Insider threat covers a wide range of risks, and there are many resource is or guides available to you.
Some may have a broader scope, and some may have a more sophisticated approach than you need for your organization,
Not on Lee. Can These resource is be overwhelming, but trying to build a comprehensive insider threat program or I t P all at once,
maybe a recipe for failure
to help with this clearly define a few phases in the maturity or capability of your program based on your objectives.
It's okay to start with the low hanging fruit or the most basic use cases.
It's these initial phases that will help you test and refine your processes. So let's hear from Peter Hodja, Georgia, on how an incremental approach can help drive success.
Failure to launch it could be the death sentence of a fledgling insider threat program.
But how does it happen? And how can you avoid the common mistakes that get people stuck?
A phased approach leads to incremental learning about a variety of important subjects.
First and foremost, you will learn about the priorities, use cases and organizational considerations that will have an impact on your program.
Those crown jewels you identified turns out no one else thinks they're important,
that great data feed that was going to tell you about all file activity.
Turns out that tool doesn't work and it's being decommissioned.
The great use case about fraud
turns out the Finance Department already has a fully baked solution for it.
These might be frustrating items to come across during a research and design phase of your program,
but wouldn't it be much worse to find out during your deployment phase after Ah, whole lot of costly and time consuming decisions had already been made,
avoiding costly errors and purchasing and tool selection?
Easier said than done.
It's easy to jump into a purchase when a particular vendor or security provider seems to have the magic bullet for insider threat.
Here it code 42. We feel like we have an excellent solution for many customers,
but we acknowledge that we don't do everything.
Success for both insider threat programs and security vendors is a result of good research,
transparency of needs and capabilities, and lots of planning and collaboration.
With a phased approach, you could be methodical in your vendor selection and ensure that you have a thorough understanding of technical requirements and dependencies.
It also gives you time to assess your current security stack and determine how to leverage existing investments
and identify complimentary tools that will integrate well with current infrastructure.
what should you do when defining your phases
Without getting too tied up in all the elements of a successful phased approach,
it's worth mentioning a couple of the elements that will help define and scope each phase
clearly defined success, criteria and metrics.
The idea behind the phases is to more narrowly define what you need to accomplish and be hyper focused on those objectives.
You should try to be as specific as possible with measurable outcomes.
It's worth looking up the smart goals method, if you aren't familiar with it. Specific,
relevant and time based. Smart.
Your success criteria should also include the milestones or benchmarks that must be met in order to proceed to the next phase.
Don't get ahead of yourself
being appropriately staffed and resourced.
Having clearly defined success, criteria and metrics help set expectations and requirements for staffing,
funding and other resource is for each phase.
Many programs stall or fail because the scope of a fully baked I D P was way more than a small team with limited resource is could ever handle
executive buy in and support.
Don't forget your internal customers,
your executive sponsor and any other senior leaders. Stakeholders need to be fully aware of the phase approach, milestones and outcomes at each stage of the program.
Getting alignment here will pave the way for success.
It also helps when requesting help or when any unplanned deviations may occur,
being able to show exactly where and why. Timelines. Air changing against a pre defined timeline always helps leaders understand program needs and pain points.
Now that we know why we should use phases and how to prepare to define them,
what exactly should the phases B?
Ah lot is going to depend on your particular circumstances. Resource is and goals. However, there are some common phases you should consider.
Let's bring back Peter to look at some examples.
Addition of use cases.
This may be the most straightforward way to grow your program in a controlled way.
If you're insider threat program will eventually be designed to look for a broad set of insider risk vectors
such as data exfiltration, fraud, sabotage, etcetera.
Use these as de facto phases.
You could start with the use case that's most easily attainable. Given your current tools and available resource is, or you could start with the most important use case
deployment of new tools.
You may be thinking about acquiring new security tools to support your program.
This is another aspect ripe for diligent planning.
You can use phasing in a number of ways as it relates to tech tools.
start with existing tools and add net new tools over time.
Or acquire a new tool right away and deploy it incrementally
Role in your employee population gradually over time.
If you're looking at data, consider your source systems.
Maybe you can add those to your program piece by piece.
Integration of other stakeholders.
First impressions matter. If you're going to be engaging stakeholders to support your program, you may want to ensure your processes and tools are in a good state to inspire confidence and enable good coordination with others
trying to build a comprehensive insider threat program all at once.
Maybe a recipe for failure
with a phased approach. You can deploy and learn in a way that doesn't overwhelm and will prevent costly missteps
by having clearly defined success, criteria and metrics being appropriately resourced and staffed and with executive buy in and support,
you should be able to phase your approach in a way that suits your circumstances and goals.
Take the time to thoughtfully roll out your insider threat program and you'll be rewarded with success.
And that sounded like a terrible motivational poster, and Kyle's probably going toe