Don’t Let the Pace of Business Interrupt Your Continuity of Operations
So you’ve built a baseline set of policies and procedures supporting your Insider Threat Program, and hopefully by this point you realize this will be an ongoing process. For a significant period of time, these will be living documents, with a number of changes as your company rides through the chaos of change and begins smoothing out a day-to-day Operations Tempo (OP TEMPO). You will need to revisit those policies and procedures at least annually to ensure they are current and in compliance with your company’s direction and vision. It’s easy, however, to become distracted by the pace of growth through success, and that distraction results in one of the most common weaknesses in any organization’s compliance with its industry standards. All too often, when asked for the “Policies and Procedures Binder”, the Office Operations Manager searches the lowest level of a bookshelf only to pull out a dusty P&P Binder that hasn’t been updated since either the company’s operations were formalized or the audit process it went through while seeking compliance.
Why Do I Need a COOP or BCP?
There are a lot of things and events that can derail a company’s forward momentum. A Continuity of Operations Plan (COOP), otherwise referred to as a Business Continuity Plan (BCP) in most private sector industries, can help you maintain your focus and protect your critical assets in times of crisis. The aim is to sustain your operations and business focus despite distractions, critical anomalies and unintended events that might otherwise set you back. Your COOP/BCP serves as your playbook, delineating how you should respond to certain situations, who is on the incident response teams, what type of training they’ll need, validation that they’ve received it, and records of the tabletop exercises those teams have executed in walking through training scenarios for potential incidents.
Building a Team to Exercise & Execute the COOP
Building, training and executing tabletop exercises with Incident Response Teams can take on an entire life of its own within a company. Depending on the company’s size and industry engagements, it’s important to balance the level of need and to walk through a methodical decision-making process with your leadership team and/or board of directors to determine the level of effort and manpower you are able to carve out. You need to ensure your Intellectual Property (IP) is protected. The bottom line is to ensure you have a firm understanding of the level of impact to your organization’s success if “X” were to be compromised, lost, stolen, etc., where “X” represents your “Crown Jewels”.
Building a COOP Team is truly a team effort and is not a task for one person in your company to execute. There needs to be a C-Suite emphasis on the effort, involving everyone in the company, with team leaders representing every facet of the organization. There is a lot of information out there to use as reference. The challenge lies in determining which of it fits your specific company.
Insider Threat Program Building Stones
The COOP and Policies and Procedures become the Building Stones for your Insider Threat Program. If you don’t know what to protect, you don’t know how to protect it. If you don’t know the risk or the threats, you don’t know from what you are supposed to protect your “Crown Jewels.”
From the baseline, we need to begin considering additional resources that will assist us in better understanding our operational norms. There are a lot of human nature interactions that can be applied, as well as counseling, management training and, most importantly, hardware and software solutions that can provide tremendous assistance to the entire process, since we, as humans, have a limited amount of capacity and in most cases can only focus on a very narrow landscape. Next, we need to begin looking at those solutions that will deliver an unexpected amount of value to organizations that might not have considered them otherwise. Not to mention, depending on your corporate engagements, you might fall under directives requiring you to stand up an Insider Threat Program within your organization.