Tips for Building an Insider Threat Response Dream Team

When insider threat incidents strike, who do you usually involve? How do you form a dream team to respond to an incident as seamlessly as possible?

According to the 2018 SIFMA Benchmarking Survey, 35% of organizations place their insider threat program primarily in the Information Security branch. The survey also reveals that many other functions participate, including Legal (81%), Compliance (73%), Privacy (70%), and Human Resources (81%).

Having these various roles work cohesively is a challenge. Too often, individual units will respond to suspicious behavior, and keep the results and information siloed. For example, Human Resources teams often deal with employee confrontations through further monitoring or other dispute resolution techniques.  However, the HR team may not know that the same employee at the root of the confrontation is also engaging in suspicious activity on (or outside of) corporate networks, which be a primary indicator of an insider threat.

So after an insider threat incident occurs, how do you bring together a cross-functional team to deal with the issue? Below, we’ll walk through what an ideal team might look like, and how you might assemble this dynamic group.

If you want to dig into this topic further, download our new guide, How to Respond to an Insider Threat Incident: A Simulation.

The Ideal Cross-Functional Response-Team

The best cross-functional response teams include a well-rounded group of stakeholders from all key areas of the organization. Your group should provide a diverse set of perspectives related to the incident. The stakeholders should cover all legal and compliance concerns, as well as communication strategy related to employees, customers, and potential outreach to the media.

Here's an overview of who security teams should gather in the event of an insider threat investigation, and each team member’s potential responsibilities:

1. CEO: The CEO is the final decision-maker throughout the threat response process. This role applies most for breaches with malicious intent that would result in an employee termination, or an incident that impacted customers and would require a customer, board, or press statement.
2. Human Resources: Human Resources owns internal communications and the recourse plan for the responsible employee.
3. Legal (General Counsel or Outside Counsel): Legal helps other stakeholders understand legal requirements following the breach, making decisions about whether to involve law enforcement or file a suit.
4. Compliance: Compliance identifies when and how to notify external partners and customers, following compliance requirements’ specifications (e.g. GDPR or HIPAA).
5. Risk: The Risk Lead evaluates risk based on information breached and exposure of current systems.
6. Communications: Communications owns the public response for media and external audiences.
7. Customer Service: The Customer Service Lead owns how customers are notified of the breach, sharing instructions for securing their data and alleviating any concerns.

Bringing Together the Team

Now that we know the team that should be in place, often, a cross-functional meeting takes place in the event of an insider threat incident to determine the course of action.

In this meeting, teams can discuss the incident, as well as the necessary next steps. To have these meetings run effectively in the event of an incident, it’s important to create a baseline of how these teams should come together in the first place.

• In most cases, have security run point.  
  Cybersecurity teams are often on the front lines of identifying an insider threat issue. They are leading investigation, containment, and remediation from a technical perspective, so they have the most critical facts for the group to drive decision-making.In many cases, a CISO or senior leader on the team can serve as “quarterback” in an incident. In cases where HR is notified of an employee-related issue, they can immediately loop in the CISO to see if there’s merit as a potential insider threat.

• Establish a strong system of governance.
  It’s important to have a coordination, communication, and documentation process in place before an active insider threat investigation takes place. According to Deloitte, governance frames the way you organize your response team. It ensures program coordination across functional areas, documentation of all policies, procedures, and incidents, and clear communication roles, responsibilities, and protocols. Governance aligns response strategy with goals and provides processes for cross-functional collaboration.

• Practice with a simulated incident.
  Once your processes are in place, you’ll have a strong idea of how each person should be responding in the event of an incident.Running an incident response simulation or tabletop exercise can help your cybersecurity team identify potential areas of improvement in your processes, or potential gaps where employees may require further training.

For more information on how to build your cross-functional team, assign responsibilities, and what this all looks like in a real incident response scenario, check out our latest guide — How to Respond to an Insider Threat Incident: A Simulation.