Earlier I used some statistics from the Verizon breach study to bash “angry insider” hype. After reading a blog exchange I think I need to clarify my position.
There was a great discussion going on at the Rational Survivability blog, thanks to a comment by security expert Amrit Williams about the statistics reported in the Verizon security breach report. Amrit (whose blog you can read here) commented truthfully that the report does indicate that more damage is done by insiders (per incident) than outsiders; so Hoff at Rational Survivability might have come to the wrong conclusion when he commented: “So much for insider risk trumps all.”
Earlier I used Hoff’s points from the report to call for the end of “angry insider” hype. While Amrit makes a fair and accurate point about interpreting the data and the study’s findings about the level of damage by insiders, I think a greater point is getting lost in the insider threat machine’s battle for mindshare. And I think that point cuts to the heart of the reason why the network security world is in such a state of chaos and suspicion today.
“Makes me wanna holler, throw up both my hands.”
– Marvin Gaye, Inner City Blues
I MAKE MY CASE
Enterprises have made employees more productive and systems and data more accessible. Unless you make IT security pros responsible for screening hires, running ethics seminars, etc., they certainly cannot be held responsible for angry or unethical insiders, any more than they can control where laptops or cell phones go every day.
The issue of protecting corporate assets from employees and contractors is obviously a bigger mission than IT security; it encompasses a range of players in the enterprise, including human resources, legal, training, operations and even executive leadership; it won’t be solved by software or hardware in the network or even the promise of universal insider threat management.
These amorphous statistical catchall rollups of insider threat damages confuse threats with accidents, ethical breaches, and other activities beyond the reach of IT security teams. They’re part of the greater security conversation merely because they’ll always happen and a category of vendors is suggesting that they have the ultimate answer.
They don’t. There are solutions that would help in subcategories of insider breach, but not in all of the elements that are being rolled up. The roll-up is therefore part of the hype.
The ultimate answer will come (if it ever does) from the leadership of a company, its policies and procedures for training and hiring, and more emphasis on controls than convenience. All I can say about the employee-proof hardware and software dream has already been said: “Open the pod bay doors, Hal.”
Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004. My recently launched personal blog is: www.archimedius.net. These are all my opinions, and do not represent the opinions of employers, spouses, kids, etc.