals can indicate financial pressures. HR sees these things. Has security communicated to HR that this type of information has security value? And does HR have a way to communicate this information to security to protect the company while also preserving and protecting employee privacy? A smart and informed security leader can connect these dots, unlock that value, and be in a position to prevent a damaging attack.  

The strategy can be as simple as a 10-point scale. If the company takes the time to define the risk associated with the position, it can be as easy as “Hey, you know we hired Joe into a level 6 risk position. Please act as if it is a level 10 risk position until we have verified that the things prompting this call are not causing any security problems.”

Working with HR makes sense. How do we quantify the risk and apply the appropriate methods?

This is actually an area where I have seen the federal government out in front. There are at least some areas where agencies are applying a risk score to a position based on the responsibilities of that position. In the commercial world, a good starting point for risk scoring positions is to examine the amount of access to sensitive information or systems the position requires to perform its function.  I’m a pretty simple guy: if the information is such that having it made public, or in the hands of a competitor, gives you pause, you should consider it sensitive. Don’t let perfection be the enemy of the good here—come up with a workable, easy-to-implement scoring system for each position in your organization. Let that risk score inform HR on how to screen candidates, and serve as the basis of communication going forward. You can evolve and improve the system as you learn. Act, then improve. Dealing with insider risk can be uncomfortable. People tend to complicate things they don’t want to do. Don’t let that happen.  

Where does a security leader get started?

I hate meetings. That said, my advice here is “call a meeting.” Get the Security, HR and Legal leadership together. Don’t forget Legal! Explain the damage an insider breach or theft could cause. Ask for their help. Explain to them the value they bring in protecting the company. Ask for their guidance on how you can best work together. This first step will lead to the formation of a team. This team in the extension of your incident response team that will need to engage should an insider incident occur. But now you have the team working more proactively to prevent insider attacks. This is obviously a better place to be. Once you have your team in place, you can begin to implement the processes, and if need be, invest in the technology to mitigate insider risk.