Insider Threats: How CISOs and HR Can Collaborate Effectively
Insider threats, once a secondary concern in the broader security strategy, have now become a focal point due to their potentially devastating impact. This evolution was highlighted in a recent discussion between Tim Byrd, CISO of M&T Bank, and Dorene Rettas, co-founder of the Cyber Security Tribe. Their conversation underscored the necessity for organizations to adapt to the changing nature of these threats and to foster closer collaboration between key departments within an organization, particularly between the CISO and Human Resources (HR).
The Changing Nature of Insider Threats
Insider threats are no longer viewed as isolated incidents of data loss or sabotage. Instead, they are recognized as complex, multifaceted risks that require comprehensive strategies to manage effectively. The traditional view of insider threats primarily centered around data loss prevention. Today, this view has expanded to encompass a broader understanding of employee behavior, motivations, and risk indicators.
One significant shift is the recognition that insiders can be both intentional and unintentional threats. While the intentional insider, who deliberately seeks to cause harm or profit from unauthorized data access, is a rare but serious concern, the unintentional insider is far more common. These are employees who, through negligence or lack of awareness, expose sensitive data or create vulnerabilities within the system. Addressing these unintentional threats requires robust training programs and a culture of security awareness throughout the organization.
Leveraging Technology and Data
The advancement of technology plays a pivotal role in modern insider threat programs. Byrd reflects on the early days of his career when tools and solutions for managing insider threats were rudimentary at best. Today, the availability of sophisticated technological solutions allows for more effective monitoring and analysis of employee behavior. Innovations such as automated risk scoring and advanced data analytics enable organizations to proactively identify potential threats before they materialize.
For instance, modern solutions can flag risky behavior patterns, such as an employee accessing sensitive data outside of normal working hours. These indicators, when aggregated and analyzed, provide a comprehensive risk profile for each employee. This approach enables CISOs to prioritize monitoring efforts and deploy resources more effectively.
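The risk scoring the article describes, as an added example (not code from the article or from any product it mentions): each access event is checked against a few indicators, the indicators are weighted, and the weights are aggregated into a per-employee score. The log format, the 08:00-18:00 working window, and the weights are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from the article):
# timestamp, user, resource, sensitivity label, bytes read
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice hr/payroll.xlsx sensitive 120000
2024-03-04T23:40:00 bob finance/ledger.csv sensitive 5400000
2024-03-05T02:15:00 bob finance/forecast.xlsx sensitive 300000
2024-03-05T10:05:00 carol docs/handbook.pdf public 80000
2024-03-06T19:30:00 alice hr/reviews.docx sensitive 40000
2024-03-09T11:00:00 carol finance/ledger.csv sensitive 200000
"""

BUSINESS_HOURS = (8, 18)  # assumed working window: 08:00 to 18:00 local time
WEIGHTS = {"off_hours_sensitive": 3, "weekend_sensitive": 2, "large_sensitive": 2}
LARGE_READ_BYTES = 1_000_000  # assumed threshold for a "large" sensitive read

def parse_line(line):
    ts, user, resource, sensitivity, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "resource": resource,
            "sensitive": sensitivity == "sensitive", "bytes": int(size)}

def indicators(event):
    """Names of the risk indicators a single access event triggers."""
    hits = []
    if not event["sensitive"]:
        return hits  # only sensitive-data access contributes to the score
    hour = event["ts"].hour
    if hour < BUSINESS_HOURS[0] or hour >= BUSINESS_HOURS[1]:
        hits.append("off_hours_sensitive")
    if event["ts"].weekday() >= 5:  # Saturday or Sunday
        hits.append("weekend_sensitive")
    if event["bytes"] >= LARGE_READ_BYTES:
        hits.append("large_sensitive")
    return hits

def risk_profile(log_text):
    """Aggregate weighted indicators per employee: score plus the evidence behind it."""
    profile = defaultdict(lambda: {"score": 0, "evidence": []})
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        for name in indicators(ev):
            profile[ev["user"]]["score"] += WEIGHTS[name]
            profile[ev["user"]]["evidence"].append((ev["ts"].isoformat(), name, ev["resource"]))
    return dict(profile)  # users with no triggered indicator are absent

def ranked(log_text):
    """Employees ordered by descending score, i.e. where monitoring effort goes first."""
    prof = risk_profile(log_text)
    return sorted(prof, key=lambda u: prof[u]["score"], reverse=True)
```

Keeping the evidence list alongside the score matters in practice: a number alone cannot be discussed with HR, but the specific events behind it can.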
The Critical Role of CISO and HR Collaboration
A significant insight taken from the conversation is the necessity of close collaboration between the CISO and HR. Historically, insider threat programs were heavily focused on cybersecurity tools and protocols. However, effective management of insider threats requires a holistic approach that integrates insights from HR, physical security, and other relevant departments.
Byrd emphasizes that a successful insider threat program depends on early and ongoing collaboration with HR. This relationship is crucial for:
- Behavioral Insights: HR can provide valuable insights into employee behavior and sentiment, which are critical for identifying potential insider threats. Understanding the human element behind security incidents is essential for developing effective preventative measures.
- Building Trust: Establishing a strong partnership with HR requires building trust and demonstrating the value of security measures in protecting both the organization and its employees. HR is a critical partner to ensure that the right employment policies are put in place to proactively educate employees on expected behaviors.
Conduct Risk and the Future of Insider Threat Programs
The concept of "conduct risk" has emerged as a significant factor in the evolution of insider threat programs. Stemming from high-profile incidents and scandals, conduct risk encompasses a broader range of behaviors and ethical considerations beyond traditional cybersecurity concerns. This new risk type requires organizations to consider a wider array of factors when assessing insider threats, including physical security and fraud.
The integration of conduct risk into the broader risk management framework represents a crucial step forward. This approach aligns with the evolving understanding that insider threats are not solely a cybersecurity issue but a complex interplay of various risk factors. Moving forward, organizations must ensure that their insider threat programs are comprehensive and adaptive, incorporating insights from multiple disciplines and leveraging advanced technological solutions.