November 13, 2024
Balancing Privacy and Protection: Building an Effective Insider Risk Program
In this episode
Mike Smith explores the intricate balance between safeguarding personal privacy and ensuring robust security measures within organizations. His discussion with Fred covers the strategies for developing an effective insider risk program that both anticipates threats and respects individual rights. Through expert insights and real-world examples, you’ll gain a comprehensive understanding of how to navigate this delicate yet crucial terrain.
0:00
Fred:
Hello, welcome to Ontic’s Connected Intelligence Podcast. I’m Fred Burton, Ontic’s Executive Director of Protective Intelligence. This podcast offers valuable insights and practical advice to help you navigate the complexities of modern corporate security, shared by leaders and innovators in the field. Now, on to the discussion. Hi, I’m Fred Burton here today with Mike Smith. Mike is the Chief Security Officer at Arcfield. Mike has over 20 years of experience in corporate security, risk management and executive protection. He has worked with Fortune 500 companies and high-profile individuals to develop and implement comprehensive security programs. Mike is passionate about safeguarding people and assets through innovative strategies and technology-driven solutions. Mike, welcome to the Ontic Connected Intelligence Podcast.
Mike Smith:
Thanks, Fred. I tell you, it’s a true pleasure to be here and just engage in some dialogue with you on some of these areas that you and I hold near and dear.
Fred:
Well, it’s our honor. Can you tell us a little bit about your background and what led you to be the chief security officer at Arcfield?
Mike Smith:
Sure, Fred. Like so many in my position across industry and the government, I started out a long time ago, 35 years ago. I just began in law enforcement and security and then evolved into national security support, and I have been focusing on that for a little better than 35 years now. I started out as a police officer in local law enforcement when I got out of college, and I had some opportunities to flourish in that first opportunity, and that led me into my next stage and chapter, which helped me focus on the national security side of what we do now. Specifically, I joined the Secret Service 26 years ago. I had an opportunity, an off-the-cuff opportunity, that brought me into a new way of life and a new perspective on kind of where my focus was going as a professional and what I could do to give back. Through the Secret Service, I had a great opportunity just to work with a collective group of men and women that are truly the most talented I ever had the pleasure of working with. Not only within the agency, but with the collaboration with what that agency shares across the world. So I’m sure you and I may have had some theater time once upon an area overseas, knowing your background as well. So that led me through; most of it started in executive protection with that agency. I did a couple stints in presidential assignments. I had the great pleasure and honor of serving on two different presidential protective details, working that inner security for two different administrations. Did that for a number of years. After about 14, 15 years into it, it took me into our headquarters, where I had an opportunity to get in our security management division and lead some significant discipline programs there. And that really kind of accelerated my understanding and my focus in security management. Obviously, as a special agent, as an official for the government, I handled and managed classified national security information on a regular basis.
But understanding the depth that it takes to make those disciplines that support classified national security work, it’s just a phenomenal opportunity. So I spent a few years learning the ins and outs of that process from administrative security, physical security, personnel security, compliance management, and of course industrial security, which was a great segue into my last career. A few years shots there, and then it took me back into executive protection, and then some promotions brought me up through the senior leadership of the agency and through the SES status that allowed me to retire as the special agent in charge over the agency’s Office of Protective Operations. So that was just a great opportunity, but also a welcome checkmark in my final position in the agency. In that role, I had oversight in support of our 33 permanent protective details, the physical security requirements, supporting them from an operational standpoint, staffing, equipment, the White House complex, the National Observatory, a number of private residences and national special security events. It was just a great culmination of seeing security facets from every point and genre. That allowed me to retire. So in retirement, like many leaving government, I still wasn’t done yet. I wanted to find an opportunity in the industry where I can continue to give back and expand and support the mission in ways that I could, hence the opening door to Arcfield.
Fred:
Yeah, that’s an amazing career, Mike, and I’m sure our paths have crossed. I go back from my time in D.C. to 1981, so getting in the business there. Out of curiosity, which presidents were you on the protective detail for?
