Q & A
We’ve collected some common questions about our strategy and services and provided brief answers below. We encourage you to visit our website, give us a call, or schedule a no-obligation scoping session where we can drill down on your particular risk management concerns.
- What is the difference between insider threat and insider risk?

An insider threat is an identified threat actor who is in a position to harm your corporation. Risk is the degree of harm to a given asset and is represented by a combination of asset impact, vulnerability, and threat. Therefore, insider risk is the level of harm that an insider can cause to corporate assets, based on an examination of the insider’s access, the controls on the asset, and the harm that would result if the asset were compromised.

- Should the Insider Risk Program fall under the CISO or CSO?

An Insider Risk Program is by definition a cross-functional program requiring collaboration among multiple business units. While each corporate structure is unique, in our experience the CSO is in the best position to facilitate the required collaboration. The CSO can more efficiently integrate the program components with the assistance of the CISO and other functional leaders.

- What is the difference between a Baseline Assessment and a Risk Assessment?

The purpose of the Baseline Assessment is to understand the current insider risk management operating capabilities. Its focus is on the ten functional components of the ecosystem. By contrast, the purpose of the Risk Assessment is to understand the risk levels of specific asset groups (i.e., how likely they are to be compromised). Its focus is on identified assets and an insider’s ability to take advantage of asset vulnerabilities to effect a compromise.

- What are the delivery options for insider threat training?

We offer three delivery options, and each can be tailored to your unique corporate needs and requirements. The first option is delivered via ITMG’s web-based learning management platform. The second option is to tailor the training for your corporate LMS. The third option is to deliver the training live and in person. We hold regular training sessions throughout the country and can also deliver at your corporate offices.

- My company has a CISO and CSO, why do I need to create an Insider Risk Program?

An Insider Risk Program requires formal integration and collaboration of multiple functions, including not only the CISO and CSO but also HR, Legal, Privacy, Risk, and the business units. A formal program establishes the necessary collaboration and removes the stovepipes that inhibit effective insider risk management.

- What makes someone an insider threat expert?

Expertise is a process and something that is earned through experience, not learned in a classroom. At ITMG, our domain experts have a minimum of 15 years of real-world insider risk management experience, and many have more than two decades. Insider threat expertise also requires experience across multiple domains: network security, personnel security, employee management, investigations, and legal.