Podcast Transcription


Christine Izuakor:

Welcome to the Veriato Insider, a biweekly podcast covering some of the latest trends and things to know in cybersecurity. This podcast is sponsored by Veriato, a next-generation employee monitoring, and insider threat detection software provider. To learn more about how Veriato can help protect your company, check out veriato.com. I'm Dr. Christine Izuakor, your host for today's segment. And today's topic is covering a concept that is top of mind for many companies in today's day and age, and that is employee productivity during the remote era and how that may or may not tie into common security concepts like Insider Threat. We have a special guest with us today to cover this topic. Stacey Champagne is joining us. Stacey is an experienced cybersecurity expert who has worked across numerous cybersecurity functions, including leading insider threats programs everywhere from large companies like Blackstone to Capital One.

Christine Izuakor:

She earned a Master's Degree in Security Resilience Studies with an emphasis on cybersecurity policy from Northeastern University and also received an insider threat program manager certification at Carnegie Mellon. Stacey is also a certified forensic computer examiner. I could go on and on. So many credentials and so much experience and a wealth of knowledge here. But she's also big on making a difference. So I love this. She founded an organization called, Hackers in Heels, which is a company committed to attracting, advancing, and advocating for women in cybersecurity. Love all of it, and I'm super excited to have her here. So welcome Stacey and thank you for joining us.

Stacey Champagne:

Thank you so much. It's great to be here.

Christine Izuakor:

Awesome. So we're going to jump right in. Tell us a little bit more about who you are and your background?

Stacey Champagne:

Yeah. Thanks for your wonderful lead-in, I have a very multidisciplinary background in everything from the arts, to business, to international security, and of course, cybersecurity. I had actually spent a couple of years prior to pursuing the cybersecurity field where I was a visual information specialist for the US Intelligence Community. Those skills of being able to take information that is complex and things that you would have to be able to understand and pick up quickly and distill them into graphics that anyone could understand from, you know, someone in the military, to a member of Congress, all the way up to the President of the United States, those skills have helped immensely in cybersecurity because it's the same. It's the same sort of situation happening there, right? It's very complex, very fast-moving, you know, people need information quickly to make decisions.

Stacey Champagne:

And I've taken that skillset and really applied it to the specialization of insider threat. And with insider threat, that is something that, you know, while it sits in the cybersecurity, you know, function, oftentimes in an organization, again, it needs someone who can look at situations from all different perspectives to be able to assess what's going on with the person, because a, a person is multifaceted as well. And so working my way up from being an insider threat Analyst, to an Insider Threat Technical Investigator, gaining that technical experience as a Computer Forensic Certified Examiner, and then leading insider threat programs, it's been quite a ride this past (laughs) few years. And so next month I'll actually be joining a program at a large, well known global FinTech, and I'll be leading up their insider threat investigations there.

Stacey Champagne:

So, and like you had mentioned in the in-between now I've been working on two entrepreneurial ventures. The first one being Hackers in Heels, and the second one, you'll just have to wait for it to be announced. But it is related to insider threat and specifically this, Sip and Strategize, Networking Community that I co-founded and built out over the past year. We've had a couple of events where we gather, I think the last one we had upwards of 30 people virtually joining in and just talking about insider threat from the perspectives that we don't normally really get into when you're a part of industry groups. You know, industry groups kind of play it a little safe in regards to the topic matter, and we, we really dig into it and how, um, organizations are, you know, contributing to perhaps sometimes the insider threat risks in their organizations and also, how we can really bring everyone to the table to help address it within our companies.

Christine Izuakor:

It may sound like there are so many exciting things that we have to keep an eye out for coming out of, um, in your world soon. So definitely looking forward to hearing more about that. Um, and that's a good segue into, uh, one of... One of my first questions here. So you talked about some of the non-traditional ways that people might view, um, you know, insider threats or, or different security risks. So how are you seeing this remote era impact the concept of productivity in general?

Stacey Champagne:

Yeah, so I think first we have to define productivity. And so to me, productivity is an output. It's not the physical presence of someone at their keyboard or measured in time. And, you know, I think at times I feel like companies forget that. Now, has productivity taken a hit by remote work? I don't think many companies are in a position to determine that objectively. And I recognize that you know, lately, productivity has just been a hot topic and everyone has a take on it. And so I'm, I'm effectively saying, like, I don't know if we can really comment on that to say we're more or less productive now than this time a year ago would require us to have actually measured productivity back then. Um, and then also just the environment of how things were a year ago, we're not operating in the same environment.

Stacey Champagne:

So when anyone really comments on a workforce being more or less productive during this time, I believe they're largely commenting based on personal feelings rather than facts. And so the way I see this remote era impacting productivity is an increase in management accountability to define what success is for their teams. So really, you know, the impact is we're expecting managers to actually act like managers. The teams, in turn, are evaluated by whether they meet the criteria, not necessarily whether their online status was green for eight hours, you know, which is the in-office equivalent of people being at their desks. If we start measuring work this way now then maybe when we have the opportunity, if we want to go back to the office, we could judge whether or not people were truly more or less productive at home. Um, but for me, I think it's really hard to make any sort of objective judgments on, you know, how, how productivity has been impacted at this time.

Christine Izuakor:

Yeah. I completely agree. That's such a great point. It's this subjective, that notion or feeling, and I think that you really have to, to your point, have the data or the tools to measure that and, you know, track it over time to really define whether it's productive or not. So really great point there. Now, along those same lines, like do you view productivity concerns or issues, do you consider those insider threats and you know, why or why not?

