The ever-evolving nature of insider risk management (IRM) has raised the question of where the program should sit within an organization to maximize its effectiveness. The answer seems clear: the program should reside within the information security function. At a recent Insider Threat Summit, attendees agreed that the information security department is best equipped to handle the task, as it is where all data resides. The focus of an IRM program varies with where it is situated within the organization: IT/Infosec/CISO ownership carries a technology-forward bent, HR or legal ownership has a more human bent, while physical security places an emphasis on the physical facilities.
In a study of 18 industry organizations, MITRE found that insider risk programs were owned by general counsel or the legal department, human resources, information security, security and/or threat management, or risk management. The choice is still important as it impacts the program’s mission, access, and priorities.
According to Joe Payne, CEO of CODE42, an IRM program should have a “leadership team of CISO, chief of HR, and general counsel.” Although more than half of IRM programs report directly to a member of the C-suite, CEOs would prefer positive messaging around these programs, as they do not want to project negativity toward their employees. CISOs also do not enjoy monitoring their colleagues, which has led to the idea of spreading ownership of IRM programs.
A close-knit collaboration between the legal, HR, and information security teams is essential regardless of where the IRM program resides. The provision of facts and evidence in a consumable and easy-to-understand fashion is key to the success of an accurate investigation when time is of the essence.
An IRM team reporting to legal can earmark each case as having a sponsor – the entity that is levying the charges. The IRM team can then pull in resources from IT/infosec, security, finance, etc. to acquire the facts and evidence. This approach filters out bias and results in a consistent playbook in addressing each and every investigation.
The bottom line is this: if an organization is going to accuse an employee of stealing data, it needs to do so with a high degree of confidence based on facts. IRM programs should be handled by a team that can work collaboratively and efficiently to acquire and analyze data. By leveraging the strengths of various departments, IRM programs can minimize risk and protect an organization’s sensitive data and assets.