Mike Smith:
I came on during the Clinton-Gore era and served from a remote standpoint on one of the field offices for about five years. And then I transitioned to President Bush’s detail, 43, George Bush. And I spent several years with him and his family and then transitioned into President Obama. I had a great opportunity to support President Obama and his family as well for several years and then jaunted out into the security management of headquarters and dipped back in where I helped oversee the then Vice President Joe Biden. Spent three years with him and the second lady and their immediate family members, and then that transitioned into Vice President Mike Pence for an opportunity to lead, help support leading his detail for several years, and then went back into a headquarters and management position again.
6:28
Fred:
That’s awesome. Let’s talk about Arcfield. What prompted you to develop an insider risk program and how has that threat landscape evolved in recent years?
Mike Smith:
But I tell you that the timing was real fortunate for me stepping into industry. It was a great learning education, as so many of us had transitioned from a government landscape into an industry landscape. And at the time that I stepped in, Arcfield was brand new. It was a divestiture of a larger parent company. And there was no back office. So they were building a team from scratch. The divestiture, Arcfield, spun up with a number of programs that have been supporting the US government for 60 years. So it’s a rich history of supporting our national security and defense efforts for decades. The anomaly in my scenario is at the time that I was onboarding, we had no C-suite, we had no leadership, we had no HR, no security program. We had just some phenomenally talented folks that supported some very critical missions for our government. And so we hit the ground running. The CEO started to build his team immediately for Arcfield. And then from there, we had the pleasure of being able to lean on the parent company that divested us on an exiting process. And they helped hold the wall for a short period to give us some time to build everything we needed. And so when we talk about insider threat, Arcfield’s primary missions, we support the space defense missions, the hypersonics, cybersecurity, warfighter readiness, and of course, space exploration. So we, as a parent company, we’re 100% national security supportive. We hit those critical missions and provide very unique capabilities to our customers in the government. So as you and so many of our colleagues across the security realm know, the NISPOM, the National Industrial Security Program Operating Manual, when we refer to NISPOM, that’s got the requirement with any classified contractual support to make sure that not only do you stand up, but that you maintain a robust insider threat program.
And we follow the guidance of the NITTF, of course, the National Insider Threat Task Force, that starts to set those building blocks and parameters that we need to be building. And I’ll tell you, there’s no better opportunity for a chief security officer to come into an environment when you have the ability to landscape and just shape it essentially itself. So the key is, as in any business or any program area, is finding the right key players, the leaders that can help support you or that you can otherwise help support through that journey of building a company. So finding the right security directors, the ones with years of experience, subject matter expertise, I’m proud to say I had the opportunity just to build a phenomenal team. And with that, we huddled with our partners across other functional areas and slowly but surely built just a mature security program that not only matched but exceeded what our company and the programs experienced in legacy companies before.
Fred:
Yeah, that’s amazing. And, you know, it’s rare in this space to be able to start something from the ground up and to put your thumbprint on it. You know, I get a lot of opportunities here at the company to talk to many, many different chief security officers and protective intelligence analysts and so forth. So that’s awesome.
Mike Smith:
Well, I tell you, it doesn’t come, it’s not as softly and graceful as I made it sound. We are there in a lot of sleepless nights because the mission’s got to go on and we’ve got to be able to support it. As we know, it’s a 24-7 mission, but we are fortunate, so thank you, Fred, for that.
10:33
Fred:
Yeah, and certainly we’re living in a very dynamic threat landscape, no short of world problems, Mike, as you and I well know. Mike, in looking at an insider threat program, we’ll have a lot of folks that are looking to start these programs. Some may not have robust programs. Others are wanting to get there. One of the issues that always surfaces in discussions, whether it be employee meetings or whatever, is how do you balance employee privacy with the need to monitor for potential insider risks?
Mike Smith:
As you begin to build these programs, we know security can’t go it alone. So having those cross-functional relationships is just key in any security program. So having that ability to lean across the table with your partners in a business. And one of those, when we start talking about leveraging privacy information and data and PII in an insider risk program, how do we, especially as administrative accessors of that in security, right? So we get the behind-the-scenes look on a number of areas that help support, and you just gotta know when to pull those strings. So having that relationship in insider risk, and I would say specifically with my counterparts in our legal division, it’s a fine balance. When we start having indicators, or if we start seeing trends, or if we’re focusing on a specific individual or threat toward a vulnerability mitigation, of course, we manage that through security, but we don’t go it alone. Our insider risk program is built on collaboration, and I would tell you one of the other fortunate positions that I have as the CSO of Arcfield is I also have the great honor of serving as an executive vice president for the company. So having that seat at the C-suite table and having the buy-in of the CEO and the other C-suite folks, we make sure that we’re looking at and we’re handling it for the business decisions and safeguarding that protective information as we start to develop our insider risk cases or investigations or even awareness or analysis.
