• Episode 5: Practitioners guide to effectively managing insider risks

  • Sep 21 2020
  • Duration: 23 min
  • Podcast

  • Summary

  • In this podcast we explore steps to take to set up and run an insider risk management program. We talk about specific organizations to collaborate with, and top risks to address first. We hear directly from an expert with three decades of experience setting up impactful insider risk management programs in government and the private sector.

Episode Transcript:

Introduction: Welcome to Uncovering Hidden Risks.

Raman Kalyan: Hi, I'm Raman Kalyan, I'm with the Microsoft 365 Product Marketing Team.

Talhah Mir: And I'm Talhah Mir, Principal Program Manager on the Security Compliance Team.

Raman: Talhah, episode five, more time with Dawn Cappelli, CISO of Rockwell Automation. Today, we're gonna talk to her about, you know, how to set up an effective insider risk management program in your organization.

Talhah: That's right. Getting a holistic view of what it takes to actually properly identify and manage that risk and do it in a way so that it's aligned with your corporate culture and your corporate privacy requirements and legal requirements. Really looking forward to this, Raman. Let's just jump right into it.

Talhah: Raman and I talk to a lot of customers now and it's humbling to see how front and center insider risk, insider threat management, has become, but at the same time, customers are still asking, "How do I get started?" So what do you tell those customers, those peers of yours in the industry today, with the kind of landscape and the kind of technologies and processes and understanding we have about the space, what kind of guidance would you give them in terms of how to get started building out an effective program?

Dawn: So first of all you need to get HR on board. I mean, that's essential. We have insider risk training that is specifically for HR. They have to take it every single year. So we have our security awareness training that every employee in the company has to take every year; HR in addition has to take specific insider risk training. So in that way we know that globally we're covered. So that's where I started, was by training HR, and that way the serious behavioral issues, I mean, IP theft is easier to detect, but sabotage is a serious issue, and it does happen.

Dawn: I'm not going to say it happens in every company, but when you read about an insider cyber sabotage case, it's really scary, because this is where you have your very technical users who are very upset about something, they are angry with the company, and they have what the psychologists call personal predispositions that make them prone to actually take action. Because most people, no matter how angry you are, most people are not going to actually try to cause harm, it's just not in our human nature.

Dawn: But like I said, I worked with psychologists from day one, and they said, "The people that commit sabotage, they have these personal predispositions. They don't get along with people well, they feel like they're above the rules, they don't take criticism well, you kind of feel like you have to walk on eggshells around them." And so I think a good place to start is by educating HR so that if they see that, they see someone who has that personality and they are very angry, very upset, and their behaviors are bad enough that someone came to HR to report it, HR needs to contact, even if you don't have an insider risk team, contact your IT security team and get legal involved, because you could have a serious issue on your hands. And so I think educating HR is a good place to start.

Dawn: Of course, technical controls are a good place to start. Think about how you can prevent insider threats. That's the best thing to do is lock things down so that, first of all, people can only access what they need to, and secondly, they can only move it where they need to be able to move information. So really think about those proactive technical controls.

Dawn: And then third, take that look back, like we talked about, Talhah, take that look back. Pick out just some key people, go to your key business segments and say, "Hey, who's left in the past?" I mean, as long as your logs go back, if they go back six months, you can go back six months. But just give me the name of someone who's left who had access to the crown jewels, and just take a look in all those logs and see what you see. And you might be surprised.

Talhah: Yeah, and on this look back piece, Dawn, we're actually hearing that from our customers quite a bit in that, the way they kind of frame it is that, "Why don't you give me an idea, with technology, can you give me some sort of an idea that you can look through some of the logs I already have in the system, parse through that, to give me an insider risk profile, if you will, of what's happening, what looks like potential shenanigans in the environment, so I can get a better sense of where I need to focus and what kind of a case I need to make to my executive sponsor so I can get started." So that's definitely something we're thinking ...