National Insider Threat Awareness Month just came to a close. Whether the behavior is malicious or unintentional, those with access to your networks pose the greatest risk. A number of informational campaigns last month focused on bystander engagement – taking the elements of ‘if you see something, say something’ and applying them to identifying red flags in the workplace. Fortunately, today we don’t have to rely solely on the human element to identify risk; there are also technological solutions that can help.

ClearanceJobs chats with Andrew Razumovsky, principal at CANDA Solutions, a security, risk management, and agile methodology company. Their Fresh Haystack solution delivers integrated risk management. Andrew discusses the changing technology involved in addressing insider risk and why it’s both a human- and technology-centric problem. He also discusses the fallacy of assuming the government will address your insider threats for you.

Lindy Kyzer (00:29):

Hi, this is Lindy Kyzer with ClearanceJobs.com, and welcome to this episode. It’s National Insider Threat Awareness Month. And if you’re not familiar with what National Insider Threat Awareness Month is, it is a month dedicated to providing news and information about insider risk and the insider threat, launched in 2019. We see a lot of initiatives and updates and content coming out. Today I am very thrilled to be talking with Andrew Razumovsky. He is the principal at CANDA Solutions. CANDA has a lot of innovative tools and resources to work across the personnel vetting and risk management process. Fresh Haystack is one of those solutions. He’s here to talk a little bit about insider threat, insider risk, and the role that CANDA Solutions can play in helping your organization or agency with that. So thank you so much, Andrew, for being here with us today.

Andrew Razumovsky (01:23):

Thank you for having me. Always a pleasure to chat with you, Lindy.

Lindy Kyzer (01:26):

You’ve been around this space for a while, and it’s great to have these relationships that come up with folks who are really committed to working in this space, and it’s been great to see CANDA Solutions’ Fresh Haystack involved in this process. So what is kind of your role in this whole big issue of insider threat? Insider risk?

Andrew Razumovsky (01:43):

Sure. We actually, like everything in life, started working on risk and threat assessment in 2005, post September 11th. As you know, DHS was formed and we started in the personnel security domain, but as we grew Fresh Haystack, as you kindly mentioned, we understood that the personnel security domain certainly has connections to human resource systems, to investigations, to continuous vetting today. And we kind of expanded this platform to cover multiple areas, and that’s what Fresh Haystack really does. It’s a case management platform. We understood that building ERP or customizing big ERP systems for the federal government certainly is a good services business, but the reality is there were very few homegrown or customized systems. So, we built our own with a simple motto: to build focused risk case management, specifically. And the idea is really that our motto is to make risk management easy.

Lindy Kyzer (02:56):

Fantastic. So you mentioned a lot of what’s going on in the landscape here. Do you think that most companies or agencies realize the importance of this employee vetting and continuous monitoring mission?

Andrew Razumovsky (03:08):

Sure. Most companies which are close to national security, like the Defense Industrial Base, as government organizations do, probably understand that. And again, with cases from Snowden to Nidal Hasan and others, I think there is a public awareness, certainly bigger than it was probably 10 years ago. But some of the reasons and context which probably drive this understanding would be something like regulatory compliance, for example. Many industries, or highly regulated industries, mandate background checks or continuous vetting. Many financial institutions used to do that, with background checks for cashiers, et cetera. So there are definitely some industries which are more familiar than others. Obviously data breaches and cybersecurity certainly is a huge area which many organizations today pay attention to, with the rise of cyber attacks and high-profile data breaches.

(04:18):

But also insiders could certainly pose a threat for organizations, and how important it is to protect the crown jewels or intellectual property for anybody really, not even just in the Defense Industrial Base. But then reputation management certainly is a consideration for many organizations. Nobody wants to be on the first page of the Washington Post. Companies are increasingly aware of how employee actions, both past and present, can reflect on how organizations look in the public domain. Then certainly the evolution in vetting technology. I mean 10 years ago – I know you’ve been around this space for a long time – was really the first time when we heard continuous vetting – this was a pretty foreign concept. But today, certainly in sectors like defense, government and critical infrastructure, everybody understands how crucial it is, right? And certainly some Defense Industrial Base organizations are thinking that it’s probably more on the government rather than on them. But again, there are different views of this, and I would say public expectations as well are a little bit different: people expect that large corporations and government organizations will recognize and invest in employee vetting. And obviously for small and medium-sized business organizations, which are always kind of close to my heart because we’re a small business, certainly it’s probably tougher to accomplish this since their resources are not as big as for big Defense Industrial Base contractors. So the depth and frequency of vetting and monitoring also definitely varies based on the industry, region, or compliance requirements and specific company policies.