Fred:
Yeah, that’s tremendous, especially with the ability to have the seat at the table, which, as we know in this business, can be challenging for some.
13:40
Fred:
Mike, what role does technology play in detecting insider threats? I’m old enough to remember the days when we kept data on three-by-five index cards and you had to pull actual photographs and photocopy BOLOs and run around and pass them around to protective details, which I’m sure you don’t remember.
Mike Smith:
Not at all. I was waiting for somebody to hand me some sheet of paper. My Nextel wasn’t bringing that across the wires. It would sure have gotten me. Great walk through memory lane there. But I would tell you from a technology standpoint at Arcfield, just like most, we manage both from an internal and external perspective. Internally, part of the concept that we use, and I know a number of my colleagues, and I know you’ve evaluated and have the ability to see into a number of companies yourself in your professional journey. I’m also very fortunate to have cybersecurity aligned under me as the chief security officer.
Fred:
That’s awesome.
Mike Smith:
Yeah, and I tell you the checks and balance really benefits the business, certainly enhances my ability to have a technological lever in security and insider threat. So it holds not only our CIO’s team in checks and balance, but it also allows the CIO to hold a cybersecurity team in checks and balance. So I tell you it’s a relationship that really is something that is vital to the success of our program. The CIO and the CISO work daily. They are partners in our journey. They’re partners to make sure the business is protected, but also the customer and the national security efforts that we support are protected. And we have some subsidiaries under Arcfield as well, organizations that have unique requirements that have some commercial elements. So being able to support all of that to ensure that the enterprise itself, when you have different entities under one parent org, it’s not susceptible to threats or vulnerabilities. It starts with having that cybersecurity under the CSO’s purview, and really an advisership, I should say. Sometimes I wonder if the CISO is under my purview or if I’m under hers, but it’s important because she really is a key element in Arcfield. But just as all of our cyber teams, when I look at the technology that our CISO brings to the plate, it’s partnered and it runs in symmetry with our IT technology that we use to support the business. So technology is a key effort there from a cyber standpoint. From an insider risk standpoint, our director of risk has the autonomy to select the tools from an external standpoint that we need to bring in as well. So internally, when I rely on the CISO to be that key silo of information and capability for me, they have the ability to set the UAM, to set control accesses, and work, again, in concert with the CIO and their team on how users access, manage, transfer, store information from a technological standpoint.
And then from our Director of Risk Management under our security team, that role is positioned to go outside, and we can’t do it alone, right? Nobody can in business. Security is a collaboration by all means. And we know security is a high-impact supporter to the business, but it’s not the single element to that. We count on our external resources. We bring it in as technological tools. And we know you have to have redundancy in security. And that’s so well known in our positions, in our areas. Counting on a single point of failure is not a secure posture by any means. So having those layers. We count on those as well, from OSINT monitoring to collecting and managing metrics and capabilities that help drive or help us pivot where we need to go next to meet the dynamic threat that’s constantly knocking at our door and everyone’s door, whether you’re in commercial or government or industrial security. It doesn’t stop there. When I look at that other technological support, if we’re finding a gap or a need, and we don’t have a commercial partner, then I start going to that collaborative approach across the industry. Painting the CSOs that I have a great fortune to work with day in and day out in other companies. We share information, changes and vulnerabilities, or we share needs to figure out who’s having success with what capability. And that becomes an ecosystem of advisory that we’re so readily dependent on, from a technological standpoint.
18:33
Fred:
Mike, you said something, and it’s actually a great segue. You know, our business today is so metrics- and KPI-driven. What are some of the metrics that you use to evaluate the success of your insider risk program?
