Struggles with Insider Risk Program Stakeholders
Inspiration and origin story of The Trade Secrets Network
Back in 2018, after years of rapidly expanding my analytical and technical skill sets, I had the opportunity to build an insider risk program for a globally recognized investment firm.
Like every good manager, I joined many of the well-known information-sharing organizations… yet I found it hard to apply what was discussed in those circles to what I was seeing in practice. That’s because many of these groups were hyper-focused on technology as the solution, instead of treating it as a tool. They wanted platforms, not people, to detect and respond to insider threats, and the talk often centered on that.
Insider risk management, at its core, is the mitigation of threats to the human in order to reduce the probability and impact of witting or unwitting harm by the human. Technology can provide additional visibility and guardrails, but the most effective strategies and solutions center on an employee’s holistic experience and relationship with the company.
Stakeholder biases
This truth is often at odds with the beliefs of the stakeholders that an insider risk program reports to and must partner with. That is because insider risk programs are often born from, and seen as, cybersecurity teams. A premium is put on technology skills and solutions over understanding human behavior and psychology. Those who do come into an organization with relevant, holistic backgrounds are still doubted by stakeholders, and often have little authority to do anything about it.
“Just let Legal and HR know when there’s an insider threat, pass over all the information, and they’ll take it from there”—that’s what they expect.
Stakeholders struggle to believe that an insider risk professional (especially one who sits within cybersecurity) is capable and qualified to do work that bleeds into their domains (like interviewing subjects, or assessing legal risk). Worse, stakeholders’ own policies and practices (performance management, technology controls) actively increase insider risk. They hold their information close to the chest, which results in incomplete investigations and missed opportunities for earlier intervention.
Hollywood expectations versus reality
Too many people expect (and secretly want?) insider threat investigations to play out like Law & Order episodes—to catch “bad people.” Inspiring vigilance and loyalty in employees through training and treating them well does not make for a compelling plot, even though it is the most effective one.
Stakeholders, living out their Hollywood dreams of sticking it to the criminal, seldom want to hold a mirror up to their organization and recognize how their own actions could be what creates those insiders in the first place, complicates investigations, and ultimately increases risk for the company.
These are tough dynamics and conversations for an insider risk program to navigate. Yet whenever we got together for one of these working groups, these issues went unmentioned. Maybe it was because of the affiliations of the working group sponsors (vendors and academic institutions), or an internalized belief that everyone else must have it figured out, so it wasn’t worth bringing up.
When I broached these thoughts at dinner with another insider risk program manager, the need for discourse on this and other topics became overwhelmingly apparent. We talked for HOURS, and could have gone on all night!
The Trade Secrets Network 1.0
The next time that colleague and I got together, we invited other practitioners. Then we convinced a vendor to sponsor the event, with very strict guidelines that it was not a sales forum. We fostered a community of honesty and trust among those who joined us, and drew in dozens of practitioners in the NYC area for really fun and thought-provoking discussions—dubbed “Sip & Strategize.” When the pandemic happened, we moved it online and invited people from all over to join us. By the end of 2020 we had hosted seven events and grown an email list to 70+ members.
Then… I stopped (sort of).
In 2021, I decided to broaden my focus beyond insider risk management and “took a sabbatical” (as I call it in hindsight) to explore information security leadership. Try as I might, nothing could stifle my passion for this subject matter. I continued to take part in conversations and contribute thought leadership in publications. I’ve also witnessed a shift in perception by companies that makes me optimistic insider risk programs will finally be empowered to do things right. Now that the divine energies of tech layoffs have put me in search of my next opportunity, it seemed like a serendipitous moment for The Trade Secrets Network to make its return.
What you can expect
With the return of The Trade Secrets Network, you can expect thought-provoking, status-quo-challenging posts just like this one from a variety of experienced practitioners in this space.
Later this fall we will be launching The Trade Secrets Network podcast, to include interviews with a variety of practitioners, allies, and experts.
And by popular demand, Sip & Strategize will return as a virtual event on a quarterly basis!
While much of the content for The Trade Secrets Network will be available through our free subscription, I kindly ask that you consider subscribing at a paid tier to support the hours of work that go into planning, creating, publishing, and promoting this content. Only paid subscribers will be invited to the Sip & Strategize events, which you definitely don’t want to miss!
If you have any feedback about topics you’d like discussed or things you’d like to see from The Trade Secrets Network, or you’d like to pitch for an article or the podcast, please email me at stacey@thetradesecrets.net