You’ve identified an employee is stealing business critical information. What now? Who needs to know? Who can take action? Is this a CEO issue or an HR issue?
Too late. “Time wasted, in the case of insider threats, results in more data lost or damaged,” says Keith Lowry, a former Pentagon chief of staff now head of business threat intelligence and analysis at Nuix.
A lack of clear authority to act on insider threats is leading to disastrous results, Lowry says, and the resulting bureaucratic fumble means malicious actors are getting away with it.
“How many CIOs and IT leaders are prepared to take on personnel issues about somebody who’s caught doing something wrong inside a company?” Lowry asked journalists in Sydney last week. “They all say that’s not my job, I just present the facts, it has to go someplace else. But when a threat demands an immediate reaction, untimely or unnecessarily delayed responses create confusion and failure.”
Lowry knows a thing or two about insider threats. He led the Edward Snowden counterintelligence damage assessment team and was a lead investigator into Chelsea Manning. Before joining Nuix he managed counterintelligence and insider threats at one of the world’s biggest intellectual property honeypots; the US Food and Drug Administration.
At the FDA, he was the authority to act. As he remembers: “I didn’t have to ask permission for anything.”
Lowry recommends an insider threat program is put in place after leadership-wide consultation, with authority appointed to its lead to act when necessary.
“The policy development of a program has to begin with all these players in mind; you’ve got to bring in legal, chief council, HR administration, the CISO, the CSO. Everybody has to come together and realise they all play an extremely important role,” says Lowry.
“But when somebody is penetrating the inside, all of a sudden, it gets elevated to a person who can go anywhere without restriction. We need one overarching person who has the authority and advocacy of the organisation and take this [insider threat] event wherever it goes.”
Giving this authority to a suitable person is one of the most “difficult hurdles to overcome” for many organisations, adds Lowry.
“By withholding authority, senior leaders also often fall into the trap of attempting to manage matters that are beyond their ability or capacity to handle,” he says. “Waiting for a senior official to return from leave or hearing they are ‘too busy’ to chat about something incredibly timely and important inhibits every effort to combat insider threats.
“I don’t pretend that [the insider threat program lead] should replace a CISO or CIO because they all have very important roles and functions. But what happens in these cases is the events span all of those pieces and nobody is prepared to take it on and look at it from a holistic approach. What happens is people are then stymied in their ability to be agile enough to cross all of the boundaries at once.”
The issue with many organisations’ approach to insider threats to date has been their perception of the risk as a technology problem, says Lowry.
“We have forgotten the essence of people in all of this,” he says. “It’s about people using technology. It’s not about technology by itself. Too many people focus on the fact that it’s all technology and therefore the answer to it must be a piece of technology.”
For that reason, the insider threat program head must report directly to the CEO or COO, says Lowry.
“It cannot be something that’s relegated and put into the IT department,” he says. “Not that the IT department is unimportant, but the minute you put responsibility for blocking individuals underneath a technology department all of a sudden it becomes a technology problem instead of a person problem.”