Implementing a Phased Approach


Time
36 minutes
Difficulty
Intermediate
CEU/CPE
1
Video Transcription
00:01
Mhm.
00:02
Yeah,
00:04
yeah,
00:06
yeah.
00:10
Insider threat covers a wide range of risks, and there are many resources or guides available to you.
00:18
Some may have a broader scope, and some may have a more sophisticated approach than you need for your organization,
00:26
Not only can these resources be overwhelming, but trying to build a comprehensive insider threat program, or ITP, all at once
00:36
may be a recipe for failure.
00:39
To help with this, clearly define a few phases in the maturity or capability of your program based on your objectives.
00:47
It's okay to start with the low-hanging fruit or the most basic use cases.
00:53
It's these initial phases that will help you test and refine your processes. So let's hear from Peter Hodja, Georgia, on how an incremental approach can help drive success.
01:07
Failure to launch. It could be the death sentence of a fledgling insider threat program.
01:11
But how does it happen? And how can you avoid the common mistakes that get people stuck?
01:17
A phased approach leads to incremental learning about a variety of important subjects.
01:22
First and foremost, you will learn about the priorities, use cases and organizational considerations that will have an impact on your program.
01:30
Those crown jewels you identified? Turns out no one else thinks they're important.
01:37
That great data feed that was going to tell you about all file activity?
01:41
Turns out that tool doesn't work and it's being decommissioned.
01:45
The great use case about fraud?
01:47
Turns out the Finance Department already has a fully baked solution for it.
01:52
These might be frustrating items to come across during a research and design phase of your program,
01:57
but wouldn't it be much worse to find out during your deployment phase, after a whole lot of costly and time-consuming decisions had already been made?
02:06
Avoiding costly errors in purchasing and tool selection.
02:10
Easier said than done.
02:13
It's easy to jump into a purchase when a particular vendor or security provider seems to have the magic bullet for insider threat.
02:22
Here at Code42, we feel like we have an excellent solution for many customers,
02:28
but we acknowledge that we don't do everything.
02:30
Success for both insider threat programs and security vendors is a result of good research,
02:38
transparency of needs and capabilities, and lots of planning and collaboration.
02:44
With a phased approach, you could be methodical in your vendor selection and ensure that you have a thorough understanding of technical requirements and dependencies.
02:54
It also gives you time to assess your current security stack and determine how to leverage existing investments
03:02
and identify complementary tools that will integrate well with current infrastructure.
03:08
So
03:09
what should you do when defining your phases?
03:13
Again, Peter.
03:15
Without getting too tied up in all the elements of a successful phased approach,
03:21
it's worth mentioning a couple of the elements that will help define and scope each phase.
03:25
Clearly defined success criteria and metrics.
03:30
The idea behind the phases is to more narrowly define what you need to accomplish and be hyper focused on those objectives.
03:38
You should try to be as specific as possible with measurable outcomes.
03:42
It's worth looking up the SMART goals method if you aren't familiar with it. Specific,
03:47
measurable,
03:49
attainable,
03:50
relevant and time-based. SMART.
03:53
Your success criteria should also include the milestones or benchmarks that must be met in order to proceed to the next phase.
04:01
Don't get ahead of yourself.
04:03
Being appropriately staffed and resourced.
04:06
Having clearly defined success criteria and metrics helps set expectations and requirements for staffing,
04:14
funding and other resources for each phase.
04:16
Many programs stall or fail because the scope of a fully baked ITP was way more than a small team with limited resources could ever handle.
04:28
Executive buy-in and support.
04:30
Don't forget your internal customers,
04:32
your executive sponsor and any other senior leaders. Stakeholders need to be fully aware of the phased approach, milestones and outcomes at each stage of the program.
04:44
Getting alignment here will pave the way for success.
04:46
It also helps when requesting help or when any unplanned deviations may occur.
04:53
Being able to show exactly where and why timelines are changing against a predefined timeline always helps leaders understand program needs and pain points.
05:03
Now that we know why we should use phases and how to prepare to define them,
05:09
what exactly should the phases be?
05:12
A lot is going to depend on your particular circumstances, resources and goals. However, there are some common phases you should consider.
05:21
Let's bring back Peter to look at some examples.
05:27
Addition of use cases.
05:29
This may be the most straightforward way to grow your program in a controlled way.
05:33
If your insider threat program will eventually be designed to look for a broad set of insider risk vectors
05:40
such as data exfiltration, fraud, sabotage, et cetera,
05:44
use these as de facto phases.
05:46
You could start with the use case that's most easily attainable given your current tools and available resources, or you could start with the most important use case.
05:56
Deployment of new tools.
05:57
You may be thinking about acquiring new security tools to support your program.
06:01
This is another aspect ripe for diligent planning.
06:04
You can use phasing in a number of ways as it relates to tech tools.
06:10
For example,
06:11
start with existing tools and add net new tools over time.
06:15
Or acquire a new tool right away and deploy it incrementally.
06:20
Roll in your employee population gradually over time.
06:25
If you're looking at data, consider your source systems.
06:28
Maybe you can add those to your program piece by piece.
06:31
Integration of other stakeholders.
06:34
First impressions matter. If you're going to be engaging stakeholders to support your program, you may want to ensure your processes and tools are in a good state to inspire confidence and enable good coordination with others.
06:48
Trying to build a comprehensive insider threat program all at once
06:54
may be a recipe for failure.
06:57
With a phased approach, you can deploy and learn in a way that doesn't overwhelm and will prevent costly missteps.
07:04
By having clearly defined success criteria and metrics, being appropriately resourced and staffed, and with executive buy-in and support,
07:15
you should be able to phase your approach in a way that suits your circumstances and goals.
07:21
Take the time to thoughtfully roll out your insider threat program and you'll be rewarded with success.
07:30
And that sounded like a terrible motivational poster, and Kyle's probably going to
07:38
Thanks so much.