Insider threat programs are inherently difficult to build and maintain. Unlike other cybersecurity programs, which focus on defending the organization from external threats, an insider threat program pits the organization against one of its own people. This requires a fundamental shift in how cases are investigated and in the remediation actions taken to mitigate or eliminate the insider threat.
Attempting to take the same approach with insider threats as with external adversaries could potentially result in distrust in the security organization, low employee morale, and in some cases, civil liability.
In this piece we detail the roles and responsibilities required for an effective insider threat program, an example of workflow for insider threat investigations and some common mistakes to avoid.
A successful insider threat group draws on key resources from across the organization. Because the program requires cooperation from multiple departments and business units, the charter to create it usually comes from the chief risk officer (CRO) or a delegate in a similar role.
Some information security organizations attempt to create a program unilaterally. And while information security teams may possess the technical means to deploy an insider threat program, organizations should consider involving HR and the general counsel
in the investigation. (see Figure 1).
Consider assigning an incident handler to coordinate the different portions of the investigation.
In many cybersecurity incidents, the information security team provides the incident handler (a role also sometimes referred to as the "incident commander"). Insider threat investigations differ because of the liability that can emerge, and HR is often the better choice to provide the incident handler and direct investigation activities.
In some organizations, business unit leadership from the impacted division provides the incident handler, but this risks shifting too much focus onto protecting the value of the assets compromised by the insider, rather than minimizing the liability created by the investigation itself. This can be avoided, or at least minimized, when HR directs all activities.
The following is an example workflow for an insider threat case:
It is not uncommon for many other steps to occur in the background that are not shown in this simplified example. These typically involve coordination between the general counsel and HR, or between HR and business unit leadership, and are outside the purview of information security.
The ways an insider threat program can go wrong are innumerable, so the following considerations should be taken as general guidance rather than as a complete or comprehensive list. However, common mistakes made in insider threat programs
Often overlooked, insider threats can be even more damaging than external threats, but they must be handled differently to minimize liability. Without sufficient process and oversight, an insider threat investigation can itself result in an increase in overall risk to the organization.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
October 19, 2021
By IANS Faculty