It’s become almost impossible to ignore the rapidly growing problem of insider risk. Employees are 85% more likely to leak or lose data than pre-pandemic, and the typical organization is experiencing 13 data exposure events per user, per day. It’s also painfully clear that conventional data security tools like data loss prevention (DLP) and cloud access security broker (CASB) just can’t handle the challenge. These old tools aren’t effectively stopping data loss — and their rigid, over-zealous blocking is impeding productivity and collaboration that’s critical to the business. More and more organizations recognize they need to do something different about growing insider risk. But the key questions are what — and how?
Organizations need a smarter approach to data protection that addresses the complexity and nuance of insider risk. Gartner has recognized the new category of Insider Risk Management (IRM). IRM is a fundamental paradigm shift in the way an organization thinks about insider risk and data protection — from a black-and-white view of threats that must be stopped, to the deeply nuanced view of risks that must be managed effectively. Here, we offer five steps to shift to IRM.
You can’t manage what you can’t see. Gaining broad and deep visibility across all data activity is the first step in making the shift to an IRM approach. The typical organization today has big blind spots, often around remote devices, off-network activity and unauthorized shadow IT apps. You need to start by charting out what you don’t know — all of these blindspots — in order to ensure that the tools and technologies you put in place give you the visibility to bring all data activity into the light.
A core part of IRM is the move from a conventional “risk prevention” model to the more modern “risk tolerance” paradigm for data security. Today, nearly every organization now acknowledges they must tolerate some level of insider risk in order to enable the agility, speed and innovation required to survive and thrive in today’s business climate. To effectively prioritize and rapidly respond to insider risks, the security team needs to go define or rank the severity of the high-risk events already on your list — and ensure they have the technical ability to detect and respond when these high-risk incidents occur. Some of the most common high-risk events include things like moving source code to thumb drives or exfiltrating Salesforce reports, but the risk indicators will be unique to your organization.
We all know that users do not reliably and consistently follow policies. It’s essentially the root of the insider risk problem. But, viewed from the user point of view, the problem is that policies don’t address the realities of how they work today. In other words, because most organizations have huge blind spots in terms of how users are actually moving data, their policies don’t even begin to provide useful guidance on “safe” use. You need to create modern data use governance policies that account for the real use patterns you can now see clearly. Effective policy should go beyond a list of approved (and unapproved) apps. You should provide helpful, relevant guidance and basic best practices for how users can generally navigate the movement of data in the cloud, on remote devices and on- and off-network — safely.
IRM is an approach that requires buy-in from more than the security team. This stakeholder engagement is key in defining and prioritizing insider risks — business unit leaders are the ones that know best what is most critical, sensitive and valuable to the organization. But it’s also essential to driving effective response when risk does occur. The goal is to move away from ham-fisted blocking. Taking a more nuanced, right-sized approach often means bringing in business partners from HR, Legal and IT to drive that right-sized response.
For the shift to IRM to be successful, you need to define what success will look like. That goal-setting process should start more abstract: define your key business-wide objectives and connect them with how insider risk impacts or impedes them. Then, go deeper and establish metrics that you can use to monitor, report on and ultimately define progress toward your goals. These metrics will help you show key stakeholders, all the way up to the C-suite and board of directors, that your IRM program is driving tangible change and measurable value that directly aligns with top-level business objectives like productivity, speed to market, brand reputation and even revenue and growth.
There’s no doubt that making a major change in the way you think about and respond to insider risk is daunting. For organizations that have made this transition, taking that first step — seeing their insider risk in its full breadth and depth — kickstarts and accelerates the entire process, helping them define their goals, prioritize their biggest risks, and get buy-in up and down the chain. Because when you see just how big your insider risk really is, it’s hard to look away.
Get the free daily newsletter read by industry experts
The pandemic created more business opportunity, but malicious actors dogged the company's technology stack. Now, the very same products touted as security defense tools are under fire. 
The biggest and baddest ransomware groups love an easy vulnerability.
Subscribe to Cybersecurity Dive for top news, trends & analysis
Get the free daily newsletter read by industry experts
The pandemic created more business opportunity, but malicious actors dogged the company's technology stack. Now, the very same products touted as security defense tools are under fire. 
The biggest and baddest ransomware groups love an easy vulnerability.
The free newsletter covering the top industry headlines

source