Words have power – in particular, your choice of words modifies how your readers or listeners react to what you write or say. Politicians do this sort of thing all the time, swapping one word or phrase for another to promote their own version of a narrative or boost their audience’s prejudices. Sometimes the ‘loaded word’ or phrase is obvious, other times it is more subtle.
And of course we do it in business as well, as I was reminded this week at InfoSec in London. It was while speaking with Chris Bush of ObserveIT, one of several companies at the show offering to help safeguard against ‘insider threats’. Until recently this was more of a niche term, used mainly among specialists. It describes all the things users might get wrong, including accidents, careless behaviour and so on.
However, it is increasingly being used openly now, and with a focus on the malicious subset of activity that lawyers and others know as ‘employee malfeasance’. Purely as a phrase, it is accurate – there are threats, and some come via insiders. But how does using the term ‘insider threats’ modify your assumptions about, and attitudes to, your colleagues?
You say one thing, what will others hear?
Words don’t come much more laden than ‘threat’. It’s a great one to use if you want to impress your CSO and other board members with the importance of data access controls, compliance and activity monitoring, cybersecurity training and so on. But what does it do to employee morale to know you’re a threat, rather than an asset? How does it affect the trust relationship that needs to exist in an organisation?
Of course, most of us welcome technology that brings reassurance and helps us avoid the errors that are the vast bulk of the traditional ‘insider threat’. None of us wants to be the one who inadvertently shared a secret directory, deleted a key database or emailed a confidential file to the wrong person. Safeguarding software will spend most of its time helping prevent things like this.
Chris added that within the ObserveIT toolkit there are also features to reassure staff about their privacy. For instance, the usage and auditing data is anonymised by default, and what is collected is metadata rather than the actual content. That’s a good start* but as we went on to discuss, what’s really needed is a more holistic approach.
Security is people, people are security
That’s because once we get onto ‘malicious insiders’ we’re verging into human resources and business psychology territory. As Chris noted, one of the major differences between insiders and outsiders is the variety of motivations at work. Whether it’s someone who was sacked, passed over for promotion, denied a pay rise or whatever, attacking your IT systems is just one way for a ‘wronged’ staffer to get revenge.
This matters because it means that mitigating the risk is at least as much a business management issue as it is an information security one. If someone’s in trouble, whether it’s stress, workplace bullying or other problems, the best fix will be to intervene and help them early. Similarly, if an insider incident does happen, HR needs to be involved in the investigation, in picking up the pieces, and in working to prevent it happening again.
So first, words matter – let’s stop talking about people as threats and start talking about their activity (this is classic psychology – criticise the behaviour, not the person). And second, if you’re in either IT security or HR, what are you doing to build bridges? Let me know please in the comments below.
*From the perspective of intelligence-gathering, threat detection and forensics, the metadata is actually far more useful and valuable than the content. However, for most of what insiders communicate, collecting only the metadata is likely to be a lot less intrusive than capturing the content itself.