Lindy Kyzer (06:12):

You almost called me old, Andrew. I’m going to let it slide this time, but I have been around a while and seen this, and I think that…

Andrew Razumovsky (06:18):

I just said in this space, Lindy, we’re good.

Lindy Kyzer (06:21):

I appreciate that, because I think there is something about building on the knowledge that you have over time and seeing how these risks are not necessarily something new, but there are a lot of new solutions to address them. I do love a nice origin story, and you kind of already mentioned this in the response to my first question, but I did want to talk a little bit about how you got involved in this personnel security/vetting mission and what kind of prompted you to create some of the solutions that you have.

Andrew Razumovsky (06:48):

Sure. So first, yeah, absolutely. I mean, first we did it for a few government agencies. We got involved in personnel security solutions and we built it – the first solution we ever built was on Oracle E-Business Suite, which is like a huge ERP system. And again, the problem with using these solutions, which are not specific to this domain, is that it takes you two, three years to actually build something, right? And by the time you are actually done, probably the requirements are out of date, so you need to rebuild it. And again, the idea was that, hey, as a services business, this is probably interesting and good, but we’ve got to come up with something which is specifically risk-focused. And that’s what we did. It took us about two, three years to build Fresh Haystack.

(07:37):

And we understood, from the personnel security domain, that it’s crucial to have an automated and integrated solution where possible. So, we built basically industry benchmark workflows. Now, pretty much for any government agency, if you are a Defense Industrial Base contractor, we automate the whole process of onboarding cleared candidates, and we know how crucial and time-sensitive that could be for any organization, really cutting significant onboarding time, sometimes up to two thirds of the onboarding cycle, which is huge for defense contractors. So that was kind of the first thing. We understood that, again, as you onboard someone, back to continuous vetting and insider threat, you definitely want to monitor whoever that person is. So we added insider threat solutions. We added our own AI – a risk integration and decision engine, which allows us to integrate multiple data sources, internal and external, cyber and physical security, and have a full holistic risk view of that particular individual. It depends on the position sensitivity, et cetera. And then we kind of expanded that – if we found something, what else might be needed in the same platform? And one of the things which was huge in our opinion was bringing data together, but also allowing us to investigate that case and have a full trail of what happened, where we learned information, and what actions we took, et cetera. So this is, in a nutshell, a short overview of Fresh Haystack.

Lindy Kyzer (09:17):

Amazing, and I love that you have that holistic approach. I think that’s something that we’ve talked about before, that you’ve written about: that integrated risk management, which is really key. So looking at threats from both inside and outside of the organization. Did you want to speak to that a little bit more?

Andrew Razumovsky (09:33):

Sure. Integrated risk management certainly, in our opinion, is the key. And one thing I think is interesting and pretty cool, I’ll brag a little, is that Gartner, who looks at global solutions in multiple kinds of IT technology, actually mentioned us in their market guide in 2022 on insider risk, and part of the things they liked was this view that we look at the various sections – we look at the personnel security, we look at the data outside using data source providers like LexisNexis or Thomson Reuters or many others, which I’m sure our audience knows exist on the market – in order to understand which insider threats are really real, how we can understand the full landscape, which is crucial to responding to an insider threat. Not every case, obviously, is an insider threat, but improving response time with a holistic risk view gives organizations a capability to more quickly identify the source of a breach or threat.

(10:40):

Because I always joke about this: it could be a [] on Saturday morning doing something at 6:00 AM, downloading terabytes of data. Is it really an insider threat action, or is it a production database or production migration which is happening over the weekend? So you’ve got to look at it in context, and the more context you have, the better understanding of that individual you’re going to get. And then I think another kind of critical and important thing is, obviously, ethical and privacy considerations, legal compliance reasons; all of that should be included. And the idea of having this data kind of in one platform, obviously with certain access control lists, allows us to involve every part of our organization or enterprise risk group to make the correct decision.

Lindy Kyzer (12:20):

I love that you can always tell on these calls when you’re talking to somebody who’s highly technical. So let’s just hope Andrew doesn’t realize how completely untechnical I am. But that does tie to my next question. Sometimes you see these insider threat topics put into boxes where it’s like a personnel solution. It’s like every time we have a big breach, somebody wants to find somebody to blame, and they often want to blame the personnel vetting process. Some background investigator did the wrong job, or, hey, it’s the technology: is the technology solution sufficient? Why, when it comes to insider threat, is it a both-and problem? How do we address that?

