Step 1 of 5 to Quantifying Insider Risk

by Mike Tierney | Feb 02, 2017

Involve the Right People

Risk around company data normally falls to someone within IT, the security team, or the CISO, as these individuals play a crucial role in quantifying and addressing insider risk. But to properly assess the state of insider risk, and to ensure that suitable controls are put in place in response, you will need the perspective and assistance of a number of positions within your organization.
Executive Leadership

This should include the CEO or equivalent, who needs to understand both the risk that exists and the specific actions that will be taken as a result of that risk. This is becoming a board-level issue at many organizations – that’s how seriously cyber-security in general, and the threat posed by insiders specifically, should be taken. If your senior management is not engaging on this subject, view it as an opportunity for you to demonstrate real leadership within the organization. It will increase your value to the company while you deliver on the promise of greater security.
Human Resources

Someone at the head of your HR efforts will help balance the company’s need to protect its assets against the concerns of the individual employee as controls are put in place. Additionally, involving HR unlocks a source of intel about your employees that you already have but aren’t using to identify risk. HR knows about changes in employee productivity, personal issues, etc. – all of which can provide context around where your focus should be. There are ways to do this without compromising employee privacy.

Legal

Your general counsel or external legal resource will be called on to draw up specific documents as part of this process, helping to ensure the company takes the necessary compliance steps as controls are put in place, and taking point in presenting evidence should legal action need to be taken.

There are obviously more roles within the organization that will become involved should you elect to implement technological solutions designed to help detect insider threats and reduce the resources needed to investigate them. These resources will depend on your organizational structure, and may report up to the CISO in an enterprise, or be part of IT in smaller and mid-sized organizations.
Once you’ve identified the individuals who need to be involved, the first step is to put some level of insider control in place on an employee’s first day of employment.