
5 Steps to Building an Insider Risk Programme


Imagine this scenario: Your company experienced an insider threat. Fortunately, the insider was stopped before there was material damage. It was a common insider threat use case, too. An employee gave their notice so that they could take a job with one of your competitors. But before they left, they started downloading sensitive strategy documents to take with them.

Given this close call, insider risk now has C-level visibility within your organisation, which is something you have been advocating for. That’s the good news – and the bad news. You have the executive support, the technology, and the people that you need. But now what? How do you make it all come together?

Whether you are starting an insider risk management (IRM) programme from scratch or you are looking to take your organisation to the next level of effectiveness, this blog provides the insights and best practices you’ll need to make your programme successful.

Why is an insider risk programme so important?

Before we describe the steps for an effective insider risk programme, it is worth discussing why having a programme at all matters. Here are the three top reasons.

  1. You shift to a proactive approach. When you’re proactive, you can prevent insider events from happening rather than reacting to them, helping to avoid financial and brand damage.
  2. You understand your risky users and data better. When you understand who your risky users are and what data and systems are most important to your business, you can ensure that security controls are in place to protect critical information and systems.
  3. You can improve your response times. With defined processes and procedures, you can improve your response times. Clearly outlining what needs to happen when and by whom helps save time when it is needed most – especially when a cross-functional response is required.

Building your programme: 5 key steps

Here are the five steps to follow to get started with an insider risk programme or to enhance your current programme.

Step 1: Assemble the team

A successful IRM programme includes designating an executive champion, identifying a steering committee, and building a cross-functional working team.

IRM is often referred to as a “team sport” because it gets people involved from across the business, including legal, human resources (HR), compliance, line-of-business leaders, executives and even the board of directors. Every group should work together toward the common goal of decreasing organisational risk. The executive sponsor is a critical role that supports and champions the programme and aids in overcoming blockers.

Step 2: Define your objectives

The goal of an IRM programme is to prevent an insider risk from becoming an insider threat. A risk becomes a threat when an individual in a position of trust harms the business, intentionally or unintentionally.

Start by outlining what makes your organisation vulnerable. This includes:

  • Identifying risky insiders. Risky insiders can include employees with privileged access, contractors, Very Attacked People™, executives, employees on a performance plan, and many others. (Note: Risky users will differ by organisation.)
  • Defining sensitive data. If you don’t know what sensitive data you have, you can’t secure it.
  • Outlining compliance requirements. Certain laws and compliance rules are best met through a holistic IRM programme that ensures privacy requirements are adhered to.
  • Balancing business needs. Find the balance between business needs, security controls like data loss prevention, and end user productivity.

Step 3: Identify your capabilities

Before you can plan your programme, you need to understand your current state. Your starting point is a critical assessment of your current capabilities, investments, and insider risk programme effectiveness level. This process can help you answer key questions like:

  • Do we have the detection, response, analytics, and prevention capabilities that we need? What are our limitations?
  • Do we have visibility across channels, including email, endpoint, cloud, and web?
  • What are our specific pain points or coverage gaps?
  • How can we make the best use of our existing investments when we roll out a more comprehensive programme?

Step 4: Operationalise

It is important to establish a security operations process for your analysts to react, triage, and escalate through pre-defined channels. Clearly defined operational playbooks can help drive investigation and mitigation actions.

Define the escalation process for working with HR, legal, compliance, executive leadership, and the business. And be sure that there is a process where the user base acknowledges and accepts the monitoring of risky behaviour.

Step 5: Iterate

Once your programme is operational, you can continuously iterate and evolve it based on business needs. That includes taking the actions below.

  • Develop goals and milestones to help grow the programme intentionally instead of reactively
  • Identify metrics based on agreed-upon milestones and the programme’s growth
  • Work with stakeholders to ensure that core business needs are being met and the programme can scale
  • Automate prevention and remediation so that analysts gain efficiencies and save time

How Proofpoint can help

Are you ready to build or enhance your IRM programme? Most businesses don’t have insider threat expertise in-house. So, you may want to tap Proofpoint in your efforts to combat data loss and insider risk. We can provide guidance and expertise throughout your journey to design, implement and manage an effective IRM programme.

Learn about Proofpoint’s approach to human-centric programmes with the information protection framework.