It’s become almost impossible to ignore the rapidly growing problem of insider risk. Employees are 85% more likely to leak or lose data than pre-pandemic, and the typical organization is experiencing 13 data exposure events per user, per day. It’s also painfully clear that conventional data security tools like data loss prevention (DLP) and cloud access security broker (CASB) just can’t handle the challenge. These old tools aren’t effectively stopping data loss — and their rigid, over-zealous blocking is impeding productivity and collaboration that’s critical to the business. More and more organizations recognize they need to do something different about growing insider risk. But the key questions are what — and how?
Radical change doesn’t have to be difficult
Organizations need a smarter approach to data protection that addresses the complexity and nuance of insider risk. Gartner has recognized the new category of Insider Risk Management (IRM). IRM is a fundamental paradigm shift in the way an organization thinks about insider risk and data protection — from a black-and-white view of threats that must be stopped, to the deeply nuanced view of risks that must be managed effectively. Here, we offer five steps to shift to IRM.
Step #1: Identify where your risks are.
You can’t manage what you can’t see. Gaining broad and deep visibility across all data activity is the first step in making the shift to an IRM approach. The typical organization today has big blind spots, often around remote devices, off-network activity and unauthorized shadow IT apps. You need to start by charting out what you don’t know — all of these blind spots — in order to ensure that the tools and technologies you put in place give you the visibility to bring all data activity into the light.
Step #2: Determine your risk tolerance.
A core part of IRM is the move from a conventional “risk prevention” model to the more modern “risk tolerance” paradigm for data security. Today, nearly every organization acknowledges it must tolerate some level of insider risk in order to enable the agility, speed and innovation required to survive and thrive in the current business climate. To effectively prioritize and rapidly respond to insider risks, the security team needs to define or rank the severity of the high-risk events already on your list — and ensure they have the technical ability to detect and respond when these high-risk incidents occur. Some of the most common high-risk events include things like moving source code to thumb drives or exfiltrating Salesforce reports, but the risk indicators will be unique to your organization.
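To make the “risk tolerance” idea in Step #2 concrete, here is an added example that is not part of the original post and does not represent any vendor’s product logic. It scores constructed file-movement events by what was moved and where it went, then applies an organization-defined tolerance threshold to decide which events warrant a response and which are simply logged. The event fields, weights, destination categories and the 50 MB “bulk” bonus are all assumptions chosen for illustration; a real program would tune them to its own risk indicators.

```python
import os
from dataclasses import dataclass


# Constructed sample telemetry, not real data. Each record is one observed
# file movement as a detection pipeline might receive it.
@dataclass(frozen=True)
class FileEvent:
    user: str
    filename: str
    destination: str  # e.g. "removable_media", "personal_cloud", "corporate_sharepoint"
    size_bytes: int


# Hypothetical content classes and destination categories. The weights encode
# the organization's own severity ranking (Step #2), not a universal standard.
SOURCE_CODE_EXTS = {".py", ".java", ".go", ".c", ".cpp", ".rs", ".js"}
REPORT_EXTS = {".csv", ".xlsx"}
DOC_EXTS = {".docx", ".pdf", ".pptx"}

CONTENT_RISK = {
    "source_code": 3,  # e.g. source code copied to a thumb drive
    "crm_report": 3,   # e.g. exported Salesforce reports
    "report": 2,
    "document": 1,
    "other": 0,
}
DESTINATION_RISK = {
    "removable_media": 3,
    "personal_cloud": 3,
    "personal_email": 3,
    "corporate_sharepoint": 0,
    "corporate_cloud": 0,
}
UNKNOWN_DESTINATION_RISK = 2  # unsanctioned / shadow IT destinations are a blind spot
BULK_THRESHOLD_BYTES = 50_000_000


def classify_content(filename: str) -> str:
    """Map a filename to a content class using its extension and name."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in SOURCE_CODE_EXTS:
        return "source_code"
    if ext in REPORT_EXTS:
        return "crm_report" if "salesforce" in filename.lower() else "report"
    if ext in DOC_EXTS:
        return "document"
    return "other"


def score_event(event: FileEvent) -> int:
    """Additive severity score: destination risk + content risk + bulk bonus."""
    dest = DESTINATION_RISK.get(event.destination, UNKNOWN_DESTINATION_RISK)
    content = CONTENT_RISK[classify_content(event.filename)]
    bulk = 1 if event.size_bytes >= BULK_THRESHOLD_BYTES else 0
    return dest + content + bulk


def triage(events, tolerance: int = 5):
    """Return (event, score, action) tuples, highest score first.

    Events at or above the tolerance threshold get a "respond" action; the
    rest are "log" only, which is the tolerated risk the passage describes.
    """
    scored = []
    for ev in events:
        score = score_event(ev)
        action = "respond" if score >= tolerance else "log"
        scored.append((ev, score, action))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed events illustrating the spectrum from clear exfiltration to
# routine collaboration.
SAMPLE_EVENTS = [
    FileEvent("alice", "billing-service.py", "removable_media", 120_000),
    FileEvent("bob", "salesforce_q3_pipeline.csv", "personal_cloud", 8_000_000),
    FileEvent("carol", "roadmap.docx", "corporate_sharepoint", 300_000),
    FileEvent("dave", "vacation.jpg", "removable_media", 4_000_000),
    FileEvent("erin", "customer_list.xlsx", "unknown_sync_app", 90_000_000),
]


if __name__ == "__main__":
    for ev, score, action in triage(SAMPLE_EVENTS):
        print(f"{action:7} score={score} {ev.user} {ev.filename} -> {ev.destination}")
```

The tolerance argument is the knob the passage talks about: raising it reduces the number of events that trigger a response (fewer interruptions to legitimate work), lowering it catches more but at the cost of noise. Because the score is additive, a benign destination such as corporate SharePoint can never push a routine document over the threshold, while high-value content going to removable media or personal cloud storage lands at the top of the queue regardless of size.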
Step #3: Create, publish and promote data use governance policies.
We all know that users do not reliably and consistently follow policies. It’s essentially the root of the insider risk problem. But, viewed from the user point of view, the problem is that policies don’t address the realities of how they work today. In other words, because most organizations have huge blind spots in terms of how users are actually moving data, their policies don’t even begin to provide useful guidance on “safe” use. You need to create modern data use governance policies that account for the real use patterns you can now see clearly. Effective policy should go beyond a list of approved (and unapproved) apps. You should provide helpful, relevant guidance and basic best practices for how users can generally navigate the movement of data in the cloud, on remote devices and on- and off-network — safely.
Step #4: Work with business partners to streamline, automate & accelerate risk response.
IRM is an approach that requires buy-in from more than the security team. This stakeholder engagement is key in defining and prioritizing insider risks — business unit leaders are the ones who know best what is most critical, sensitive and valuable to the organization. But it’s also essential to driving effective response when risk does occur. The goal is to move away from ham-fisted blocking. Taking a more nuanced, right-sized approach often means bringing in business partners from HR, Legal and IT to drive that right-sized response.
Step #5: Set goals and measure success criteria.
For the shift to IRM to be successful, you need to define what success will look like. That goal-setting process should start at a more abstract level: define your key business-wide objectives and connect them with how insider risk impacts or impedes them. Then, go deeper and establish metrics that you can use to monitor, report on and ultimately define progress toward your goals. These metrics will help you show key stakeholders, all the way up to the C-suite and board of directors, that your IRM program is driving tangible change and measurable value that directly aligns with top-level business objectives like productivity, speed to market, brand reputation and even revenue and growth.
When you see insider risk, you can’t look away
There’s no doubt that making a major change in the way you think about and respond to insider risk is daunting. For organizations that have made this transition, taking that first step — seeing their insider risk in its full breadth and depth — kickstarts and accelerates the entire process, helping them define their goals, prioritize their biggest risks, and get buy-in up and down the chain. Because when you see just how big your insider risk really is, it’s hard to look away.