As a young boy, Frank Figliuzzi had a sense of right and wrong, good and bad. He was so interested in criminal justice that at the age of 11, he wrote a letter to the head of the Federal Bureau of Investigation (FBI) asking for advice on a career in the field. He received a handwritten response and was so inspired that more than a decade later, he would pursue a life-long career in criminal justice and security.

Retired from the FBI, Figliuzzi previously served as Assistant Director for Counterintelligence and spent 25 years as a Special Agent. He held senior FBI leadership positions in major American cities and was appointed the FBI’s Chief Inspector by then-Director Robert Mueller to oversee sensitive internal inquiries, shooting reviews and performance audits. Following his FBI career, Figliuzzi became a corporate security executive for a Fortune 10 company and led global investigations, insider threat, workplace violence prevention, and special event security for 300,000 employees in 180 countries. He now works as a respected National Security Analyst, appearing weekly on live television for NBC and MSNBC news.

Figliuzzi recently published a book drawing on his distinguished career, titled THE FBI WAY: Inside the Bureau’s Code of Excellence. In the book, he discusses everything from training new recruits, to creating a code of excellence, to maintaining standards as a security leader. One of the major points of the book is what Figliuzzi calls “The Seven C’s”: Code, Conservancy, Clarity, Consequences, Compassion, Credibility and Consistency. These demonstrate how business and security leaders can create a code of conduct and solicit performance within the organization that matches their core values.

While an explicit code of conduct is important for any team or organization, a critical step in maintaining such a code is ensuring that the team you have put in place shares those same values and won’t work against them. This is easier said than done, of course, and becomes all the more complicated when the subject of insider threat is broached. Figliuzzi says insider threat is the biggest threat, aside from foreign adversaries, facing enterprise security leaders, their organizations, the U.S. and nations around the world.

The insider threat is an unpleasant topic and one where business and security leaders must admit that some people pose a greater threat to an organization than others, depending on their rank, their role, and their access, Figliuzzi says.

“Detecting bad actors within ranks is complicated for a number of reasons,” he says. “First, it involves a very holistic approach. By that, I mean the answer is not entirely a security answer; it’s a human resource issue, an IT challenge, a labor and employment law challenge, a challenge within the engineering and research functions of a company, a sales function, a supply-chain problem. It requires all hands on deck.”

 

Frank Figliuzzi
Photograph by Steven Meckler/Courtesy of Figliuzzi

 

Figliuzzi says that mitigating the risk requires security leaders to focus on the what, where and who.

  • What are you protecting?
  • Where is the element(s) you are protecting?
  • Who has access?

The what is the essential element(s) of the enterprise that would put the entire organization at risk if it were to be compromised. “It’s fascinating how few security professionals truly understand what merits the most protection within their organization in regards to an existential threat to the company,” he says.

Once you’ve established the what, leadership needs to determine where that all-important element resides within the organization. Is it in a specific folder on the cloud? Is it data that researchers, scientists and engineers around the world have access to? Is it a specific plant or office location that houses trade secrets or critical equipment?

Lastly, the question of who may be particularly uncomfortable for a corporate environment, Figliuzzi says, as leaders need to admit that some people may be more valuable within an organization, or alternatively, pose a greater threat than others.

“It’s a tough question in a multi-faceted, massive global corporation, but the organization must deeply understand what the crown jewels of the organization are and which people are more essential than others. Not letting it walk out the door must be the focus,” he says. “This can be politically incorrect for a company to indicate that some people are more essential, but it’s the people within an organization that hold the keys to the kingdom and those people have to be your partners in security.”

But when it comes to insider threats, identifying the who may be easier than the delicate dance that must follow: keeping watch on those all-essential figures while simultaneously welcoming them into the fold of the security team. It’s imperative that an organization makes those critical employees a part of the team, a part of the security of the entire enterprise, while also closely watching and monitoring them in the event something goes awry.

“Show them the intelligence that shows their job, their research or the data they have access to could be targeted by adversaries and competitors. Tell them how important they are. But at the same time, they need to be monitored because, if they go south, if they lose their laptop or have a drinking problem or depressor in their life, you have to be alongside them and you better be paying attention,” he says.