What is the Best Org Structure for Insider Risk Management?

When we started using our Incydr product internally, as more of a beta, we had the SecOps team managing it because they were already watching alerts on all our other security tools. Then we built out our Insider Risk Management (IRM) team, and our tool has continued to evolve. So it only made sense that the IRM team own the tool that watches for data moving outside of our trusted network.

While building our IRM team, we benchmarked with companies of all sizes on whether they were also building IRM teams and, if so, under which org. There was one clear commonality: there isn’t one right place for an IRM team to reside within a corporation.

A few years ago, it wasn’t a given that a company would have an IRM team. Now, more and more enterprises have found IRM to be a critical data security function and are building out that defense. We learned through our benchmarking that this is a growing trend and that teams have chosen a variety of ways to stand up their programs. Most critically, the program needs to fit within the pre-existing ecosystem of the business. IRM is not just a security function; HR and legal teams are also heavily invested in activity that could be deemed illegal or unethical. And while most data exfiltration is caused by human error, such as employees not understanding that the code they created, or the customer base they built, belongs to the company and is not theirs to take, there are certainly instances where mischievous data theft occurs.

Through our benchmarking here’s where we learned IRM teams are being stood up: 

  • Detection and monitoring in the SOC
  • Forensics, Security Investigations
  • Cross-functionally with legal and HR as key stakeholders
  • Cyber Security Risk teams 
  • In collaboration with or within the Physical Security Team
  • In Cyberfusion Centers with a dotted line to the COO or Legal 

Clearly there is not one right answer, just the solution that fits your current business ecosystem. One CISO we spoke with had seen several of the above options deployed and noted that all of them worked! For those of us who have been in security for a number of years, we know nothing stays static for long. Even if IRM is set up on one team, it could certainly change in the not-so-distant future.

So a heads-up to security tool vendors: in order to be successful, you’ll need to build solutions that:

  • can be run without dependency on other tools,
  • and are built with user-friendly dashboards so any team can manage them.

When we first built Incydr, it was producing alerts that were best managed through a SIEM or SOAR tool, and so it was a nice fit on the SecOps team. But luckily that has changed – our user-friendly dashboard is self-contained and a stand-alone product, or a SIEM/SOAR technology can be integrated via an open API. This provides flexibility for any team to watch for data that could be (read: likely is) slipping through your fingers right this very moment.

Flexibility and ease of use in all our security tools will allow security and IRM teams to perform at their best and in a way that builds collaboration with our stakeholders across the organization. 

I’ll take my hat off to that!