Gaining Stakeholder and Employee Support for Your Insider Risk Program
How to build trust with your employees and stakeholders through training, empathy, and effective communication
What’s in a name?
We have all heard, been involved in, or led conversations regarding what to name our insider threat program. The industry standard has always been “Insider Threat,” yet many in the corporate setting find this term too harsh. The typical conversation goes like this, “Is using the word threat too accusatory? Should we use risk instead? Should we use the word trust in our name? Are we being too soft if we don’t call it a threat?” In short, we are searching for that magic program name that avoids making employees feel targeted or untrusted. In the end, every company is different, and you must decide what name your culture will accept. My experience has been to settle on the word “risk” because it projects the message that a risk exists, and we must mitigate that risk. Mitigating the risk is, after all, the entire point of the program. However, I would advocate that the best avenue for you to win the acceptance and cooperation of stakeholders and employees is less about the name of your program and more about how you present it, especially in your primary venue of presenting to employees — your employee awareness campaign.
I am sharing with you what has worked for me. Every company is different, and I am certain many of you have succeeded in different ways. This is intended to be used with full consideration of the culture in which you operate. That said, how do we best use employee awareness training to gain the trust and support of our employees?
Maximize your best asset — employees
I think we all agree awareness training is a critical part of every insider risk program. It is an opportunity to educate employees regarding the risk, modify risky behaviors, increase reporting, and “brand” our program. Ultimately, awareness training is an avenue to make insider risk part of our company culture. By way of example, privacy programs strive to achieve “Privacy by Design” — meaning employees take privacy into consideration in all things they do. I would advocate that the goal of our insider risk program is no different. Success = “Insider Risk by Design.” To attain a culture of Insider Risk by Design you must gain the support of your employee population and stakeholders (who are, of course, also employees). It has been my experience that our employee awareness campaign is the most effective avenue to attain this.
As we all know, employee awareness is a huge topic deserving of much more time than a single post — it is a continually evolving component of any insider risk program and requires constant evaluation, nurturing and growth. For the sake of time and space, this post will focus on a common employee awareness pitfall that can hinder or even cripple an insider risk program.
The fine line
The fine line between causing your employees to feel targeted or untrusted vs. understanding they are a critical part of the insider risk program, cannot be understated. Feelings of being targeted or untrusted will hinder employee reporting, if not eliminate it altogether. This could eventually be the undoing of everything you have worked to achieve. In contrast, making employees understand they are a critical part of your program will organically lead to increased reporting and yield the greatest support for the program. Clearly, we all desire the second result.
So how can you avoid the pitfall of your valued employees feeling targeted? What has worked well for me is to leverage human behavior experience, both my own and that of my team members. If you were in intelligence, law enforcement, education, social services, or other related fields, you have likely developed exceptional people skills. Maybe you have cultivated human sources, interviewed victims, witnesses, patients, suspects, or maybe you have led a troubled teen through a crisis? Maybe, you were a teacher specializing in educating troubled students? I am a big believer in diversity of experience to reach full team potential — these experiences tend to build strong communication and team building skills which can be leveraged in your employee awareness campaign.
What has always worked for me is using empathy. I put myself in someone else’s shoes and find common ground to reach a desired goal. It does not matter if you are conducting a suspect interview, negotiating a vehicle purchase, or educating your employee base how to help you mitigate insider risk — leveraging empathy helps you achieve consensus. Consensus in employee awareness translates to acceptance of the mission, acceptance of the existence of the risk, and willingness to act as a team to mitigate the risk. So, how is this applied to employee awareness training?
Leverage your empathy
I suggest taking this simple step: Before presenting or implementing a training segment ask yourself, “How would this presentation make me feel?” Don’t just rely on your own opinion — seek out teammates, stakeholders, and peers. Ask them, “Would this training make you feel like a trusted part of our program, or would it make you feel untrusted and targeted…and why?” Many stakeholders, especially your HR partners, will have great insight into historical and cultural issues that may impact how employees will receive your message. If you have contacts in specific business units, ask their opinion — let them weigh in on things like length of training, presentation style, or sensitive issues you may not have considered.
Do your homework and use the information you collect to shape your training. Imagine the benefit when peers in HR and the business units speak up and say, “Oh yes, good training, we helped produce it, I highly recommend taking it.” As opposed to, “I have no idea what that is, I suspect just another security training to waste our time.” I have experienced the positive effect of respected employees, business leaders, and HR professionals promoting the value of the services the insider risk team provides. Trust me, it will immediately boost your program’s success.
Tell employees why they are important
When creating your employee awareness training, drive home the point that you depend upon and value each of them as part of your team and that their personal effort is needed to help you protect their hard work. This is where empathy comes in, using statements like:
- “We see the value of your hard work and as fellow employees understand your work is critical to the organization, and that OUR employment depends on that hard work.”
- “The goal of our program is to ensure the safe keeping of your work and to keep it out of the hands of those who would use it to undermine our success.”
- “For us to be effective, we need your expertise — nobody knows your work like you do and nobody knows the daily operation of the business like you do.”
- “We can educate you regarding the risk to our people, property and information, but without your insight and the benefit of what you see and do each day, our ability to be successful is limited.”
- “We are counting on you to help us understand what to protect, what areas of risk to focus on, to educate us regarding events and actions that put your work or employees at risk,”
- “We know our company goes to great lengths to hire good people, but even good people make bad decisions when under stress. Our goal is to prevent those employees who find themselves in that situation from damaging their career or our organization. If we work together, we can ensure our peers make good choices.”
I think you get the point. While the delivery method and wording may change from company to company and industry to industry, the idea remains — use empathy and your team building skills to earn your employee’s cooperation, to gain their trust and assistance to mitigate risk. It is imperative rather than feeling targeted, they come away from your training feeling like part of the insider risk mission. If you succeed, you will see increased reporting, referrals, and service offering requests. The employees you train will be a force multiplier that feel empowered to correct unsafe behavior, educate peers, and report suspicious activity. This results in a reduction of unintentional insider activity which will allow you to focus your valuable resources on more serious matters. Contrast this with presenting training that comes off like a compliance program. For example, phrases like “you must not,” “it is against policy to,” or “if you do this, your employment can be terminated.” Nobody leaves this type of training feeling like part of the team. Poorly planned or poorly delivered training often results in complaints to the very stakeholders and business leaders whose support you are seeking.
Think about it like this: Your Insider Risk Program is effectively a business of its own, you are selling a service. If your customers (in this case stakeholders and employees), believe in and support your service, they will buy it. If your customers don’t believe in your service (or worse yet think it runs counter to their interest) they won’t buy it and your business will fail.
Finally, it is imperative you seek out feedback on all aspects of your program — specifically your employee awareness training. Continual evaluation, modernization, and change is a must. Fit your training to the business unit. Sales teams for example are typically under pressure to make their numbers. The last thing they want is a long training session during which they are not selling. I have found that multiple 3–5-minute training clips are more effective than a single annual 30-minute training session. If you are a global company, be sure your training is global in nature, available in multiple languages and considerate of every culture and region. Take your time, plan, get it right, and you will see the benefit.
If you made it this far, thank you for reading to the end. I hope this was of value and wish you luck on your journey to achieve “Insider Risk by Design.”
About Tim Kirkham
Tim Kirkham leads Dell’s global security investigation strategy pursuing over 6,000 investigations annually in the areas of fraud, insider risk, workplace violence, harassment, theft, privacy, economic espionage, and data protection. Tim also developed and is responsible for Dell’s industry-leading Insider Risk Management program designed to protect Dell’s people, property, and competitive advantage including trade secrets, intellectual property, and confidential information.
