24 September 2017

OSAC: The Insider Threat...

In November 2007, the "Insider Threat" was on the minds of Global Security Executives, as evidenced by a half-day emphasis on the current trends and issues. We wonder what will have changed over a decade later, at the 2017 OSAC Annual Briefing.

In any global enterprise doing business across multiple continents, with a diverse workforce of expats and country nationals, you can bet on being consistently subjected to the operational risks instigated by people. Fraud, embezzlement, conflicts of interest, economic espionage, workplace violence and schemes to disrupt the business are the norm.

In a converging organization with outsourced services around every corner, the enterprise becomes more disjointed and incapable of sustaining a continuous level of readiness for the next organized plot by the insider.

So back to square one. Keep an eye on your employees, contractors and suppliers. Run those new employee awareness sessions and lock down the access to sensitive corporate assets. Now do it again with the same budget we gave you last year!

You can just see these great patriots from all over the world searching for the answer to their continuous woes as Global Security Directors. It's a thankless position, and severely underfunded at a time when the threats are increasing exponentially.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s Operational Risk Management (ORM) solution programs:

1. Dependence on inadequate and incomplete technology-based point solutions;

2. Failure to integrate people, process and systems into an effective and comprehensive operational risk program;

3. Lack of adequate decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;

4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and

5. Cost and shortage of properly skilled IT personnel to support the programs.

The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:

  • Is your policy enforced fairly, consistently and legally across the enterprise?
  • Would our employees, contractors and partners know if a violation was being committed?
  • Would they know what to do about it if they did recognize a violation?

If you don't know the answers to these questions, then there is much more work to do and much more strategic planning necessary before any software or system is implemented for Operational Risk Management.

Perhaps it is time for the Private Sector to get serious about the "Insider Threat." The U.S. Department of Defense has been on point with the issue now for years:

The Defense Department is preparing to add 500,000 employees to its continuous evaluation pilot by Jan. 1 as part of DoD’s effort to add rigor to the security clearance process.

Daniel Payne, the director of the Defense Security Services, said Sept. 20 that the additional half-million employees would bring the total uniformed and civilian employees enrolled in continuous evaluation to 1 million. There are more than 4.3 million cleared employees and service members across the government, including 1.3 million at the top-secret level, according to the Office of the Director of National Intelligence’s 2015 report.

Yet, in the back of everyone's mind is still the possibility of being connected with a significant terrorist incident. What these CxOs are looking for is the means to gain a larger budget for their departments and to be able to invest in new "Insider Threat" technologies and tools.

Human behavior will always be the center of the controversy on whether these new systems will be able to mitigate the insider threat any more efficiently or effectively...
