Insider threat programs are inherently difficult to build and maintain. Unlike other cybersecurity programs that focus on securing organizations from external threats, insider threat programs pit the organization against one of its own. This requires a fundamental shift in how cases are investigated and in the remediation actions taken to mitigate or eliminate the insider threat.
Attempting to take the same approach with insider threats as with external adversaries could potentially result in distrust in the security organization, low employee morale, and in some cases, civil liability.
In this piece we detail the roles and responsibilities required for an effective insider threat program, an example workflow for insider threat investigations, and some common mistakes to avoid.
A successful insider threat group incorporates key resources from across the organization. Because an insider threat program requires resources from multiple departments and business units throughout the organization, the charter to create a program usually comes from the chief risk officer (CRO), or a delegate in a similar role.
Some information security organizations attempt to create a program unilaterally. While information security teams may possess the technical means to deploy an insider threat program, organizations should consider involving HR and the general counsel in the investigation (see Figure 1).
Consider assigning an incident handler to coordinate the different portions of the investigation.
In some cybersecurity incidents, the information security team provides the incident handler (this role is also sometimes referred to as "incident commander"). However, insider threat investigations differ because of the liability that can emerge, and HR can provide the incident handler to direct investigation activities.
In some organizations, business unit leadership from the impacted division provides the incident handler, but this has the potential to shift too much focus toward protecting the value of the assets compromised by the insider threat, rather than minimizing the liability of an insider threat investigation. This can be avoided, or at least minimized, if HR directs all activities.
The following is an example workflow for an insider threat case:
It is not uncommon for many other steps to occur in the background that are not detailed in this simplified example, which is intended for illustrative purposes. These steps can involve coordination between the general counsel and HR, or between HR and business unit leadership, and are outside the purview of information security.
Mishaps in implementing insider threat programs can be innumerable, and therefore the following considerations should be taken as general guidance rather than as a complete or comprehensive list. However, common mistakes made in insider threat programs
Often overlooked, insider threats can be even more dangerous than external threats. However, they must be addressed differently to minimize liability. Without sufficient process and oversight, an insider threat investigation could potentially result in an increase in overall risk to the organization.
September 29, 2022
By IANS Faculty