When Turning Every Stone, Don’t Look— See

Whether we’re joining an established Insider Risk program or developing one from the ground up, one of the foundational efforts is taking an honest inventory of the environment. This can mean quite a lot: the broad and the narrow, the strategic and the operational, the complex and the simple. Understanding an organization’s structure can be as important as knowing the physical and virtual locations of workforce segments, facilities, assets, and data. Similarly, identifying little-known business processes can be as vital as highlighting key business operations. Sure, we’ve got a bead on the standard operating procedures, but how about the not-so-standard operating procedures?

But there is a fundamental difference between identifying and denoting matters of fact, and using those findings to proactively envision risk. The former is meant to inform the latter. Yes, we need to button up the glaringly obvious risks and gather those initial “wins”. But a second tranche of effort, characterized by open, curious and creative work, is what sets Insider Risk programs apart.

Most are familiar with the Johari Window from psychology, which provides a visual of our awareness of ourselves and others. But it also acts as a useful lens through which to view the insider risks we face, could face, or may unknowingly face.

Here is how it translates into the Insider Risk world and some loose anecdotal examples:

OPEN: Known to both insider and Insider Risk program.
—> EX: Long-time organizational policy allowing removable media despite well-known risk.

BLIND: Known to insider but not Insider Risk program.
—> EX: A tool originally created to facilitate cooperative efforts between the organization and outside parties, allowing data transfer. Very small internal user base. All but forgotten over the course of years of fast-paced IT implementations of new products and services. May be categorized as “shadow IT”. May not even be logged.

HIDDEN: Known to Insider Risk program but not insider.
—> EX: Various disparate human resource systems exist across the organization, potentially allowing individuals previously terminated as threats to the workforce to be re-hired in another part of the organization.

UNKNOWN: Known by neither.
—> Immediately after an item is identified in this category, it transfers into “Blind” or “Hidden”, depending on who identifies it. This is where unforeseen avenues of risk are either envisioned by an Insider Risk program and mitigated (“Hidden”) or exploited by an insider (“Blind”).

It’s with an open mind and curious eye that we uncover some of the most concerning risks.
