5 Steps to Building an Insider Risk Program

Imagine this scenario: Your company experienced an insider threat. Fortunately, the insider was stopped before there was material damage. It was a common insider threat use case, too. An employee gave their notice so that they could take a job with one of your competitors. But before they left, they started downloading sensitive strategy documents to take with them.  

Given this close call, insider risk now has C-level visibility within your organization, which is something you have been advocating for. That’s the good news—and the bad news. You have the executive support, the technology and the people that you need. But now what? How do you make it all come together?  

Whether you are starting an insider risk management (IRM) program from scratch or you are looking to take your organization to the next level of effectiveness, this blog provides the insights and best practices you’ll need to make your program successful.

Why is an insider risk program so important?  

Before we describe the steps for an effective insider risk program, it is worth discussing why having a program at all matters. Here are the three top reasons.

  1. You shift to a proactive approach. When you’re proactive, you can prevent insider events from happening rather than reacting to them, helping to avoid financial and brand damage.  
  2. You understand your risky users and data better. When you understand who your risky users are and what data and systems are most important to your business, you can ensure that security controls are in place to protect critical information and systems. 
  3. You can improve your response times. Defined processes and procedures that clearly outline what needs to happen, when and by whom help save time when it is needed most—especially when a cross-functional response is required.

Building your program: 5 key steps 

Here are the five steps to follow to get started with an insider risk program or to enhance your current program.  

Step 1: Assemble the team 

A successful IRM program includes designating an executive champion, identifying a steering committee, and building a cross-functional working team.

IRM is often referred to as a “team sport” because it gets people involved from across the business, including legal, human resources (HR), compliance, line-of-business leaders, executives and even the board of directors. Every group should work together toward the common goal of decreasing organizational risk. The executive sponsor is a critical role that supports and champions the program and aids in overcoming blockers. 

Step 2: Define your objectives 

The goal of an IRM program is to prevent an insider risk from becoming an insider threat. A risk becomes a threat when an individual in a position of trust harms the business, intentionally or unintentionally.  

Start by outlining what makes your organization vulnerable. This includes:  

  • Identifying risky insiders. Risky insiders can include employees with privileged access, contractors, Very Attacked People™, executives, employees on a performance plan and many others. (Note: Risky users will differ by organization.) 
  • Defining sensitive data. If you don’t know what sensitive data you have, you can’t secure it.  
  • Outlining compliance requirements. Certain laws and compliance rules are best met through a holistic IRM program that ensures privacy requirements are adhered to.   
  • Balancing business needs. Find the balance between business needs, security controls like data loss prevention, and end user productivity.  

Step 3: Identify your capabilities 

Before you can plan your program, you need to understand your current state. Your starting point is a critical assessment of your current capabilities, investments and insider risk program effectiveness level. This process can help you answer key questions like:  

  • Do we have the detection, response, analytics and prevention capabilities that we need? What are our limitations? 
  • Do we have visibility across channels, including email, endpoint, cloud, and web?   
  • What are our specific pain points or coverage gaps?  
  • How can we make the best use of our existing investments when we roll out a more comprehensive program?  

Step 4: Operationalize  

It is important to establish a security operations process for your analysts to react, triage and escalate through predefined channels. Clearly defined operational playbooks can help drive investigation and mitigation actions. 

Define the escalation process for working with HR, legal, compliance, executive leadership and the business. And be sure that there is a process by which the user base acknowledges and accepts the monitoring of risky behavior.
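To make Step 4 concrete using the departing-employee scenario from the opening of this post, here is an added illustration (my own example code, not Proofpoint’s product logic). It assumes a constructed HR notice feed, constructed endpoint/cloud file-access events, and a hypothetical playbook threshold of three sensitive downloads within 30 days of giving notice; the output is the escalation record an analyst would route to HR and legal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real): user -> date the resignation notice was given.
HR_NOTICES = {"jdoe": datetime(2024, 3, 1)}

# Constructed file events: (timestamp, user, action, path, classification, bytes).
FILE_EVENTS = [
    (datetime(2024, 2, 20), "jdoe", "download", "/strategy/q1-review.docx", "confidential", 1_000_000),
    (datetime(2024, 3, 4), "jdoe", "download", "/strategy/fy25-plan.pptx", "confidential", 8_400_000),
    (datetime(2024, 3, 4), "jdoe", "download", "/hr/holiday-calendar.pdf", "public", 200_000),
    (datetime(2024, 3, 5), "jdoe", "download", "/strategy/pricing-model.xlsx", "restricted", 2_100_000),
    (datetime(2024, 3, 5), "asmith", "download", "/strategy/fy25-plan.pptx", "confidential", 8_400_000),
    (datetime(2024, 3, 6), "jdoe", "view", "/strategy/board-deck.pptx", "confidential", 5_000_000),
    (datetime(2024, 3, 6), "jdoe", "download", "/strategy/customer-roadmap.pdf", "confidential", 3_500_000),
]

SENSITIVE = {"confidential", "restricted"}   # classifications defined in Step 2
WINDOW = timedelta(days=30)                   # hypothetical playbook parameters
THRESHOLD = 3


def flag_departing_downloads(notices, events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: [(timestamp, path, bytes)]} for users who gave notice and
    then downloaded at least `threshold` sensitive files inside the window.
    Downloads made before the notice, non-sensitive files, non-download actions
    and users who have not given notice are all left out."""
    hits = defaultdict(list)
    for ts, user, action, path, cls, size in events:
        notice = notices.get(user)
        if notice is None or action != "download" or cls not in SENSITIVE:
            continue
        if notice <= ts <= notice + window:
            hits[user].append((ts, path, size))
    return {u: evs for u, evs in hits.items() if len(evs) >= threshold}


def escalation_ticket(user, evs):
    """Build the record a playbook would hand to security ops, HR and legal."""
    return {
        "user": user,
        "use_case": "departing employee downloading sensitive data",
        "files": [path for _, path, _ in evs],
        "bytes": sum(size for _, _, size in evs),
        "route_to": ["security-ops", "hr", "legal"],
        "action": "preserve evidence; review access with HR and legal",
    }


if __name__ == "__main__":
    for user, evs in flag_departing_downloads(HR_NOTICES, FILE_EVENTS).items():
        print(escalation_ticket(user, evs))
```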

Step 5: Iterate 

Once your program is operational, you can continuously iterate and evolve it based on business needs. That includes taking the actions below.  

  • Develop goals and milestones to help grow the program intentionally instead of reactively 
  • Identify metrics based on agreed-upon milestones and the program’s growth  
  • Work with stakeholders to ensure that core business needs are being met and the program can scale 
  • Automate prevention and remediation so that analysts gain efficiencies and save time 

How Proofpoint can help 

Are you ready to build or enhance your IRM program? Most businesses don’t have insider threat expertise in-house. So, you may want to tap Proofpoint in your efforts to combat data loss and insider risk. We can provide guidance and expertise throughout your journey to design, implement and manage an effective IRM program.   

Learn about Proofpoint’s approach to human-centric programs with the information protection framework.