Andrew Razumovsky (12:53):

Nobody becomes the insider before that person was hired, so certainly they went through the personnel solution. Now, many organizations do not necessarily treat them as connected, and I think for the whole employee life cycle, you have to, in my opinion, connect these data sources and always kind of communicate. Now, certainly not all technology solutions can accomplish that, but for example, we always knew that HR data during hiring, the background check and all other things, knowing about that individual, paints a critical picture. So personnel solutions have certain elements like training and awareness, psychological analysis, clearance and access, potentially what the whistleblower policies are. Technological solutions, people don’t typically look at in insider threat models. Some people look at the cyber data, what’s happening online, but very few organizations, except government CV programs, really look at what’s happening outside of the organization, which is critical. Everybody has data loss prevention software, access control, but unless you bring all of this data into context, you really are not going to see a full picture. Back to holistic risk, and why it’s a both-and problem: human factors are complex.

(14:35):

While technology can detect some unusual behavior, understanding why something happened or what is behind this action is often needed. And in order to understand that, you need a human-centric approach. This is where personnel solutions like training and psychological analysis come into play, and there are limitations of technology. Although, as you said, I’m bringing up a lot of technology terms, at the same time I understand that technology is not going to solve it all, right? It certainly can help and minimize the risk, but it’s not a silver bullet. We’ve got to obviously look at the evolution of threats: as technological defenses evolve, so do the tactics of the malicious actors. And again, a multifaceted approach allows for more agility in response to new and evolving threats, which are always happening. And then back to holistic understanding. To me, this is the key: personnel solutions offer insights into motivations and potential triggers for insider threats. In order to address it, you need a synergistic approach. You need to bring both solutions together and leverage the strengths of both.

Lindy Kyzer (15:52):

Awesome. Yeah, I love that. And I think a lot of the things you’ve talked about are certainly super interesting, super relevant, and can do a lot to improve this onboarding process for candidates, which I love. One of the things that we’ve talked about before is kind of this idea of ‘clearability,’ and how you can get a decent idea, just on publicly available information, of what some of the risk factors a person has coming on board with the system are, what their chances of getting a clearance are. But I find it kind of interesting: we’re all super accustomed to the idea of a credit score and are used to that being used across a variety of financial decisions. When you talk to somebody about a security clearance score or their ability to get vetted through that process, it can kind of seem a little bit Minority Report-like. Hey, as an employer, do I want to do that kind of employment screening? What would that look like as a candidate? Do I want to sign off on this? Can you speak to that a little bit and some of the thought process around that?

Andrew Razumovsky (16:46):

Sure, absolutely. We actually use a simpler version, kind of green, yellow, red, to look more from a predictive analytics standpoint at how long it’s going to take you to onboard that candidate. So certainly a little bit different view than a credit score, but if we go back to scoring and rescoring, or risk determination or a trust determination, you can look at this in multiple ways. I think the concept of a credit score certainly is widely accepted because it’s measured based on concrete financial behaviors and actions, which is debt levels, payment history, credit inquiries; financial institutions have been using these to really assess the risk of lending money or providing credit to individuals. On the other hand, a personnel vetting or security score might seem a little big-sky, as you said, but I think the reality is you’ve got to look at the predictive nature based on the previous information, or predicting crimes before they occur. A security score to predict one’s potential for malicious activity would probably appear to make some assumptions about future action based on past or present data.

(18:06):

So obviously there are huge privacy concerns around the collection of information. You obviously need the consent of the individual, or in this case the employee. If it’s an employee, then there is potential for misjudgment, right? Kind of who is watching the watchers, right? So as, let’s say, insider threat is looking at human behaviors, and intentions are complex, you can’t really, without the most precision and understanding, always be right; there is a potential to misjudge and oversimplify intent. That certainly could happen as well. That’s why some interesting technologies like machine learning, et cetera, which we also are using to analyze the potential data which we receive, help us to learn and not make the same mistake twice, which is not always necessarily the case with a person. And then there is also a stigmatization issue, right? The potential for stigmatizing an individual based on a low security score, right? Again, I think certainly it’s a measurement, but you have to be careful how accurate and fair that measurement is. And constantly keep track and improve, whatever it is – technology, people, training. So, certainly a credit score offers a relatively straightforward measure of financial risk, but I think a security and risk score where the metrics are very well defined, clear and understandable, how that score is achieved, certainly could help to understand the risk of that individual. But obviously I would certainly add that ethical and privacy considerations have to be considered.

Lindy Kyzer (19:46):

I love that you brought up a lot of important pieces there, saying we have so much that we can do with data with the technology that we have, but we also have key accountability constraints around it, and that’s all: you need the process, but you need the people around it to help kind of set the parameters, to be involved, to look into these things.

Andrew Razumovsky (20:08):

Lindy, always a pleasure talking with you, and for anyone who wants to reach out and get more information, we will always be happy to respond: andrew@candaesolutions.com.


Lindy Kyzer is the director of content at ClearanceJobs.com.