Mike Smith:
It’s twofold, directly from the insider risk. When I start looking at the protective intelligence side of things, and we know that’s an umbrella term, that means so many things from that standpoint. So having a resource, a commercial partner that has the ability to provide you real-time data, real-time metrics, and a dashboard that is user-friendly, comprehensive, and has the ability to not only analyze data and information, but to also display it. So we count on those commercial elements to provide us that protective intelligence side of the data. And we talked about AI, I can talk about that, and the lighting in the room, so I apologize for the lighting adjustment.
Fred:
No worries.
Mike Smith:
But the metrics from that risk management, most of what we do is the utilization of a capability tool in the dashboard. And then we find a way to bring that into our strategy decision. And then from the cyber perspective, we tie those two things together, because they’re so synonymous in so many ways. We rely on a SOC, a cyber SOC, that produces those same levels of access. It can bring in the internal metrics that we look for that are not OSINT, but internally managed, whether it’s through a corporate network, whether it’s through user access management, or if it’s actually from external access management. So we’re relying on that. And then I think the third pillar that’s important to mention would be the physical security metric. Have an ability to measure your physical security controls, accesses of employees, guests, visitors, not only how they’re accessing your physical securities, but those areas that are most critical or prominent to your line of business. It’s good to have the ability to manage those metrics, the working hours of folks. Look for those irregularities and then find some sort of an AI capability within that technological resource to bring it with efficiency to your attention. Long ago, we looked at those hand measurings of data sheets and reports and toggles that would come in from access control. Now it’s real-time information. It’s a delivery to speed that helps us make the critical decisions before we start to see patterns of vulnerabilities develop.
21:06
Fred:
Yeah, that’s tremendous. Now, Mike, I don’t want to put you on the spot, but we ask all of our guests on our podcast this question. So what does the term connected intelligence mean to you?
Mike Smith:
Well, you and I have had a dialogue where we know our time in our respective positions and our roles. And when I think about connected intelligence, I think about a combination of a lot of things. And as we’re in today’s time, it surely has taken on a different meaning. When we looked at OSINT so heavily in the past, in the early stages of my career it was HUMINT. HUMINT was just the most reliable and just the first thought of how can we develop this information? But it took time. It took resources of going through checks and balances. HUMINT is still a critical role today. Don’t, you know, don’t mistake my point here, but I saw the balance and time and adjustment where HUMINT was a heavy source earlier in national security and intelligence gathering, with a reliance on either an OSINT capability or a technological resource, but they are all independently siloed in different areas. And now in today’s time, we’re seeing that OSINT is starting to move leaps in balance across the range to where we’re coming in to today’s time. And that efficiency, whether it’s through AI, whether it’s through digital transformation, whether it’s through digital analysis, when I start thinking of connected intelligence, it goes back to another ecosystem. I mentioned an internal ecosystem, but now I start thinking about connected intelligence. And it’s bringing in all these different areas and providing the analysis process just a great many more opportunities to use sources of information as they’re coming into this environment. So when I think connected, it’s not a single point of source of information. It’s not a longstanding. I can jump onto a dashboard or capability that we possess. We count on great partnerships out there in a commercial environment, and they start bringing in levels of information that we can’t manage ourselves. We’re so reliant on so many different resources, information, and that’s what I would say helps form a process of connected intelligence.
Fred:
Well, that’s wonderful, Mike. I really want to thank you for taking the time to be on the Ontic Connected Intelligence Podcast.
Mike Smith:
It’s a pleasure to spend time with you and to talk about the areas that are passionate to us. So thanks so much for having us on the podcast today.
What you’ll learn
01. Key strategies for balancing privacy concerns with security needs
02. The components that make an insider risk program effective
03. How to implement ethical practices that protect both the organization and its individuals
More about our guest
As Chief Security Officer of Arcfield, Mike Smith oversees all aspects of security, including personnel security, physical security, information systems security, and program security. Mike and his team also ensure compliance with security regulations and provide education and awareness programs. Mike has over 20 years of experience in corporate security, risk management, and executive protection. He has worked with Fortune 500 companies and high-profile individuals to develop and implement comprehensive security programs. Mike is passionate about safeguarding people and assets through innovative strategies and technology-driven solutions.