Choosing which department should be responsible for protecting an organization from threats from within isn’t always straightforward.

There’s no getting around it, I am long in the tooth and have been dealing with individuals who break trust within their work environment for more than 30 years, both in government (where we called it counterespionage or counterintelligence) and in the private sector. Today we call programs that help prevent or identify breaches of trust insider risk management (IRM). Over the years I have hypothesized that where such IRM programs reside within an organization will have a material impact on its focus and possibly its overall effectiveness.

In 2019, a CSO article raised the question “Insider risk management — who’s the boss?” and examined where the buck should stop in terms of taking responsibility for threats from within. Here we are four years later and the predicted growth of the role of an individual with a unique focus on the “insider threat” or “insider risk management” program hasn’t yet settled — it continues to evolve.

Effective IRM programs belong in the infosec realm

At a recent Insider Threat Summit, it was nearly unanimously presented that the effective IRM program sits within the information security realm, as that is where all data resides. Joe Payne, CEO of CODE42, with whom I spoke at the end of March, agreed. I posit, if a program resides within the IT/Infosec/CISO arena it will have a technology-forward bent; if it resides in the HR or legal arena it will have a more human bent. From personal experience at having been on the receiving end of a full-blown counterespionage investigation (it was convicted spy Robert Hanssen, not me) I can attest that the investigated individual will want to have the human element present, as data sometimes tells a story that just isn’t the “right” story. Let’s see what others think.

In August 2022, I opined that MITRE’s Inside-R Protect program is a necessary component in any IRM solution and that one must look at the behavioral component, and not just the tactics, techniques, and procedures. Some nine months later, I asked Dr. Deanna D. Caputo, chief scientist for insider threat capabilities and a senior principal behavioral psychologist at MITRE Corporation, where she thought ownership of the IRM should be located. She offered that “several groups can own the Insider Risk Program — there is no single group inherently more suitable than another, so long as there is strong executive-level leadership facilitating collaboration and coordination.”

Should everyone own a piece of insider threat management?

In a MITRE study of 18 industry organizations, for example, insider risk programs were owned by general counsel or the legal department, human resources, information security, security and/or threat management, or risk management. The choice is still important, though, as it impacts the program’s mission, access, and priorities. If the program is owned by HR/ER or legal, it is more likely to get quicker access to sensitive personnel data. If a program is owned by physical security, it likely places more emphasis on the physical facilities (e.g., building access) as opposed to behavior on networked systems. If a program is owned by information security, there is always more emphasis on cyber components and less focus on individuals who do not engage with cyber systems.

Tim Choi, vice president of product at Proofpoint, offered that “regardless of where an insider risk management program resides within an organization, it is crucial that a close-knit collaboration exists between the legal, HR, and information security teams.”

Choi says that while the information security team is ultimately responsible for the proactive protection of an organization’s information and IP, most of the actual investigation into an incident is generally handled by the legal and HR teams, which require fact-based evidence supplied by the information security team. “The CIO/CISO team need to be able to supply facts and evidence in a consumable, easy-to-understand fashion and in the right format so their legal and HR counterparts can swiftly and accurately conduct their investigation.”

Choi’s explanation is spot-on. The provision of facts and evidence in a consumable and easy-to-understand fashion is key.

What about the C-Suite?

Water flows downhill and so does messaging on topics that many consider ticklish, such as IRM programs. Payne noted that “few, if any CEOs wish to discuss their threat risk management programs as it projects negativity — i.e., ‘we don’t trust you’ and they prefer to have positive messaging.” Few CISOs enjoy having an IRM program under their remit as “who wants to monitor their colleagues?”

Payne adds, “Whacking external threats is easy; when it’s your colleague it becomes more problematic.” He concluded that it makes sense that IRM resides within the CISO’s remit and that an IRM program should have a “leadership team of CISO, chief of HR, and general counsel.”

Caputo notes that “over half of the programs reported directly to a member of the C-suite. Reporting directly to the C-suite has the added benefit of greater enterprise visibility and access, which makes it easier to acquire necessary resources and drive program initiatives.”

What’s the bottom line on IRM?

Choi sums it up nicely: “The bottom line is this: if an organization is going to accuse an employee of stealing data, they need to do so with a high degree of confidence based on facts. And close collaboration and communication between various departments underpin the success of an accurate investigation when time is of the essence.”

Thus, no matter where an allegation comes from concerning a colleague, vendor, or partner, having legal “own” the IRM solves a plethora of issues. An insider risk management team reporting to legal can earmark each case as having a sponsor — the entity that is levying the charges (be it finance, HR, IT, security, or whomever). Then the IRM team pulls in resources from the support elements within IT/infosec, security, finance, etc. to acquire the facts and evidence. In this manner, the bias is filtered out and the playbook is consistent in addressing each and every accusation, be it for an individual who has broken trust, violated policy, or otherwise popped up on the radar as worthy of investigation.