Insider Risk and the Art of Half-Arsed Risk Discussions

As Insider Risk professionals, we love our “red flags”.  Not necessarily the activity behind them, but rather the potential that, with each tested and true risk indicator, we’re one small step closer to a more complete, proactive capability.  And yet, when we present findings to leadership and stakeholders, whether immediate concerns, longer-term risks, or recommended courses of action, the rest of the room doesn’t always seem particularly thrilled.

We understand there are many potential reasons for this.  In our eyes, we’re shedding light on a serious risk; however, the C-Suite or other stakeholders may view the findings, or the proposed solutions themselves, as the greater risk.

  • What is the potential negative impact on the mission?

  • What are the financial and reputational costs to the business?

  • How significantly will this change how we operate?

  • What are the consequences (and who will face them) for acknowledging a risk long unaddressed?

So how do we keep the train moving forward?  Here are but a handful of tell-tale signs that risk discussions may be getting sidetracked or even derailed.

"...each risk discussion we lead generates decisions and precedents against which each future risk event is compared."


“What Risk?” (Risk Denial)
This is always a concern, especially when starting a new Insider Risk program.  But we know how the story goes:  leadership doesn’t believe in the need and months later faces a serious issue, which could’ve been mitigated had an effective Program been in place.  Hopefully this mentality is waning, as every day there is yet another example of the obvious and non-obvious risks facing organizations.  But risk denial isn’t only for leadership!  It is evident in the vacant stares of even seasoned security professionals who are finally seeing a real insider case after spending years looking at the wrong things.


Deus Ex Machina
For millennia we’ve drooled over the sudden and miraculous resolution of seemingly intractable problems.  Unfortunately, this occurs far more in literature than it ever has in real life.  Insider Risk is a problem that revolves around people and personalities, organizational processes, in-depth collaboration and a willingness to evolve.  While the right third-party technologies will absolutely help, we cannot buy our way to a solution, so don’t let conversations simply end with “if only we purchased…”.  Tooling is part of the conversation, but not the conversation.

“Stay in your lane.” (verbal or non-verbal)
Often our findings highlight another part of the organization in need of course correction.  Risk recommendations might mean Procurement needs to update a policy, or IT needs to better log a particular system’s activity, or HR’s poor data standards make its data difficult to leverage.  Sometimes the findings are welcomed; other times they’re a thorn in the side of our peers.

So when we get the side-eye from other stakeholders, keep in mind that not only are mature investigative teams best positioned to drive cross-organizational adjustments, it’s also our responsibility to do so.  No other job discipline is as immersed in the collective data, activity, processes, workflows, and policies of an organization.  Our comprehensive vantage point, coupled with keen-eyed analysts and investigators, gives us a perfect opportunity to improve the organization’s overarching risk posture.


“Let’s form a committee on this”
There’s a saying that if no one person wants to claim responsibility for a decision, form a committee.  That’s not to say there aren’t times when it’s necessary to establish one, but without proper care it can be the equivalent of kicking the can down the road.  A clear mission, objectives, agendas, unambiguous decision-making authority and an engaged executive champion are critical.  Absent these, it’s simply a thought exercise where no one owns responsibility for the solution.  When setting one up, make sure it’s geared for success.


“We accept this risk.” (Risk Tolerance)
Sometimes risk must be accepted…but make sure during risk discussions it’s clearly identified who is charged with accepting said risk!  Sometimes the loudest opposition comes from those who would have to change the most, not from the actual risk holder.  Part of our responsibility is keeping feet to the fire until an informed risk decision is made.  Sometimes that even means reminding everyone that, just as when leading people, when it comes to an organization’s security practices, “It’s not what you preach, it’s what you tolerate.”

Make it count.
Insider Risk professionals are positioned to make a difference in the short- and long-term safety and success of organizations.  That’s a welcome responsibility and privilege.  But with that comes the realization that each risk discussion we lead generates decisions and precedents against which each future risk event is compared.
