Now that the federal government and national industrial security partners have had a few years to think about, experiment with, argue over and research the perfect insider threat program, virtually all have reached the same conclusion: there’s actually no such thing as a perfect insider threat program. It’s also easy to conclude there’s no “one size fits all” insider threat program. One is tempted, therefore, to determine that the best course of action is to tap the brakes on full program implementation until someone else figures it out. But with EO 13587 and NISPOM Conforming Change 2 mandates, that’s obviously not an option.
There’s no doubt a fully effective insider threat program is very difficult to develop. I liken it to a hundred-piece jigsaw puzzle someone dumps on a table, then takes away the box with the picture on it. You know all the pieces are there; you just don’t know which pieces fit with the others, nor do you necessarily know what the big picture is supposed to look like once it’s fully assembled.
An effective insider threat program has many possible pieces: facilities access records, onboarding documents, counterintelligence reports, user activity monitoring, overseas travel activities, legal and privacy oversight, financial and public records, and many more, all of which require a sustained effort to manage cohesively.
The National Insider Threat Task Force (NITTF) and the National Industrial Security Program Operating Manual (NISPOM) are two excellent sources for how government and industry partners can implement an effective insider threat program. They both give you a partial view of what your “insider threat puzzle” could look like at full program implementation.
Perhaps the most important aspect of an effective program – organizational and program leadership – is left up to the customer. What’s your organizational culture now and what do you want it to be at full program implementation? How do you juggle individual 4th Amendment rights with organizational (and even national) security concerns? How do you know you’re complying with existing laws that regulate the use of external data, like financial and public records, to support your program?
Insider Threat Program leadership and legal considerations are but two of the topics we’ll explore in Washington, D.C., on May 10 at the Insider Threat and Continuous Evaluation forum hosted by TransUnion and facilitated by the Insider Threat Alliance. We welcome your thoughts and ideas on how your organization is building out its insider threat program and will consider them for future insider threat-related blogs.
In the meantime, keep looking at those pieces and figuring out how they all fit together for your organization. The picture is becoming clearer with each discussion, and continued public-private engagements will only enable better and more innovative solutions in the near term.