Insider Risk Management Programs Require Critical Thinking, Training, and a Culture of Trust

Understanding human vulnerabilities is one lesson in the strategic process of building insider risk management programs that work, and truly understanding those vulnerabilities means establishing a culture of empathy and trust within an organization. With threats ever-present, chief security officers need to understand both what is at stake and what makes such a program succeed.

In a recent cyberattack that sent shockwaves through the gaming industry, the renowned resort and casino MGM Grand in Las Vegas fell victim to the ransomware group ALPHV, also known as BlackCat. Using a social engineering call that took a mere 10 minutes, the group gained access to MGM’s systems by identifying an employee through LinkedIn and deceiving the Help Desk into acting on the impersonation. The breach, which disrupted operations across multiple MGM Resorts International properties in the U.S., underscores the vulnerabilities even large corporations face and is a stark reminder of the escalating threats in the digital age. The need for effective insider risk management programs has never been more evident.

At the Global Security Exchange’s GSX 2023 event in Dallas, Texas, Christopher Burgess, a former intelligence community professional and longtime security industry writer and consultant, spoke at a session on “The Trusted and Valued Insider (Threat)”. Burgess broke down his session, which focused on several critical elements of building a solid insider risk management program.

Christopher’s Thoughts

“When you’re dealing with insider risk management, the individual is valued, and we must be absolutely sure before we go about saying this person is doing this in a malevolent manner. We have to show benevolence in our investigations because you’re dealing with people’s lives.

I began my session by posing a few questions to my audience. Firstly, I inquired about the number of attendees who had a working insider risk management program. About half the audience responded positively. When asked about the success of their programs, all hands remained raised. However, when questioned about false positives in their programs, where individuals were wrongly identified as risks, about half raised their hands. This was the crux of my presentation. It’s essential to understand that individuals often act benevolently, trying to do their best. Sometimes, they might deviate from the norm, not out of malice, but due to poor judgment or understanding.”

The Importance of Transparency

“Transparency is crucial in monitoring and surveillance. Employers should be open about the tools they use, their purposes, and their methods. This transparency builds trust and ensures that employees understand the reasons behind such surveillance.”

Pseudonymization vs. Anonymization

“I delved into the topic of pseudonymization, distinguishing it from anonymization. While anonymization ensures that one cannot trace back to the individual responsible for an action, pseudonymization allows for a level of traceability. This method ensures unbiased analysis while maintaining a degree of privacy.

Toward the end, I discussed the structure of an insider risk management program. Where such a program sits within a company can significantly influence its operation. I touched upon various departments like risk management, IT, InfoSec, HR, physical security, and legal. Personally, I believe such a program should reside within the legal department.”
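The pseudonymization versus anonymization distinction Burgess draws, as an added example that is not part of the article or his session: a keyed HMAC gives analysts one consistent token per employee with the name never shown, the key stays with a separate holder (for instance the legal department, where Burgess would place the program) who can re-identify a token only when a review warrants it, while anonymization drops linkability entirely. The employee ids, roster and monitoring events are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample monitoring events (employee id, action); not from the article.
EVENTS = [
    ("e.smith", "bulk_download"),
    ("j.doe", "login"),
    ("e.smith", "usb_attach"),
    ("e.smith", "after_hours_login"),
]
ROSTER = ["e.smith", "j.doe", "a.lee"]  # constructed HR roster

def token_for(ident, key):
    """Keyed HMAC rather than a bare hash: without the key nobody can replay
    the roster to unmask tokens, so the key holder controls re-identification."""
    return hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(events, key):
    """Same person -> same token, so analysts can still correlate behaviour."""
    return [(token_for(ident, key), action) for ident, action in events]

def anonymize(events):
    """Fresh random token per event: nothing links events to a person or to each other."""
    return [(secrets.token_hex(8), action) for _, action in events]

def events_per_subject(events):
    """The analyst's view: flagged actions per subject, names never shown."""
    return Counter(subject for subject, _ in events)

def reidentify(token, roster, key):
    """Key holder resolves a token only once a review warrants it; None if no match."""
    for ident in roster:
        if hmac.compare_digest(token_for(ident, key), token):
            return ident
    return None

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pseudo = pseudonymize(EVENTS, key)
    print(events_per_subject(pseudo))             # two subjects, one with 3 events
    print(events_per_subject(anonymize(EVENTS)))  # four unrelated subjects
    top = events_per_subject(pseudo).most_common(1)[0][0]
    print(reidentify(top, ROSTER, key))           # e.smith, after key-holder review
```

Without the key the same roster lookup returns nothing, which is the control that keeps the pseudonymized view unbiased for analysts yet traceable for the investigation.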

A Personal Experience

“I shared a personal experience from my time at the Central Intelligence Agency. Being wrongly accused and later exonerated during the Hanssen investigation was a harrowing experience. Such incidents underscore the importance of thorough and benevolent investigations.”

Starting an Insider Risk Management Program

“The first step in establishing an insider risk management program is determining its placement within the organization. The investigator must be trained adequately and possess critical thinking skills. It’s essential to foster a culture of trust and not one of suspicion. Leadership buy-in is crucial. Without it, implementing such a program becomes an uphill battle.

Using MGM and the New York Knicks as examples, I highlighted the importance of being proactive rather than reactive. In MGM’s case, a simple oversight by the help desk led to a significant breach. The New York Knicks, on the other hand, had an insider risk program that was reactive, which resulted in intellectual property theft. Successful programs need to anticipate potential risks and act before they materialize.”

Article by James Kent
