I've spent the past several months writing about building an effective and successful insider threat program. Over the last two months, we've looked at the topic through the lens of the three "As": advocacy, agility, and authority. Since I've already covered advocacy and agility, it should come as no shock that this month's blog focuses on the third "A": authority.
In my experience, one of the most difficult hurdles to overcome when developing a program is convincing senior leaders to give proper authority to the head of the insider threat program. For a variety of reasons, leaders often withhold authority, wanting to keep the final say on actions to themselves. However, when the organization needs to take immediate action to respond to a threat, the extended chain of command leads to untimely or unnecessarily delayed responses. The result is confusion and failure.
I can't say enough about the frustration that occurs when you know which actions to take but can't get hold of leadership to gain necessary approval to take that action. It gets even worse when multiple department heads have to agree before you can act. Inevitably, the decision is shuffled from one department head to another, waiting for consensus, while the problem escalates or even gets entirely out of control.
In the case of insider threats, time wasted means more data lost or damaged, and fewer options left for containing the incident.
Hamstringing the process
The major problem is that, without authority, your response to any threat will not be agile or strong enough to stop or contain the incident. Authority to act is an essential element of success; without it, the program produces confusion, disorganization, and failure.
I have quoted Sun Tzu before, so pardon the repetition, but he has much to add to this discussion. "When the general is weak and without authority; when his orders are not clear and distinct; when there are no fixed duties assigned to officers and men, and the ranks are formed in a slovenly haphazard manner, the result is utter disorganization."
Cyber-adversaries don't care how we are organized; in fact, they benefit when we are not. When an organization attempts to establish an insider threat program but does not grant the necessary authority, Sun Tzu's admonishment is in full effect. Responses to threats will be weak, unclear, and slow, and will lead to failure.
Laying out the requirements
The National Insider Threat Task Force issued some basic rules for establishing effective insider threat programs. Three initial tasks were deemed requirements:
- Establish a policy signed by the organization head
- Appoint a senior executive with responsibility for the program
- Publish a plan of action
These are three very easy and concise steps. When I was working with US government agencies, I was amazed to see how many could not meet these requirements within a two-year window. I believe this lack of simple organization and granting of authority is the very reason why so many organizations continue to be attacked.
The issue isn't just on the government side, either. Businesses could learn the same lesson: establish the policy, appoint the executive, and grant real authority to the head of the insider threat program.
By withholding authority, senior leaders also often fall into the trap of attempting to manage matters that are beyond their ability or capacity to successfully handle. Too often, I had to wait for my senior to return from leave or heard he was "too busy" to chat about something that was incredibly timely and important.
Former Secretary of Defense Donald Rumsfeld had some very sage advice that is incredibly relevant to this situation. He said, "You will launch many projects, but have time to finish only a few. So think, plan, develop, launch and tap good people to be responsible. Give them authority and hold them accountable. Trying to do too much yourself creates a bottleneck."
When establishing an insider threat program, remember that authority is one of the three "As" of success. Without it, your organization will not succeed in countering threats, and you leave yourself open to successful attacks.
Remember that you are the guards protecting all the data within your systems. Don’t be disorganized in your efforts, and don’t be a bottleneck. If you are in a position of power, grant the proper authority and trust your professionals. It will save you and your organization.
Keith Lowry is the senior vice president of Nuix USG and Nuix's Business Threat Intelligence and Analysis division. He served as chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence and security at the Pentagon, and as an information security consultant in the private sector.