Proposed Insider Threat Program
Written by Thomas Langer
Defense Counterintelligence and Security Agency (DCSA) in ISL 2016-02 dated May 21, 2016 and revised June 29, 2017, required cleared contractors to implement an Insider Threat Program (ITP) at their cleared sites, and presented a number of clarifications and changes in ISL around training, classified information systems, etc. As 2019 draws to a close, these now three-year-old programs across our industry are due for an assessment and a refresh from each of us. This short note is intended to share some thoughts, challenge some assumptions, and help the reader view the program in the light of ‘deliver uncompromised’.
Hopefully most companies saw the benefit of having the ITP cover all of their sites, regardless of clearance status. Certainly, they would be pared down in uncleared sites because the reporting to DCSA does not apply to uncleared employees, but the fact remains that the insider threat resides at all of our sites. If you look at the many cases reporting in the press over the years, the damage to many commercial entities came from trusted insiders who took egregious risks or were bent on settling a real or perceived score with a leader or colleague. So, while we all need to be looking to expose and contain another Snowden, other threats such as intellectual property theft, data exfiltration, workplace violence and unauthorized risk loom large.
With the requirement to appoint an Insider Threat Program Senior Official (ITPSO), have you considered someone outside of security? As the FSO or Chief Security Officer (CSO) of the company, who really needs another title? What you need more is support and leadership commitment to the ITP. Consider naming someone like the Chief Counsel or the senior leader at the site. They bring credibility and attention to the program for sure, but more importantly they bring a broader business perspective.
Not unlike someone outside of security as the ITPSO, have you considered forming an insider threat committee in your organization? A committee is a great way to increase the visibility and reach of the ITP in your organization, and it brings together an influential mix of people. Suggested members would be Legal, IT (delivery and security), Ethics, HR, Export Control, Communications and Internal Audit. Structure the meetings for an hour each month and hold to that schedule and an agenda to be respectful of people’s time. You’ll be surprised with the amount of support the ITP gets from a committee like this, and how it drives a stronger and more meaningful security culture within your organization.
As you develop insider threat cases in your organization track them to closure. You should have one centralized database where you can log cases developed under the ITP and note the outcome. Tracking, analyzing, and documenting these cases allows for the ITPSO, and you, to insure you have a consistent way of dealing with insiders and that discipline or corrective action is equal throughout the organization. Additionally, if you have to take action against a former employer or teammate for intellectual property theft, you’ll need to prove you had a system for marking, controlling and investigating incidents with intellectual property.
As for training, don’t be shy about using current cases from the news on damaging insiders that have nothing to do with the defense and intelligence cases. You want your workforce, and leadership, to think beyond the spy cases and look at the insider threat as potentially coming from anywhere in the organization. This broader thought process around organizational risk helps strengthen your overall compliance program.
In summary, whether you adopt some or none of these suggestions, look to refresh and reinvigorate your ITP in 2020. Former Director Payne and his team at DCSA worked long and hard during his leadership tenure to make security the fourth pillar of Acquisition’s three pillars of cost, schedule, and performance. He exceeded his expectations when the leadership of the Defense Department declared that security was foundational to participating in acquisition versus a pillar of acquisition. Therefore, everything we do when it comes to security has to be foundational to our organization. Expanding our programs to include our colleagues in other functions is precisely that type of foundational work.
About the Author
Mr. Thomas Langer has a 30-year track record as an industry security executive, including 20 years with BAE Systems, and will be periodically sharing his knowledge on crucial, relevant topics here on this Blog page. Learn more about Thomas here.