The pandemic was a force accelerator for digital transformation in the enterprise. It’s not just the dramatic remote work shift — it’s a profound shift toward prioritizing speed and flexibility as the drivers of a company’s competitive advantage. But as faster, more agile ways of working dramatically increase data security risks stemming from our own employees, it’s forcing a reckoning: How do you manage these growing risks without impeding speed and agility in your business?
The answer is a new category of data security technology: Insider Risk Management (IRM). IRM builds a framework around the new paradigm of “risk tolerance,” aiming to give security teams the visibility and context around data activity to protect that data, without putting rigid constraints on users. Attention around Insider Risk is growing. According to Gartner, “Security and risk management leaders have observed an increase in demand for assessing and managing Insider Risk, including surveillance of high-risk workers and anomaly monitoring of critical applications and data.”*
Insider Risk vs. Insider Threat
The conventional notion of insider threat conjures up thoughts of malicious employees intentionally stealing valuable data, or willfully negligent employees exposing sensitive data. The problem is, most of the employee actions that put data at risk today don’t fall into either of those categories. Rather, they’re the result of people just doing their everyday work — and unintentionally putting data at risk.
Here’s where there is a distinction between insider threat and insider risk: conventional notions of insider threat suggest threats are definitive and must be stopped or blocked. But ingenuity and innovative problem-solving aren’t behaviors we should discourage; in fact, this is what business leadership wants. You can’t afford to shut it down — and successful organizations are actively encouraging and fostering it. So, the new paradigm of Insider Risk Management is all about understanding nuanced risk — not preventing it.
It’s Not Blocking
An important element of the paradigm shift in the data security world is that IRM does not believe in “blocking.” Conventional approaches to insider threat prevention typically rely on policy-based blocking tools to stop a defined set of threats. But with no easy, clear demarcation between what’s definitively threatening and what’s just everyday work, it’s clear that security teams need a new approach for mitigating data security risks. In place of blocking, Gartner defines a three-step approach: “Deter the individuals from wanting to do it in the first place; Detect the activity; Disrupt the effort.”* Organizations should:
- Deter — through effective authorized-use policies, employee training and building data security into company culture.
- Detect — with comprehensive visibility into data activity, including the growing activity happening remotely, off-network and in the cloud.
- Disrupt — through the ability to act on that comprehensive visibility in near-real-time, disrupting the “too risky” activity before it causes real damage.
But It’s Not Performance Management, Either
When we talk about monitoring all activity, what comes to mind may be performance management tools that aim to see all user activity and translate that visibility into objective employee performance metrics. But it’s important to understand that IRM solutions should be distinct from performance management. After all, security teams aren’t interested in judging productivity or performance — that’s HR’s realm. Moreover, the entire point of IRM is to empower users to work how they want to — to foster their ingenuity. Blurring the lines into performance management takes IRM down a path toward defining “right” ways of working — and ultimately limiting, not freeing, your employees.
IRM should be a distinct program that is both transparent and invisible to your employees. Transparent in the sense that your employees are fully aware of what you’re monitoring and why — that you don’t really care what they’re doing, as long as it’s not putting data at risk. And invisible in the sense that it’s not slowing down users or otherwise impeding their productivity and ingenuity.
It’s All About Context
It’s a simple adage with broad relevance: In life, in business — and increasingly, in data security — it’s all about context. Context is the key to empowering employees to work in faster, more agile ways — while protecting the business and its most sensitive, valuable data. It’s clear that the conventional data security tools most companies rely on just won’t cut it in this new world of work — because they don’t see and understand the nuance of context. So, just as companies rapidly moved to support workforce speed and agility, protecting that speed and agility in 2021 and beyond will require empowering security teams with smart visibility into all their employees’ fast, agile activity — on and off the VPN, in the cloud and on the web. The new pace of digital work is here to stay. It’s time data security caught up.
*Gartner Market Guide for Insider Risk Management Solutions, Jonathan Care, Brent Predovich, Paul Furtado, 29th December 2020.