Insider risk management: Where your program resides shapes its focus

There’s no getting around it, I am long in the tooth and have been dealing with individuals who break trust within their work environment for more than 30 years, both in government (where we called it counterespionage or counterintelligence) and in the private sector.

Today we call programs that help prevent or identify breaches of trust insider risk management (IRM). Over the years I have hypothesized that where such IRM programs reside within an organization will have a material impact on its focus and possibly its overall effectiveness.

In 2019, a CSO article raised the question “Insider risk management — who’s the boss?” and examined where the buck should stop in terms of taking responsibility for threats from within. Here we are four years later and the predicted growth of the role of an individual with a unique focus on the “insider threat” or “insider risk management” program hasn’t yet settled — it continues to evolve.

Effective IRM programs belong in the infosec realm

At a recent Insider Threat Summit, it was nearly unanimously presented that the effective IRM program sits within the information security realm, as that is where all data resides. Joe Payne, CEO of CODE42, with whom I spoke at the end of March, agreed. I posit, if a program resides within the IT/Infosec/CISO arena it will have a technology-forward bent; if it resides in the HR or legal arena it will have a more human bent.

From personal experience at having been on the receiving end of a full-blown counterespionage investigation (it was convicted spy Robert Hanssen, not me) I can attest that the investigated individual will want to have the human element present, as data sometimes tells a story that just isn’t the “right” story.

Let’s see what others think.

In August 2022, I opined that MITRE’s Inside-R Protect program is a necessary component in any IRM solution and that one must look at the behavioral component, and not just the tactics, techniques, and procedures.  Some nine months later, I asked Dr. Deanna D. Caputo, chief scientist for insider threat capabilities and a senior principal behavioral psychologist at MITRE Corporation where she thought ownership of the IRM should be located. She offered that “several groups can own the Insider Risk Program — there is no single group inherently more suitable than another, so long as there is strong executive-level leadership facilitating collaboration and coordination.

Should everyone own a piece of insider threat management?

In a MITRE study of 18 industry organizations, for example, insider risk programs were owned by general counsel or the legal department, human resources, information security, security and/or threat management, or risk management. The choice is still important, though, as it impacts the program’s mission, access, and priorities.

If the program is owned by HR/ER or legal, it is more likely to get quicker access to sensitive personnel data. If a program is owned by physical security, it likely places more emphasis on the physical facilities (e.g., building access) as opposed to behavior on networked systems. If a program is owned by information security, there is always more emphasis on cyber components and less focus on individuals who do not engage with cyber systems.

Tim Choi, vice president of product at Proofpoint, offered that “regardless of where an insider risk management program resides within an organization, it is crucial that a close-knit collaboration exists between the legal, HR, and information security teams.”

Choi says that while the information security team is ultimately responsible for the proactive protection of an organization’s information and IP, most of the actual investigation into an incident is generally handled by the legal and HR teams, which require fact-based evidence supplied by the information security team. “The CIO/CISO team need to be able to supply facts and evidence in a consumable, easy-to-understand fashion and in the right format so their legal and HR counterparts can swiftly and accurately conduct their investigation.”

Choi’s explanation is spot-on. The provision of facts and evidence in a consumable and easy-to-understand fashion is key.

What about the C-Suite?

Water flows downhill and so does messaging on topics that many consider ticklish, such as IRM programs. Payne noted that “few, if any CEOs wish to discuss their threat risk management programs as it projects negativity — i.e., ‘we don’t trust you’ and they prefer to have positive messaging.” Few CISOs enjoy having an IRM program under their remit as “who wants to monitor their colleagues?”

Payne adds, “Whacking external threats is easy; when it’s your colleague it becomes more problematic.” He concluded that it makes sense that IRM resides within the CISO’s remit and that an IRM program should have a “leadership team of CISO, chief of HR, and general counsel.”

Caputo notes that “over half of the programs reported directly to a member of the C-suite. Reporting directly to the C-suite has the added benefit of greater enterprise visibility and access, which makes it easier to acquire necessary resources and drive program initiatives.”

What’s the bottom line on IRM?

Choi sums it up nicely: “The bottom line is this: if an organization is going to accuse an employee of stealing data, they need to do so with a high degree of confidence based on facts. And close collaboration and communication between various departments underpin the success of an accurate investigation when time is of the essence.”

Thus, no matter where an allegation comes from concerning a colleague, vendor, or partner, having legal “own” the IRM solves a plethora of issues. An insider risk management team reporting to legal can earmark each case as having a sponsor — the entity that is levying the charges (be it finance, HR, IT, security, or whomever). Then the IRM team pulls in resources from the support elements within IT/infosec, security, finance, etc. to acquire the facts and evidence.

In this manner, the bias is filtered out and the playbook is consistent in addressing each and every accusation, be it for an individual who has broken trust, violated policy, or otherwise popped up on the radar as worthy of investigation.