Career Insights with Upasana Gupta

The New Insider Threat

Signs to Look for Before Good People Go Bad

Imagine: A colleague is frustrated, thinking that the organization is operating unethically, and vents his anger while having coffee with you.

As you walk back to your office, you suddenly wonder whether he might take the next step from mere words to potentially serious actions. You know he's a good guy, but you start to question his intent, and the ramifications on your own career if an insider incident were to occur on your watch.

Your mind shifts to Bradley Manning, the Army intelligence analyst who allegedly leaked 250,000 diplomatic cables to WikiLeaks, in the belief that he acted in the nation's good. Could your colleague be angry enough to leak your organization's sensitive data in the conviction that he's doing good? How can you tell, and what should you do?

This is a new type of insider threat. Unlike the traditional insider, who knowingly commits crimes, this new type harbors the illusion that his or her actions will serve a greater good. And yet the end result is no different: it's a data breach.

What do you do?

"Unfortunately, there is no single sign or a simple checklist to follow," says Shelley Kirkpatrick, behavioral and security expert at Management Concepts, a leadership training company. "Human behavior is complex, and there is no guarantee."

Still, Kirkpatrick suggests you look for three traits that are typical red flags:

  1. Intent: Employees on the edge usually need to communicate their purpose and look for a sounding board to let others know what they are seeking. Leaders should have their ears open when they hear employees talk about or threaten to do something. They should always treat this talk seriously.
  2. Past behavior: The best predictors of the future are past activities and experience. If employees have a track record of engaging in something inappropriate in the past, chances are very high that they will repeat their activity in the future. In Manning's case, he was a hacker when he enlisted.
  3. Commitment to another cause: In cases such as Manning's, their action is often dictated by their belief in ideals and values far different from their commitment toward their job. Such employees act in accordance with their values and have the desire to express their beliefs. Again, leaders need to pay attention to these details. Manning was seeking a change in the government, and he acted accordingly, risking his job.

Kirkpatrick also recommends adopting a comprehensive, team-based security policy. Establish a culture where it is OK for employees to go to their supervisors and say, "Can you tell me what so and so is downloading during lunch hour behind closed doors?"

The policy needs to accommodate a proper reporting structure for employees to openly discuss these issues. Another key element is a supportive culture, which helps employees understand that by raising red flags, they are not harming their friend's career, necessarily, but instead helping the organization.

Equally important is training leaders in ethics and interpersonal communication, focused on areas such as rapport building, ability to hold discussions with team members and emotional intelligence, which enhances a leader's capacity to relate to employees and understand human behavior.

What is your experience in these matters? How should information security leaders be prepared to spot these grey areas and prevent breaches that cost their organizations - or even their careers?



About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.



