Information Security Starts with the Employees

Organizations continue to spend exorbitant budgets to combat the issue of insider threat with one source estimating it at $270B/year by 2026 (Forbes, 2020). By comparison, the cost to put a man on the moon, possibly the greatest accomplishment in the history of mankind, was $283B (adjusted for inflation) and that was spread across thirteen years from 1960 to 1973. The cybersecurity industry’s approach to insiders has reached a tipping point where the methodology and framework have become unscalable, inefficient, and ineffective. The only strategy appears to be doubling down on buying more technical solutions. Organizations appear to be failing across three main areas: 1) developing a long-term strategic risk-centric approach that fits with the globally changing political, sociological, and behavioral environments, 2) an over-reliance on technical tools and related training materials to more accurately and expeditiously identify an evolving threat, and 3) a overemphasis on employing technical rather than insider threat subject matter experts (SME). The results of this research seek to provide organizations with critical data points and examples that can be used to propose solutions so they can better address the actual root-cause of insider threats and not the symptoms and evolve their Insider Threat Programs (InTP).