Janet Hale is a director at Deloitte Services LP and former undersecretary for management at the Department of Homeland Security.
Since its inception, the Department of Homeland Security has invested significant time and resources into detecting and mitigating insider threats, integrating information from a variety of internal sources including the Office of the Chief Human Capital Officer, the Chief Information Security Officer, the CIO, CSO, and Internal Affairs at both the component and headquarters levels.
However, as the workplace becomes more virtual and less compartmentalized, the need for increased organizational focus on insider threat has never been greater, as evidenced in recent incidents like the NSA leaker and Navy Yard shooter. Through its Information Sharing and Safeguarding initiative, DHS is taking a proactive approach in responding to the increased need. DHS has developed an initiative focused on increasing the collation and analysis of IT systems to help identify specific behavioral indicators that may suggest a potential insider threat issue. DHS has also established protocols on how to investigate instances when its models indicate the possibility of an insider threat issue. This initiative is expected to enhance the department’s ability to identify and mitigate threats before they escalate.
The steps taken through the Information Sharing and Safeguarding initiative move DHS’s insider threat program forward. However, to develop a holistic insider threat initiative, the agency should look to further expand its efforts outside of the technical realm. Because people are the core of the insider threat challenge, DHS should complement its enhanced analytical capabilities by looking for ways to further foster an environment of security awareness and deterrence. For example, training on insider threats can build awareness of the problem and alert employees to the protocols that they should follow should they encounter a suspicious situation.
In a recent publication, “Top 10 considerations for building an insider threat mitigation program,” Deloitte outlined critical considerations to take into account when creating and enhancing an insider threat program. The following list identifies the top ten things an agency leader should consider when developing an insider threat program:
1. Define your insider threats – Develop a specific working definition of the threats faced by your organization and business environment.
2. Define your risk appetite – Define your organization’s critical assets that must be protected, as well as tolerance for loss or damage in those areas.
3. Leverage a broad set of stakeholders – Establish a cross-disciplinary insider threat working group that can serve as change agents and help confirm the proper level of buy-in across departments and stakeholders.
4. Technology alone won’t solve the problem – Avoid focusing exclusively on a technical solution, as effective programs also promote an environment of security awareness and deterrence.
5. Trust but verify – Implement routine and random auditing of privileged functions.
6. Look for precursors – While moving along the continuum from ideation to action, insiders often display observable behaviors that can serve as potential risk indicators for early detection.
7. Connect the dots – Correlate potential risk indicators captured in virtual and non-virtual arenas to gain insights into trends regarding the high risk behaviors exhibited across the organization.
8. Stay a step ahead – Use a feedback mechanism that includes an analysis of on-going and historical cases and investigations.
9. Set behavioral expectations – Define the behavioral expectations of your workforce through clear and consistently enforced policies.
10. One size does not fit all – Customize the workforce’s training to address the specific insider threat risks, challenges and responsibilities for each position.
DHS has already implemented insider threat-related trainings, but a continuing communication strategy is essential to help update employees on changing policies and evolving threats and to reinforce awareness. A holistic approach looking at the virtual and non-virtual indicators that could signal an insider, combined with a strong awareness and reporting process, contributes to analytical detection techniques that identify anomalous behavior. In many instances, it is the observations of co-workers that capture many risk indicators, such as personal problems (e.g., issues with drinking, gambling) or disgruntled feelings, that can be difficult for technical models or leadership to identify. Another important way to help employees through difficult times and keep them engaged in the mission of the agency is through an Employee Assistance Program (EAP). The EAP offers solutions for employees in crisis who may be a potential threat. DHS currently has an EAP, but it will only be effective to the extent that employees who are under stress take advantage of it.
Organizations should develop an ongoing evaluation model to verify that their insider threat programs are effective and are cultivating a security-minded environment. As the workplace continues to evolve and public and regulatory scrutiny increase, DHS should continue to enhance its insider threat program’s strategies. The analytical advances seen in the Information Sharing and Safeguarding initiative are a step forward in the agency’s ability to detect insider incidents in a virtual space before serious damage can be done; however, for the agency to maximize its ability to combat insider threats, it should go beyond high-level policies and analytical models and develop a holistic program that looks at the whole person and the role they play in the organization. It must partner with its employees to collaboratively mitigate insider threat.