17 August 2014

Insider Threat: CSO Priorities...

If you are the CSO of a Fortune 50 company these days you have a few top of mind Operational Risk Management (ORM) priorities. There is only so much you can do with the resources you have been given, to preempt attacks on your enterprise regardless of the origin, internal or external. The time and resources for exercising plans and testing contingencies are getting more scarce. So where and how do you apply your knowledge and priorities to gain the most effective results?

In alphabetical order, here are some of the known attack methods to bring severe economic and human losses to bear on your business and the homeland:
  • Aircraft as a weapon
  • Biological Attack: Human Disease, Livestock, Crop
  • Chemical Attack
  • Cyber Attack
  • Food or Water Contamination
  • Hostage Taking
  • Improvise Explosive Device (IED)
  • Maritime Vessel as a Weapon
  • Nuclear Attack
  • Radiological Dispersal Device
  • Standoff Weapons: Guided
  • Standoff Weapons: Unguided
  • Vehicle-Borne Improvised Explosive Device
Now one could discuss the probability of each of these threats to determine the best strategies for preparing for one vs. another. More importantly, you could group these into clusters so that investing in prevention and preemption activities and tools would impact more than one attack method. Yet as you analyze your own specific critical infrastructure assets in your enterprise, you will then see those attack methods that will have the greatest affinity for that location or type of asset.

It is well known that the private sector owns and operates a majority of these critical assets for national security, now estimated around 85%. If you look at the list of known attack methods and realize who is "perceived" to be responsible for protecting these assets, the problem becomes more clear. The private sector expectation that the government or public sector is going to protect the critical assets that the private sector owns is the going logic. How far from the truth and reality could this perception be today?

As the Chief Security Officer (CSO) of a Fortune 50 company you no doubt have already cataloged your facilities and sub-categorized the assets within each of these facilities. You have included the "Intellectual Property" (IP) considerations for each location such as key people, R&D, Engineering, Software Development and others. You understand the value of these tangible and intangible assets as it pertains to the survivability of your organization. You have already developed the systems to recognize the moves, adds and changes to these facilities and assets so the portfolio of critical infrastructure and intellectual assets is up to date in real-time.

For many of you the last big push was to make sure that the Continuity of Operations and BCP Plans or Disaster Recovery strategies are in place to provide the peace of mind for "What if" scenarios. Your off site hot back-ups and mirrored data are functioning perfectly. The exercises have told you that operating these plans when the time comes will be touch and go but you are confident that you will get through it.

Now let's go back to our original question. So where and how do you apply your knowledge and priorities to gain the most effective results?

Your worst enemy now is your perception that the government is there to protect you first and to keep your private sector assets safe before the company next door or across the street. Your complacent attitude towards sharing vital information with the public sector authorities in your city, county and region is where you have your greatest vulnerability. How can these people who serve the local, state and federal agencies know anything about what is valuable to you if you don't tell them?

You see, it doesn't matter what your adversaries utilize as the their favorite attack method to do you harm. Of course they will want to use the ones that will have the most economic impact on our nation and it's people. Yet, without the continuous exchange of information flow from the private sector to those government officials, your business is just another casualty waiting to happen.

So if the government is working on the external threat through the Department of Homeland Security (TSA), Border Patrol, Coast Guard, CERT and the FBI on Counter Terrorism, Counter Intelligence and Cyber Crime what should you the CSO at your Fortune 50 company be focused on? The Insider Threat. Pure and simple.
“An individual with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”
  • Due to a lack of hard data, threat definition remains difficult;
  • While education and awareness can be provided, cultural change remains more difficult and requires: 
  • Investment in structured programs and risk management; 
  • Corporate culture where trust does not run counter to prevention programs; and 
  • Improved workforce communication and cooperation so targeted efforts can address insider threats
  • Use of background checks varies among sectors and are not universally accepted; regulation is controversial; and
  • Multiple legal environments complicate Insider Threat mitigation strategies, not only domestically, between Federal, State, local jurisdictions, but also and more significantly, for those companies operating in multinational environments, complicating cohesive or comprehensive policy efforts.
The Insider Threat is real and requires continuous vigilance across the private sector. Secondly, the interface with your local first responders and law enforcement should be established early and often. Establish your own "Homeland Watch" mechanisms in your business park or metro area mapped to the local fire and police substations. Understand and get to know how they prioritize their response and investigations of suspicious activity and how it could impact you.

Finally, get very familiar with the NIPP. It could be your key to better understanding the mindset of the public sector and safeguarding your corporate assets.

No comments:

Post a Comment