Here’s a six-minute highlight reel of the CISO Series Video Chat “Hacking Insider Risk: An hour of critical thinking on the unnecessary corporate risk introduced by non-malicious employee behavior”.

Our guests for this discussion were:


HUGE thanks to our sponsor Code42

Best Bad Ideas

Congrats to Kira Wojack, marketing consultant for winning this week’s Best Bad Idea

Other honorable mentions go to:

“Throw insider risk suspects into the ocean. If they drown, they were innocent. If they survive, they were innocent and it all worked out.” – Chase Pettet, lead product security architect, Mirantis

“Do extensive background checks on everyone except the executives.” – Ian Poynter, virtual CISO, Kalahari Security

“Modify Microsoft’s We Share Your Pain (WSYP) program to provide electrical shocks or pin jabs to punish users whenever they send protected data to 3rd parties.” – Andrew Aken, zero trust lead technical architect, Twitter

“All insider risk suspicions are guilty until proven innocent.” – Chase Pettet, lead product security architect, Mirantis

Best quotes from the chatroom

“Companies want their employees to work all the time, but they also don’t want them to lose data, which leads to conflicts of company vs. personal equipment, and whether it’s OK to monitor personal equipment.” – Ian Poynter, virtual CISO, Kalahari Security

“Now that so many people are WFH during the pandemic, a lot of companies assume there’s no such thing as personal equipment… or personal time.” – Kira Wojack, marketing consultant

“I could take either side of this long form debate. Training is invaluable and key to battling insider risk -OR- training is incomplete and never sufficient to fight those risks.” – John Prokap, leader, IT security & compliance, Success Academy Charter Schools

“Privacy aside, if you make people feel like they’re not trusted and their company views them as a risk, they’ll sometimes start looking for workarounds, even for security practices that are actually justified. Police states aren’t exactly a fun company culture.” – Kira Wojack, marketing consultant

“Board communication for non-malicious threats is focusing on the impact of the ‘action’ and mitigation, and not the intent.” – Eli Migdal, CEO, Boardish

“Amazing how insider risk and external risk are starting to converge. First the perimeter disappeared, and now with contractors/gig economy and cloud and SaaS, the line between employee and external activity is getting harder to delineate. Makes it hard for tech to keep up.” – Bryan William Solari, regional sales manager, west, AppOmni