NISPOM Conforming Change 2 went into effect in May of 2016, creating requirements across the defense industrial base concerning minimum requirements for assessing and addressing threat risk inside an organization. Five years later, security professionals continue to wonder how to best develop an insider threat program that doesn’t just comply with the standard outlined by the Defense and Counterintelligence Security Agency (DCSA), but that can also protect their companies and organizations. Tom Langer, principal of Atlantic Security Advisors, an industrial security, risk mitigation, and leadership organization and an advisor to SIMS Software shares his insight about insider threat and why it matters across an entire organization or agency.
Langer emphasized that it’s important for organizations to not just look at insider threat as ‘yet another compliance program.’
“You really need a whole of business or mission perspective,” said Langer. He also further clarified the difference between insider threat and insider risk.
Insider threat is capacity + risk = insider threat
- Capacity is what they can do good or bad, to or for your organization. Their intent is what you’re trying to detect.
Insider risk is capacity (identified above) – management/oversight = insider risk
- Management and oversight can be used to reduce the gap between employee capacity and risk.
A key role of an insider threat program is making stakeholders across an organization aware of where the risk is, Langer emphasized. Once organizations are aware of risk, they can ‘transfer, mitigate it, or accept it as-is,’ he noted. Not all risks can be eliminated, but organizations need to know where risks are, and take appropriate steps – often that starts with security professionals.
“Security professionals are the fulcrum in an organization,” said Langer. “We see risk, and we frequently introduce the people taking those risks to the people who own those risks.” Security professionals can help incorporate and influence across the organization. But because the security risk isn’t siloed, neither should the responsibility be.
“Take any risk program you have and bring everyone together into one organization and one working team,” said Langer.
Remote Work Risks
With hybrid work the new norm across organizations, today there are new questions about how to educate and engage a workforce – who may be both geographically and socially dispersed.
“How do we integrate the new people we’re bringing into an organization without bringing them into some social environment where they begin to know their coworkers and their coworkers know them,” said Langer, who noted that traditionally tips about insider threat risks often came thanks to the social connection within workforces. Without a social fabric cleared professionals are tied to, it’s more difficult to identify the social outliers – those who are untied to company norms, and more willing to risk company information. While some aspects of the paradigm are new however, the contract workforce has already had to deal with this in some capacity.
“A lot of contractor companies already have this dispersed workforce,” said Langer. He noted across those organizations program managers become key to your insider threat program – they are the closest touchpoint for many dispersed workers.
4 Tips to Address Insider Threats
Companies aren’t without resources to help them address insider threats, and a few simple steps can go a long way. Langer offered these four takeaways:
1. Approachable security
Security has to be approachable and react professionally – responding with a high degree of confidentiality and discretion to any reported issues.
2. Training and transparency
Educating employees on what is expected of them – and what level of privacy and monitoring they should expect. Employees should be trusted, but also have verification procedures in place.
3. Team approach
Multiple disciplines must be involved – HR, IT, communications – and security.
4. Security Management Software
Today, there are tools and resources available to help record, assess, and address issues. Security management software ensures the entire company has access to a suit of tools to help it address insider threat or employee issues, and that those processes extend beyond a single individual or office.
It’s not if an insider threat issue will affect your company, it’s when. Taking a whole of company approach helps ensure issues are addressed in advance.
