A senior official at a large organization once told me that they had caught an insider making mischief and causing harm to the organization. I was immediately interested — after all, it’s my line of work. But I was shocked when the official explained that since they fired the person, the organization no longer had an insider threat problem.
I’m sorry, could you repeat that?
Conclusions like this are misinformed and disturbingly commonplace. In the long term, they can cause more harm than the actions of any individual insider. I’ve been struggling with an analogy to use that will get through to some of these misguided leaders, and I think I’ve finally found one.
Insider threats aren’t a game, but still…
Recently, I’ve been playing classic arcade games as a form of stress relief. I’ve got my favorites, but one that I could never understand was Whac-A-Mole. What’s the point? Every time you hit a different mole, another one pops up. I always wanted to hit all of the moles at the same time and be done with it. No wonder the name has developed into "a colloquialism denoting a repetitious and futile task."
I can’t help but ask: Is the cybersecurity industry playing Whac-A-Mole trying to counter threats, especially insider threats?
Even with huge expenditures, we are not winning the battle against external and insider cyberthreats. Every day, we read another story of theft, ransom, loss of intellectual property, SCADA system attacks, and more. It’s just as frustrating to me that we only whack one cyber-mole at a time when it raises its head. Why can’t we hit them all at the same time and win?
Playing against the odds
One of the biggest factors preventing us from winning the game is the lack of leadership from the senior level. Here are some real-world examples of leadership responses to cybersecurity and insider threats that show a complete lack of understanding:
- Head in the sand: "We caught an insider, everything’s OK now."
- Underestimating the threat: "This isn’t a heavy lift, and we can address this threat with minimal effort."
- Shoot the messenger: "You’re responsible for this breach; it’s going on your performance review!"
As a result, security professionals are not empowered to pull the cover off of the game, figure out the timing of the moles, and devise a realistic strategy for anticipating their moves in advance.
Let's Change the Rules of the Game
So, how do we stop playing Whac-A-Mole and make the game a winnable proposition?
1. Educate the leaders.
It’s inescapable — someone must spend a significant amount of time with senior leaders, teaching them about the threat to the organization. They need to understand the overt threat as well as the underlying message that the organization’s future financial wellbeing and reputation are at stake. Very simply, without advocacy from the front office, success will only be limited to whacking one mole at a time.
2. Understand the moles are working together.
It’s very rare to find a threat, especially an insider, acting as a lone wolf (pardon me for mixing my animal metaphors). We are inundated today by organized criminals, nation states, non-nation states, gangs, and others who prey upon us for their own gain. Given enough time and motivation, they will figure out how to maneuver around all cybersecurity defenses. Even if you whack one or a few of them, you’ll be victimized by the ones that you missed. In my experience, there is almost always more than one mole in the game.
3. Accept your own blame.
If leadership is failing, part of the responsibility lies with the cybersecurity and insider threat practitioners. It is your job to be the messenger and present the hard facts (even though you know what managers often do to messengers). Effectively communicating these facts is an art form by itself; if we fail, the organization may well fail too. It’s not an easy task by any stretch, but it’s critical to gaining the understanding and cooperation of leaders when presenting a breach or incident.
Be known for speaking the truth, even if it entails risk, and you will survive management wrath.
4. Recognize that tools are just a part of the answer.
Increased spending on technology (call it what you want—tools, solutions, capabilities) will not address cybersecurity and insider threats. Too many leaders are seduced into thinking "If we buy the right tool, install it correctly, and maintain it properly, we’ll be safe." Unfortunately, tools alone won’t prevent new moles from popping up out of new holes. They are static solutions to a very dynamic problem. Remember, humans are behind the threats that organizations are facing. Humans will always figure out a way around any tool.
Technology should support a strategy and not be the strategy. Don’t buy a tool designed to hit one mole at a time. Look at the threat as dynamic and create a process, program, and supporting budget. From there, select tools that will fit in with the vision and strategy of the program. Not only will it be easier to whack multiple moles at once, but budgeting will also become an easier task with a clear strategy guiding key purchases.
Play to Win, Not to Survive
Countering threats to our information is a challenge organizations simply can’t afford to lose. Think dynamically (multiple moles at a time) and strategically (where and when will the next moles appear) and be done with Whac-A-Mole.
And not a moment too soon — I really like Pac-Man a whole lot better.
Keith Lowry is Nuix's senior vice president for business threat intelligence and analysis. He served as chief of staff to the deputy undersecretary of Defense for human intelligence, counterintelligence and security at the Pentagon, and as an information security consultant in the private sector.