Over the past few months, I've written a lot about insider threats here. The term "insider threat" denotes someone who has access within an organization, while at the same time connoting a person who potentially causes harm to that organization. There are varying definitions for insider threats across government and commercial entities; however, for the purposes of our discussion, someone "inside" an organization who causes harm will be called an insider threat.

A people problem

The real significance of the term "insider threat" to me is that we are talking about people and their actions. Insider threats are a people problem much more than a technology problem. No matter what vehicle is used to deliberately or unintentionally cause harm, a person is behind the activity. Too often, we forget this simple concept in how we execute counter-insider threat programs.

Establishing policies, implementing processes and selecting appropriate technology all play a part in the overall defense against insider threats. Without advocacy, authority and agility, no counter-insider threat program will be successful. All of these factors must take into account that, at the core, we are dealing with the actions of people.

Balance human and organizational needs

Precisely because insider threat programs are about people, senior leaders, midlevel management and even employees have an innate (and I’d say inordinate) distrust and avoidance reaction to them.

Many of their concerns are valid, which is why we must design and implement insider threat programs with care and understanding. Of course, all programs must consider privacy and civil liberties while at the same time protecting the organization’s critical value data.

In my experience, the best way to overcome these internal hurdles is through a large investment in training and educating everyone at the organization. Only by spending significant energy on training and education are we able to ease the distrust toward counter-insider threat programs. It’s imperative to highlight, in no uncertain terms, that the program is not "big brother" watching, but rather a well-meaning and thoughtful practice that protects and even empowers employees across the organization.

Don’t fall into the trap of thinking that if you have policies, processes and procedures in place, you can place training and education on the back burner. Being up front brings more referrals and support than you would believe, and a successful employee education program helps to strengthen all of the other measures that you employ.

Recognize and celebrate success

Another trap that insider threat practitioners fall into is only bringing bad news to the organization’s leaders. I recall several instances when I would make appointments with senior leaders and they would sigh and say: "Now what?"

I’ll never forget one response from a particularly difficult leader when he informed me that he didn’t want me bringing him any more bad news. "Can’t you bring me some good news once in a while?" I learned the hard way that I had a responsibility to measure my communications. I knew I had valuable information to share, but it was my responsibility to temper the bad news with some positives every now and then.

Most readers probably won’t know the song, but famous band leader Phil Harris captures this concept perfectly in his song "The Thing" from 1950. It’s a wonderful and fun example of a man who finds a box full of something important and valuable, but everyone he shows it to wants to stay away from it. No matter how hard he tries, nobody wants to see what’s inside.

As practitioners of insider threat programs, we often have information that is valuable, important and almost always negative. Nobody will want to see what’s in our box if it’s always full of trouble. In order to be successful in our jobs, we have to make them see, and that means bringing good news along with the bad.

I am a very vocal advocate of the value that counter-insider threat programs offer to organizations, and I’ve learned a great deal about establishing, running and overseeing successful programs. I also think it’s critical to pass on these lessons so you can learn from my mistakes.

Remember that insider threats are people problems — people who create large amounts of negative data to fill your "box" whether they mean to or not. Make sure that everyone in your organization understands what your program does and learn how to present more than just "what’s in the box" to influence the decisions that your leadership group makes.

Otherwise, you’ll wind up like the man in Phil Harris’ song:

I wandered on for many years,
A victim of my fate,
Until one day I came upon
St. Peter at the gate.
And when I tried to take it inside,
He told me where to go:
"Get out of here with that …
And take it down below."

Keith Lowry is the senior vice president of Nuix USG and Nuix's Business Threat Intelligence and Analysis division. He served as chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence and security at the Pentagon, and as an information security consultant in the private sector.
