Security chiefs must first get employees on board if they want to deliver effective insider risk programs, experts argued today at Infosecurity Europe.
On day two of the cybersecurity conference, Donna Goddard, head of security engineering at Adarma Security, argued that transparency is key to the success of such initiatives.
Security leaders should reframe the role of such programs to one in which the employee gains something of value, she said. This could be security expertise that ultimately helps an individual avoid committing a sackable offense, or new behaviors that help safeguard the employee's own personal information.
“It’s as much about protecting the employees as protecting the company,” she argued. “When they have confidence in you, they may actually proactively come to you with issues.”
Proofpoint’s resident CISO, Andrew Rose, added that all individuals involved in incidents should be presumed innocent from the start. This is especially important because it can be challenging to determine initially whether a DLP event was deliberate or accidental, particularly when staff continue to change their ways of working in a drive for agility and efficiency.
Goddard argued that the key here was to “put objectivity around the processes” and derive as much contextual information as possible to arrive at the right decision.
It’s also important to ensure the right people are engaged in dealing with data loss/insider risk incidents, she added.
“People in the SOC don’t necessarily have the right skill sets for this kind of work,” she argued. “Is it a good use of a SOC analyst to fix what are essentially broken business processes? The data owners should be doing that.”
Rose added that if an incident was motivated by malice rather than being the result of insider negligence, SOC analysts may also risk destroying evidence needed for a subsequent court case, because of their focus on neutralizing the threat at all costs.