Background: The IC Analyst-Private Sector Partnership Program, sponsored by the Department of Homeland Security's Office of Intelligence and Analysis on behalf of the Director of National Intelligence, facilitates collaborative partnerships between members of the private sector and teams of experienced Intelligence Community (IC) analysts. The areas of focus selected for this year's program, based on intelligence priorities, were: Energy Security, Money Laundering, Identifying and Countering Insider Threats, Air Domain Awareness, Identity Theft and Illicit Activity, and Game Changing Biotechnology. Our group, based on the individuals' experience and expertise, was selected to work on the Insider Threat topic.
Deliverable: Our group set out to develop a resource that provides the essential elements required to initiate an insider threat program. To accomplish this, our group relied on several sources, including personal experience in the public and private sectors, interviews with industry experts, overviews of insider threat programs, and countless discussions among team members. The 13 essential elements were developed to follow a timeline from the first step (Initial Planning) to the last (Feedback/Lessons Learned). In practice, the processes required are iterative and will require coordination and communication throughout.
In addition, we reviewed more than 200 insider threat publications, and mapped them to the 13 Essential Elements. The degree of relevance to each element is also indicated in the spreadsheet. We believe that this spreadsheet will serve as a useful resource for any organization that is creating or maturing an insider threat program.
Significant theft by trusted insiders or the loss of sensitive data by cyber intrusion were often drivers for establishing a corporate Insider Threat program. It took one company five years and a series of incidents before its senior leadership committed to investing in an Insider Threat program.
Individuals setting up new programs should tap into existing resources as a first step. Some large defense contractors have already implemented some of the functions of a basic Insider Threat program, but most have not formalized the program or integrated it across the organization. A good first step is to determine what resources and programs already exist in security, counterintelligence, information technology (IT), legal, and human resources (HR) before purchasing or building new capabilities. Integrating and building upon existing resources saves time and minimizes the costs associated with getting a new program off the ground.
Both pilot and full-scale approaches are viable. One company decided to pilot a program and successfully used suspicious activity they identified during the pilot to justify further investment. A second company went for full program investment and implemented an enterprise-wide deployment upfront. Both approaches worked for their respective corporate cultures and their approaches to managing risk.
While corporate security, CI, or IT security offices tend to lead these efforts, program leaders stressed the importance of getting the right players and functional areas involved with program development, oversight and execution. A team approach is vital.
Examples include: IT, human resources (HR), legal, privacy, ethics, communications, security, CTO, and key business units. One Chief Security Officer (CSO) was adamant about involving the legal department from the earliest stages of program development. This CSO noted that it was helpful to have a single point of contact from the legal department who can work on intellectual property (IP) protection, CI, and insider threat matters.
Senior leadership buy-in must be demonstrated by both initial support for the program and a willingness to make meaningful investments in resources to build essential capabilities. Buy-in requires the decision-making ability to hire the right people, buy or develop technical tools, and create processes for internal stakeholders to implement and oversee the program. It also involves defining measures of success and outcomes. Finally, leadership is directly involved in communicating with the workforce.
One suggestion repeated by several experts for obtaining and sustaining buy-in is to develop a compelling presentation using real insider threat cases from inside the organization itself, or from other organizations in the same sector. Including dollar losses and other business impacts of those cases (reputation loss, stock drops, lost market share, etc.) can help make a business case for an insider threat program.
The risk management process involves identifying and prioritizing critical information and assets, as well as people (employees/vendors/partners) in high-risk groups. In addition, you must identify who has access to the “crown jewels,” as well as who should have access. Finally, processes should be implemented for maintaining appropriate access to critical assets over time; employees tend to accumulate an increased level of access over time, and access is not usually taken away when it is no longer needed.
During the risk management stage, one company invested six months to interview over 400 engineers to obtain consensus on protected “classes” of information. This inclusive process played an important role in obtaining buy-in from the workforce when implementing the program. Cross-functional communication and collaboration is essential for establishing an insider threat program.
One CSO felt that hiring experienced CI/law enforcement professionals was the key. One can build a solid program with only a few people if they have the right blend of IT, CI and law enforcement experience. Another company preferred hiring a greater number of experienced IT professionals over experienced CI/law enforcement professionals because it was easier to teach IT personnel to develop a CI/law enforcement mindset than the other way around. Ultimately, Insider Threat detection and response requires a blended approach.
Mature insider threat programs in several companies followed a three-tier governance model. The first tier involves engaging corporate leadership, potentially through presenting at an annual meeting and securing an initial commitment to establish an insider threat program. The second tier involves establishing an advisory and review committee, usually composed of vice-president level officials from human resources, privacy, ethics, security, and other relevant departments. Finally, the third tier is a steering committee at the senior manager level responsible for general oversight of the program.
Several companies highlighted the importance of corporate communications. One CSO noted, “An internal corporate communications strategy is absolutely vital.” The CSO stated that you cannot afford an ill thought-out communications plan, as it will destroy employee support for the program just as much as “false positives.”
Several companies expressed the importance of having the CEO deliver, or visibly support, the initial rollout messaging. These companies used their corporate communications experts to craft messaging and message delivery strategies. One company even used employee focus groups to test reactions to draft messaging.
Most companies emphasized starting with a general safety, security, and IP protection message. Employees need to understand that protecting the company’s Intellectual Property, reputation, and financial health directly impacts jobs, stock option prices, etc. One CSO stated, “I’m trying to focus on the 1 percent of bad actors who threaten your lab’s reputation and future existence…and I need your (i.e. 99 percent’s) help.”
A common theme in company interviews was the need to create a high-risk user group based on employee separations, reductions in force, poor performance reviews, and other factors in order to prioritize threats. One expert mentioned a 30-day rule for increased monitoring prior to a termination or derogatory personnel action. Organizations can also alter or strip such employees' access to sensitive information as a risk mitigation measure.
Several companies noted that it’s important to have both technical/IT and employee-reporting program components. One CSO indicated that 80 percent of leads originated from electronic monitoring and audit programs, while the remaining 20 percent originated from employee reporting or other traditional security avenues.
Several program managers confided that obtaining access to relevant underlying data streams was their hardest challenge. Often, the technical aspects are simpler than identifying relevant data streams, obtaining access to those data streams, and getting internal information sharing policies approved. Companies specifically cited challenges with:
Four companies in the study invested internal resources to build their own tools. These tools combine technical data with non-technical data, including HR information. One company markets their tool to government agencies and other companies. Two others utilize their tools to enhance and integrate their own Insider Threat capabilities. One company’s tool can detect changes in patterns of behavior by performing behavioral analysis and profiling by job function to identify outliers. A few organizations have implemented risk scoring mechanisms in their technologies.
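The profiling-by-job-function and risk-scoring approach described here, combined with the high-risk user group and 30-day rule from the earlier section, as an added Python illustration (not any company's tool): it scores each employee's sensitive-document access against peers in the same job function using a robust median/MAD baseline, weights members of the high-risk group, and applies an absolute volume floor so that low counts are never flagged. The employees, counts, thresholds and weights are all constructed.

```python
from statistics import median

# Constructed sample (not real data): (job function, days until a pending separation
# or adverse action recorded by HR, or None) per employee.
EMPLOYEES = {
    "e001": ("engineer", None), "e002": ("engineer", None),
    "e003": ("engineer", 12),   # resignation notice given: inside the 30-day window
    "e004": ("engineer", None), "e005": ("sales", None),
    "e006": ("sales", None), "e007": ("sales", None),
}
# Constructed technical signal: sensitive documents each employee opened today.
DOC_ACCESS = {"e001": 20, "e002": 22, "e003": 60, "e004": 18,
              "e005": 2, "e006": 3, "e007": 9}

HIGH_RISK_WINDOW_DAYS = 30   # the "30 day rule" for increased monitoring
HIGH_RISK_MULTIPLIER = 1.5   # assumed weight applied to the high-risk group
FLAG_THRESHOLD = 3.0         # assumed cutoff; raise it to trade recall for fewer false positives
MIN_COUNT_TO_FLAG = 5        # tiny volumes never justify opening an inquiry
MAD_FLOOR = 1.0              # stops a near-constant peer group from dividing by ~0


def peer_baselines(employees, counts):
    """Median and MAD per job function; robust, so an outlier does not inflate its own baseline."""
    by_job = {}
    for emp, (job, _) in employees.items():
        by_job.setdefault(job, []).append(counts.get(emp, 0))
    out = {}
    for job, vals in by_job.items():
        med = median(vals)
        out[job] = (med, max(median([abs(v - med) for v in vals]), MAD_FLOOR))
    return out


def score_employees(employees, counts):
    """Peer-group anomaly score weighted by HR risk-group membership; returns per-employee results."""
    baselines = peer_baselines(employees, counts)
    results = {}
    for emp, (job, days_to_sep) in employees.items():
        med, mad = baselines[job]
        count = counts.get(emp, 0)
        anomaly = max(0.0, 0.6745 * (count - med) / mad)   # robust z; only excess access matters
        reasons = [f"{count} docs vs {job} median {med:g} (MAD {mad:g})"]
        weight = 1.0
        if days_to_sep is not None and 0 <= days_to_sep <= HIGH_RISK_WINDOW_DAYS:
            weight = HIGH_RISK_MULTIPLIER
            reasons.append(f"separation in {days_to_sep} days")
        score = anomaly * weight
        flagged = score >= FLAG_THRESHOLD and count >= MIN_COUNT_TO_FLAG
        results[emp] = {"score": round(score, 2), "flagged": flagged, "reasons": reasons if flagged else []}
    return results
```

Note that e007's nine documents would be unremarkable for an engineer but stand out against the sales peer group, which is the point of profiling by job function; e003 is flagged both on volume and on the separation window.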
The theme that technology is a tool rather than a complete solution was emphasized during several discussions.
One CSO noted: “You must have clear authorities and a capability to do something once red flags are identified. This includes some sort of internal capability or process for figuring out if there’s actually a problem and (ideally) what type of problem it is. Once you understand what’s going on, you have to take some sort of action.”
Too much information can lead to false positives, which waste investigative resources and deflect attention away from more serious indicators. An Insider Threat program must be designed to minimize false positives, and the process for handling false-positive events should be worked out in advance.
One CSO initiated a quarterly report to show progress and sustain buy-in among stakeholders. It is important to provide metrics to management as an effective way of gaining momentum and support for the program. Another CSO stated that it is not enough to simply identify problems and increase cases. Additional study is needed to illustrate best practice in demonstrating return on investment in insider threat programs.
Multiple experts recommended creation of a mechanism, such as a secure forum, for Insider Threat practitioners to build trust and share lessons learned. Feedback based on case studies ensures that senior leaders and program managers can make appropriate risk management decisions and refine their program. Equally important, case based examples will greatly improve communication, training, and awareness materials and efforts.
Intelligence and National Security Alliance, 4301 Wilson Boulevard, Suite 910, Arlington, VA 22203 Phone: (703) 224-4672, Fax: (571) 777-8481.