Dave Komendat, Vice President and Chief Security Officer, The Boeing Company, discussed the ins and outs of a successful insider threat program in his keynote presentation to Argyle's CISO membership at the 2017 Chief Information Security Officer Leadership Forum in Chicago on May 4. In his presentation, "Starting your Insider Threat Program: It's Not As Easy As You Might Think," Komendat described the challenges associated with insider threat programs and provided tips to help organizations overcome these problems.
According to Komendat, there are 10 steps to create a successful insider threat program:
1. Focus on your company's culture.
The success of an organization's insider threat program may depend on the organization's culture, Komendat indicated.
If an organization maintains an open approach to new ideas, it may be more likely than others to adopt successful insider threat technologies and practices.
"You need to understand what's the culture of your company," Komendat said. "How successful are you going to be allowed to be?"
2. Build your program from the top down.
Senior executive buy-in may dictate the success or failure of an organization's insider threat program. With executive support, IT professionals can gain the funding they need to develop an effective insider threat strategy.
"We started out with top-down coverage. We got commitments for funding from [senior leaders] to help us put the insider threat program together," Komendat stated.
3. Develop a set of guiding principles and follow them.
Guiding principles should dictate how an organization intends to approach insider threat detection. These principles also can help an organization determine how it will measure the success of its insider threat program.
"We built [guiding principles] because we knew that we were going to be challenged at different times during the development of our insider threat program," Komendat noted. "We wanted to have a set of principles … that would allow us to go back and measure ourselves."
4. Determine who is in charge of your program.
Business leaders play key roles in the success or failure of an insider threat program.
Ultimately, business leaders must teach employees how to identify and address insider threats. These leaders should possess in-depth knowledge of insider threats, keep track of evolving cyber threats and go above and beyond the call of duty to mitigate such problems.
5. Build the right team to support your program.
The right team should include a combination of employees across multiple departments. This team will be able to share knowledge and insights with one another and work together to reduce the risks associated with insider threats across an organization.
6. Find skilled personnel to drive program improvement.
Skilled personnel are essential for insider threat programs, regardless of an organization's size or stature.
The success of an insider threat program depends on the personnel who constantly search for ways to develop and enhance the program. As such, the ideal personnel will possess a strong understanding of cyber threats as well as the ability to teach others how to detect and resolve cyber threats consistently.
7. Follow regulations.
Cybersecurity regulations may vary depending on industry. Thus, organizations should analyze the data security protocols related to their respective industries and follow them closely.
Failure to comply with federal and/or corporate data security regulations could result in steep penalties and fines. On the other hand, an organization that maintains compliance with assorted regulations can avoid costly, time-intensive violations. This organization will have protocols in place to address workers who fail to comply with various regulations as well.
8. Perform regular program audits.
With auditing procedures in place, an organization can understand its insider threat program strengths and weaknesses. Then, this organization will be able to explore ways to transform program weaknesses into strengths.
9. Invest the necessary time and resources in your program.
There may be a substantial upfront cost associated with the development of an insider threat program. Over time, the return on investment (ROI) of this program will outweigh the initial cost.
Senior leadership is often responsible for providing financial support for insider threat programs. If IT professionals can collect data that highlights a program's success, they improve their chances of securing that financial support time and time again.
"You've got to sell the program. You've got to produce, and you've got to be able to communicate your findings," Komendat said.
10. Drive a culture change.
A successful insider threat program won't happen overnight. However, an organization that remains focused on educating employees about insider threats can drive a cultural transformation, one that stretches across all levels of the organization.
"The goal isn't to have the best insider threat program or technology in the world. The goal is to change your culture so employees clearly understand that the information that you have is yours – not theirs – and they should be protecting it – not stealing it," Komendat indicated.
Dave Komendat is the vice president and Chief Security Officer (CSO) for The Boeing Company. In this role, he leads the Security & Fire Protection (S&FP) organization, which provides risk management services and standards to protect people, property and information across Boeing. He is responsible for Boeing's global security and fire protection policy and procedures, site security, supply chain security, structural and aircraft fire protection, government and proprietary information security, data protection, security background investigations, emergency and disaster preparedness, international security, crisis management, counterintelligence/counterterrorism, insider threat programs, threat management, security technical operations and executive protection.
Komendat represents Boeing in both national and international security policy engagement with government and industry advisory groups including the Department of Homeland Security’s (DHS) Critical Infrastructure Partnership Advisory Council; Overseas Security Advisory Council and the National Counterintelligence Working Group. He is past Chairman of the Department of Homeland Security’s Critical Manufacturing Leadership Council and currently represents Boeing as the private sector Co-Chairman on the Domestic Security Alliance Council (DSAC), a partnership comprised of the FBI, DHS and members of the private sector formed to enhance communication and promote the timely and effective exchange of information focused on keeping the nation's critical infrastructure safe, secure and resilient. Dave also holds board leadership roles within the International Security Management Association and the International Security Foundation.
Dave joined McDonnell Douglas as an Industrial Security Specialist in 1986 and has held a variety of positions at Boeing and McDonnell Douglas. In 2001, he became the director of security for the new Boeing World Headquarters in Chicago and was appointed Boeing’s CSO in 2008.