So much of the noise today seems to still focus on the adversary/hacker breaking the perimeter and accessing a network. While that is a huge problem, I wanted to shed more light on the insider threat problem and better understand some potential trends. I interviewed three experts providing perspective from the technical, legal and compliance, and consulting viewpoints. Experts include:
Randy Sabett is vice chair, privacy and data protection practice group at Cooley
Matt Olsen is president at IronNet Cybersecurity, former director at NCTC
Bob Gourley is a partner at Cognitio, former CTO at DIA
Since cyber should be a team sport in all companies, is the better analogy soccer, football, or something else?
Randy Sabett-- The analogy would be toward something just slightly different…rugby. Both rugby and cyber have been around a long time. Both involve the teams getting messy and doing things in a fluid manner. Also, though I’m not a rugby player or insider and so don’t understand all of the rules, I think about cyber today as being like a big scrum. The good guys and the bad guys all converged together on the network trying to maintain their position, though every now and again someone breaks free and scores (analogous to a successful breach if it’s the hackers and successfully defending against a breach if it’s the enterprise).
Matt Olsen-- There’s no doubt that cyber requires a team effort. So, I think the best sports analogy for cyber security is basketball. It is almost March Madness in college basketball, when the intensity of the games heats up. What you notice on the court is that the teams with the best defenses perform best during the tournament. The key point here and why I think basketball is the best analogy for cyber security is that a good defense is often the springboard to a good offense. Defense leads to scoring opportunities. By analogy, a strong defense, protecting a company’s networks and data, can lead to opportunities on the offense, that is, revenue. Cyber security has become a differentiator in the marketplace. Companies with the best defense in cyber also have the best chance of success on the offense.
Bob Gourley-- Sporting analogies are great conversation starters to discuss the topic of cybersecurity. Business leaders need to think through how to coach a broad team in reducing digital risk. CEOs need all their top executives to know they have a role in reducing digital risk and all should understand they face a dynamic adversary who is also fielding a capable team.
In your experience, whose direct responsibility in large companies is insider threat? Both proactive and reactive.
Randy Sabett-- I find that insider threat responsibility usually falls within the purview of the CISO for proactive purposes and the CISO, VP of HR, and CFO for reactive purposes. I’m not sure that most organizations have thought of this as a separate responsibility yet, though that may change over time.
Matt Olsen-- On one level, protecting against insider threats is everyone’s responsibility. I know this sounds like a platitude, but the fact is that every employee of a company has the responsibility to protect data from threats that lurk inside the company. Often a coworker, rather than a supervisor, is in the best position to identify and stop an employee bent on stealing company secrets. In terms of direct responsibility, the Chief Information Security Officer or Chief Security Officer typically shoulders the burden of preventing employees from threatening a company’s information. This is accomplished through policies, procedures, and technologies all working in combination to protect the data and information assets of companies.
Bob Gourley-- The greatest resource of a company is its people. The role of the Human Resources leader is to help the CEO in managing that great resource, but all line of business executives care for and lead their people. In the case where a person becomes malicious the HR department and line of business executive both have huge responsibilities, but they will need support of IT and security. How this plays out will vary from company to company. Our recommendation for larger firms is to appoint an insider threat manager who can help HR, IT and the line of business executives think through policies to mitigate threats in advance and, if the unthinkable occurs, help lead actions across boundaries to detect, respond and recover.
Do you think companies will eventually create a VP Insider Threat position?
Randy Sabett-- Companies that have a large insider threat concern might consider such a position, but it might better fit under a slightly broader VP of Internal Security position (i.e., someone focused on only the internal aspects of cyber). Correspondingly, there would then be a VP of External Security focusing on threats from outside the network.
Matt Olsen-- That’s an interesting idea, and I do think the problem of insider threats has risen to the level that companies will be looking at organizational changes to protect their data. According to one study, 69 percent of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months. And 43 percent of businesses need a month or longer to detect employees accessing files or emails they're not authorized to see. At the same time, I would urge companies to make “insider threat” protection a shared responsibility, rather than creating a new executive position dedicated to this problem, which may send the wrong message to the workforce. Protecting sensitive data is the responsibility of coworkers, front-line supervisors and company executives alike; that should be the overriding message about stopping insider threats.
Bob Gourley-- Thinking of that sends a chill up my spine. Would we ever get to the point in American business when we would need to watch for that many malicious people? We have all been tracking a rise in leaks and unauthorized activity and it may rise to the point of a crisis in many firms, but the way to address growing challenges like this should be to do it within the existing leadership structure. Creating a separate position may make it seem like the problem is being addressed but if this is not done in a holistic way little progress will be made. So, my hope is we never see a position of VP of Insider Threat. And if we do see that in a company, I'm shorting that firm's stock.
Do you think continuous monitoring will become common practice for directors, officers, and/or employees?
Randy Sabett-- I believe continuous monitoring can be deployed across all parts of an organization as a way of determining not only compliance but also security on a real-time or near real-time basis. As such, any position that has compliance in its list of responsibilities should consider CM. In addition, the security function should consider CM as a way of gaining more granular insight into the overall security posture of the organization.
Matt Olsen-- Most large companies with sensitive data have adopted technologies that enable continuous monitoring of devices on their networks. This is necessary to stop both insider threats and external actors. Network monitoring to protect company networks does not mean intrusive “big brother” reading employee emails. Cyber security is achieved by analyzing traffic metadata at network speed for anomalous activity on the network, and then rapidly identifying when that anomalous activity is malicious so that security operators can intervene. This approach is effective in addressing