Advent IM MD Mike Gillespie gives us his thoughts on the ongoing role pastoral care plays post-vetting when it comes to insider threat.
Every business needs them. Every business spends money and time sourcing, training and moulding them. Some businesses even put them through a rigorous vetting system. But because we are human, our belief systems, allegiances and circumstances can and frequently do change. When we carry out vetting, it is correct and current only at that time. Understanding that our staff and colleagues may all be dealing with change in their lives that could well impact how they do their job is very important.
Thankfully, people are diverse, and whilst that means a one-size-fits-all approach to ongoing pastoral care is not going to work, it does mean we get an equally diverse variety of approaches, solutions and innovations. But everyone needs to be and, most importantly, feel cared for; to be kept engaged, to emotively connect and expound a set of corporate core values that they genuinely believe in. Keeping on top of that is challenging but ultimately worth it, and if we are talking about insider threat then it is nothing short of vital. When we take our eye off this particular ball, the disaffected or malicious insider can strike using the motivation that the business has potentially failed to harness and channel. Of course, this doesn’t apply to insiders who have specifically targeted an organisation with a goal in mind, though you would hope that other vetting or ongoing care would help in spotting the warning signs. These signs can indicate a change in ideology or allegiance; perhaps a conflict is causing a change in personality. In an organisation where the ability to spot this is encouraged, the chances of it being addressed are far greater, which helps to lessen the risk of it going further.
In fact, a huge part of the security solution is provided not through ever-increasing layers of technology, not through greater or tougher controls, but rather through effective and people-centric leadership. Those leadership skills need to be apparent and evidenced throughout every layer of an organisation. People need to know what physical and cyber controls are important in protecting our information assets, but they also need to want to do it. These continuously growing skills and motivation, combined, make for a powerful layer of protection that is both effective and nuanced. This all has to be part of a living, iterative process of continuous awareness linked with an ongoing development of a culture of empowerment, trust and belonging, fostered by leaders across the business.
System monitoring, if it is explicit and transparent, is a valuable part of detecting unusual or malicious activity, just as it is in the detection of malicious external attack and incursion. Monitoring is only going to be useful if it is implemented with a clear understanding of what is to be detected AND what the appropriate response mechanism to the threat is. Monitoring also needs to be balanced to make sure staff do not feel surveilled, which in turn could lead to lower engagement or even grow into disaffection. You could also ask whether it is ethical not to exercise a monitoring policy if it can help protect your or your customers’ information assets. As with all controls, it needs to be proportionate and effective without being invasive or obstructive to the users. (If you are concerned about ethical or legal issues around staff monitoring, see our presentation on Effective Employee Monitoring. You will need sound.)
- Posted by Ellie Hurst
- On 19th September 2016