Employee discontent: Insider threat No. 1

In the world of insider risk management (IRM), how an employee views their relationship with their company is as important as how the company views its relationship with the employee.

This might sound like a simple equation, in which mutual back-scratching and support equal success, comfort, and tranquility. But from this set of jaded eyes, it’s not simple at all — and it’s an area CISOs should pay increasing attention to today.

The employee-employer relationship involves a number of people — executives, managers, supervisors, colleagues — all of whom influence how any given employee (or contractor) may view their position in the corporate ecosystem, and all of whom may be “grading” the individual contribution of the employee.

This tends to make the actual equation more complex than any polynomial algebraic equation. Yet like most algebraic equations, a solution exists.

Last year Pew Research issued a report that has not percolated to the top of the discussion on insiders and their behaviors. The report found that only half of US workers are very or extremely satisfied with their jobs. More pointedly, those who received regular feedback from their managers were much happier than those who didn’t.

These factors must be part of every CISO’s IRM strategy.

Watch for discontent in the shadows

When it comes to IRM, CISOs focus predominantly on technologies: user entity behavior analytics (UEBA), security information and event management (SIEM), data loss prevention, and the like. There isn’t as much emphasis on stepping outside the view of their colleagues as streams of user data, to instead see them as people with complex lives and various pressures placed upon them.

But discontent can brew in dark places, some of which may manifest into a risk and then morph into a threat. If CISOs pay no attention to the human side of the equation, they are exposing their organizations to risks that might otherwise be avoided with a little work.

CISOs themselves are no strangers to discontent. Indeed, a 2024 IANS/Artico report highlighted that three of four CISOs are ready to exit their current role. No bones about it, the cybersecurity field is tough and can take a toll on people. If that’s not a signal to pay more attention to people throughout the organization, I don’t know what is. A good leader should know that if they’re stressed and struggling, their teams are most likely in the same boat.

Lack of feedback can lead to dissatisfaction

The Pew report, which followed the years cataloged as the “great resignation,” breaks down employee satisfaction along a variety of vectors. No surprise, lower levels of satisfaction surround compensation, benefits, opportunity for promotion, training/development, and feedback on performance.

Higher scores came in with respect to day-to-day tasks, colleagues, and relationships with supervisors or managers. Where the Pew data diverges is along generational divides, with those who are my age, 65-plus, tending to be more satisfied (we are on the right side of the ground after all) than those in the 30-49 bracket.

Sadly, over 55% of respondents say they don’t have someone at work whom they consider a mentor. And 28% are of the opinion that their employer doesn’t really care much about them at all.

Let that sink in. If the employee thinks their employer doesn’t care, that lack of interest might very well be reflected as if in a mirror — the employee won’t care and as such, we have an unnecessary and preventable risk to the entity.

The report gives the solution to the reader: More engagement between workers and their management/supervisor and more feedback given/received equates to greater satisfaction (lower risk).

Where dissatisfaction meets opportunity

The recent DTEX Systems Insider Risk Investigations Report (Foreign Interference: Special Edition) found that 70% of DTEX’s customers had reported approaches from foreign entities, including nation-state actors.

As a long-in-the-tooth former intelligence officer, I am not surprised by this data point, as such activity has been ongoing for years. Only now are entities understanding how the world of nation-state espionage works, and how hostile intelligence entities seek out vulnerabilities in their target group.

This is where it is important for CISOs to be part of the entity-wide team involved in such issues. They should not be operating in a vacuum, relying only on the “data produced” persona. An anomalous behavior reported to human resources, for example, may not manifest itself in online or device behavior.

For example, in the mid-1980s CIA officer Edward Howard prepared for a sensitive assignment in Moscow. As part of the routine processing for the assignment, a polygraph was administered. During this polygraph, it is alleged Howard confessed to an incident of petty theft — stealing cash out of individuals’ purses. He was terminated but went on to do tremendous national security damage. His behavior wasn’t seen, wasn’t suspected, yet when it became known action was taken.

Howard took steps to avoid detection and successfully defected to the Soviet Union and was resettled. Some years later, he accidentally fell down the stairs in his cottage, broke his neck, and died.

The steps he took to breach security employed his operational acumen in evading notice, and indeed, the DTEX report shows us that 77% of malicious insiders took steps to conceal their activities.

Staying safe from insider threats hinges on human engagement

This is not unusual. The civilian US Navy nuclear engineer Jonathan Toebbe, who tried to sell secrets to Brazil (which wanted nothing to do with him and brought the FBI into the mix), revealed, in his effort to volunteer the sensitive and highly classified information, that he had received insider-threat training.

“I was extremely careful to gather the files I possess slowly and naturally in the routine of my job, so nobody would suspect my plan,” Toebbe later said. “We received training on warning signs to spot insider threats. We made very sure not to display even a single one. I do not believe any of my former colleagues would suspect me if there is a future investigation.”

And they didn’t. Had he chosen a country other than Brazil, one may speculate that he would have never been discovered.

Yet, in hindsight, with both Toebbe and Howard, there were other signals, human signals that may have been detectable but weren’t detected. That would be reason enough to look at your team, identify anomalous behavior, and see whether there is a risk manifesting or if the individual is simply quirky.

Promote a culture of see something, say something

No one likes to be a snitch. But we all should keep in mind that highlighting a violation of policy, procedure, or odd behavior outside the norms isn’t snitching; it is proactively taking action to resolve a possible risk.

This is where the good news exists. Again, pulling from the DTEX report, 72% of investigation requests in which the company (DTEX) was asked to assist their customer in resolving a problem — that is, determine whether there was a risk, a threat, or the situation was benign — were initiated by their customer’s human resource department.

A culture of see something, say something is necessary for every entity and absent such, the CISO and others holding the responsibility and accountability of protecting the entity’s assets will be operating in the dark.

Insider risk management is a team effort, with the CISO holding key technological ingredients to successful implementation. Yet not all the key ingredients are to be found in data — the human is in the mix as well, and it is wise to remember that a human problem requires a human solution.