Stacey Champagne:

Sure. So I see productivity issues as an indicator, not necessarily a threat in itself. So, in support of some of the points, I just made productivity issues can be bad management. It could be a sign of a health problem. It could be a sign of issues at home, uh, even a poor job fit. So, you know, in summary, productivity issues are a sign of an employee needing help one way or another.

Stacey Champagne:

And if the employee gets that help, they may find themselves pushed further down, uh, you know what we call in insider threat practice as the critical path, where, you know, certain things happen in their life, whether it's caused by the organization or something personal or whatnot, where they're ultimately driven to take adverse action against the company because they've been, you know, abused by their manager, they need money, or they otherwise feel they're owed something that they didn't get.

Stacey Champagne:

And to drive this point in even more, uh, if an organization uses productivity data to approach an employee from a place of reprimand, rather than really trying to understand what's going on with the employee and, and help them out, then, I mean, I would say that the individual will definitely be pushed more towards committing a hostile act. Uh, and so that's why when I hear productivity coming up in conversation, I always really dig for the motivations behind the topic, um, to make sure that it's coming from a positive, helpful place, because I get so nervous and concerned about what people actually plan to do with that information.

Christine Izuakor:

Yeah. It's concerning to me when people get approached without having that sense of, I would say empathy or that sense of really trying to understand what's the fundamental issue here. Because you're right, there are so many different sources and so many different variables to why someone might be, uh, productive and it's not always malicious or intentional, at least not in the beginning. It can lead to that in some cases to your point. But I think going in with that open mind and a priority of helping and coming from a good base definitely makes a difference. So what are some unique implications that a lack of productivity for, you know, whatever the fundamental reason might be or the cause? Um, what are some implications that can have on security within the company, and, uh, are there any, um, examples that you can share?

Stacey Champagne:

Yeah, sure. So all actors internal and external bank on the watchers, the security team not paying attention. So if you have a distracted workforce, I mean, and even watchers can be defined as the everyday people, anyone who's touching your endpoints, anyone who's on your laptops, who's using your mobile devices. Uh, if you have a distracted workforce, you may find yourself with an uptick in successful phishing attempts. People just aren't paying close attention. You know, someone flipped just a letter and a URL, and while they were watching the kid, they clicked on the link and one thing led to another. So, you know, there's that.

Stacey Champagne:

There's also just tired eyes, reading activity logs can miss events. And then especially, you know, to really be specific to insider threat, if there are personnel investigations that are taking too long, so say someone reported something to HR, leaving an employee in limbo for a resolution that delay could be interpreted by the employee as a lack of care, and then inspire them to take some sort of adverse action.

Stacey Champagne:

So, you know, "My manager is doing XYZ," or, "I need help with this," or, "Something was processed improperly and now they're taking, you know, four weeks to resolve it. Does this company even care about me? I'm going to take what I'm due and leave," uh, you know, all of those, all of that rationale could potentially play out due to, you know, just a strained workforce.

Christine Izuakor:

It's the same theme that I'm hearing build up here is caring and you know, that sense of empathy and really focusing on the human side of things, especially when you're talking about insider threats. So what advice do you have for businesses that are struggling with managing productivity in their workplace?

Stacey Champagne:

Yeah. So make sure the concern is coming from and focused on the right places. As you've reiterated empathy, that's definitely the theme of the conversation, care. Too often, productivity or lack thereof is blamed on the employee, but I believe that productivity is really on the manager and on the organization. What are they doing or not doing to affect the success of their employees? So we see this in insider threat as a whole. So everyone thinks that the point of an insider threat program is to "catch bad people," but that's not it. Our goal is to help organizations help their employees by showing them where and how these people are ending up on the critical path and working together to try to get them off of it before they actually do steal the data, break the computer, or harm a coworker.

Stacey Champagne:

Because otherwise, it's like expecting the main purpose of, you know, let's just take your traditional, regular, external-facing cybersecurity team. If we were expecting their job just to be clean up malware, we all know that's not how those teams operate today. Yeah, that comes with the job. But 95% of what I see a typical, you know, security operations center or threat management team doing is all these other activities to make sure the malware doesn't get into the systems in the first place. It should be the same approach and the same mindset and strategy with insider threats.

Christine Izuakor:

Really good point there. There's so much that we've, um, covered here and so much insight. Is there anything else that you wanted to add as we wrap up?

Stacey Champagne:

Just thank you so much for inviting me here to share my thoughts on this topic with you and the listeners.

Christine Izuakor:

Awesome. Well, Hey, thank you so much for joining us again. This has been a pleasure. We've learned, um, so much in such a short amount of time. Uh, that concludes the Veriato Insider Podcast for this week. Again, this podcast has been brought to you by Veriato, an award-winning cybersecurity company recently recognized with the Gold Award for Best Insider Threat Solution in 2020. Their solutions are anchored around four core pillars of cybersecurity protection, including employee monitoring and web filtering, workplace investigations, insider threat detection, and also ransomware support. So again, to learn more about how Veriato can help protect your company, check out veriato.com. Thanks, everyone for tuning in and a special thank you again to Stacey for joining us and sharing so much valuable insight.

Stacey Champagne:

Thank you so much.

Christine Izuakor:

I'm Dr. Christine Izuakor, the CEO of Cyber Pop-up, and it's been our pleasure to share these insights with you. So until next time, stay safe and secure.

 


Listen To Podcast