I recently attended my first-ever Insider Summit (formerly the Insider Threat Summit) in Monterey, California. The event, in its ninth year, was attended by insider risk leaders, counterintelligence professionals, and current/former members of law enforcement and the US military. The heavy focus on people — not data or systems — was surprising to me. More specifically, there was an emphasis on addressing “the whole person” and focusing on employee wellness.

This underscores for me that insider risk is very much a human problem, not a technology problem, which doesn’t mean that technology does not help address human problems but rather that technology can only identify — not prevent — the symptoms of a person who is headed down the critical path leading to an insider incident. As Dr. Amanda Najjar pointed out during her talk, “We are all capable of becoming insider threats.”

Several speakers covered topics such as employee wellness and safety, which are key to reducing insider risk. Stressed users, after all, are risky users, as they are more likely to make mistakes, act maliciously, and succumb to external coercion.

The impact of geopolitics and state actors was another prevalent topic. Insiders are a constant target of state actors, and the volatile geopolitical environment is increasing that risk. Nations are looking for ways to gain an advantage and to acquire valuable intellectual property, and they are aggressively targeting insiders in their pursuits.

One topic in particular caught me off guard: suicide. One of the speakers, Dr. Deanna Caputo of MITRE, discussed suicide and the insider risk team’s ability to identify users at risk of suicide. She made the point that “suicide is an insider threat” because of its impact not only on the individual but the whole organization.

While the insider risk team isn’t directly responsible for monitoring for mental health or suicide risk, the tools and techniques that insider risk pros use might be useful for picking up clues that certain users are at risk or may be at risk of external adversaries targeting them.

My own talk focused on how insider risk and data security can work more closely together to guard against insider data exfiltration. Forrester Principal Analyst Heidi Shey and I codeveloped this approach for last year’s Security & Risk Summit. While insider risk teams focus on detecting and investigating insider incidents, data security teams focus on preventing data breaches. When the two teams collaborate, they can share information about the data at risk, the riskiness of individual users, and how insiders are trying to exfiltrate data. This “data intelligence cycle” creates a continuous feedback loop where insider risk and data security pros learn from each other and collaborate to stop data exfiltration. Heidi and I plan to publish this research later in the year.

Let’s Connect

Forrester clients can schedule an inquiry or guidance session with me to do a deeper dive on insider risk and learn how to start their own insider risk management program.