Organizational culture cannot be regulated into existence. Is your company's insider threat program looking for bad apples or bad barrels?
The importance of effectively managing insider threat and conduct risk cannot be overstated. Yet most businesses and agencies underestimate the need for alignment of people – management and leadership – to understand what they are agreeing to when the business sets up an insider threat program. Security and risk officers must establish foundational areas of management cohesion and agreement – or risk wasting the program investments.
Today’s companies face immeasurable enterprise-level challenges related to insider threats. These threats must be managed across multiple service and business verticals, and their respective security teams. Each business unit has unique work and security cultures that must comply with known risks, defend against emerging risks, and optimize for unknown risks.
Alongside these, mission support functions engage with each business line in different ways, and simultaneously with individual employees daily, weekly, and annually. Understanding these internal, as well as customer frontline, touchpoints can reveal new insights to enterprise executives about insider threat and culture.
For some organizations, the resulting impact of any past breaches has not been significant enough to damage their brand, infrastructure, or the livelihood of individual employees.
However, given the current environment, for an organization’s brand, and the scale of their enterprise, now is the time for an enterprise-wide technical and cultural assessment and approach to risk mitigation, especially for security threats. The emphasis on culture here is imperative, as technical solutions to insider threat awareness and prevention are only part of the opportunity.
The Clearing’s Value Proposition
We stand for integrated communications which engender an enthusiastic and contagious grassroots movement for a culture of safety and security. Given the risk level that organizations face today, our assessment and design for effective adoption includes:
- A holistic view of the insider threat profile, enterprise-wide and by key business line
- A detailed assessment of key issues, including areas where the multiple security organizations are struggling to identify and strengthen existing synergies; recommendations will identify new areas of safety and security collaboration
- System models of how information, people, and money flow, for business use cases
- Core team alignment on definition, scope, and key business-driven milestones expected within 18-24 months
- Development of insider threat policy and/or recommended changes to current policy
- Case management support customized to support goals
- Communications and change strategy roadmap to define the culture of safety and security that the enterprise wishes to achieve, including the role of the insider threat program within that context
The Clearing’s Methods
Our methods include techniques for assessing culture, including how information and decisions in one area of the business may increase risk in another part. In response to our detailed assessment of the necessary requirements and culture, we propose a human-centered approach to engaging employees in threat prevention and management.
The degree of risk involved in scaling growth has yet to be calculated at an enterprise level. We facilitate collaborative working group discussions about an enterprise’s risk. For large organizations, diverse risk factors need to be detailed for each unit, even as there are universal threats against an organization’s data, people, assets, liquidity, and freedom to innovate.
Leaders can have the tough and critical enterprise-level conversations about consequences and behavioral shifts required to address the fewest, most important interventions for universal security and employee safety.
Together we help leadership teams galvanize CONSENSUS around the fewest and most important standards and norms which an organization’s full community must adopt to reduce the company’s risk profiles.
- 31% of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
- Since the financial crisis, the banking industry has paid an estimated US$350 billion to US$470 billion in penalties (including fines and litigation/settlement charges) for conduct-related matters, evidence that these so-called soft people issues can significantly impact the bottom line. (G30)
- The average cost of a malware attack on a company is $2.4 million. (Accenture)
- The average cost in time of a malware attack is 50 days. (Accenture)
- 21% of all files are not protected in any way. (Varonis)