The enterprise information security industry has long discussed the need to refocus InfoSec spending from threat prevention toward rapid detection and response capabilities, but enterprises may need to further rebalance threat prevention spending based on the origin point of the most dangerous threats.
Randy Trzeciak, director of the Software Engineering Institute's CERT Program at Carnegie Mellon University, said insider threats are by their very nature "low base-rate" events, meaning their frequency is far less than that of external threats. However, that doesn't mean the risk can be ignored.
"If a successful insider attempt occurs, the effects can be very large [and] very detrimental to the organization," Trzeciak said. "So many times, I would assume, in our opinion, the security spending is based on the frequency of the events, the number of attempts, rather than the impact to the organization."
In this interview, conducted at the 2014 RSA Conference, Trzeciak makes the case for investing more in insider threat prevention. He also discusses why corporate managers represent an especially high insider threat risk, and the preventive controls necessary to limit that risk.
Later, Trzeciak discusses why building a successful insider threat detection program demands careful integration with a broad set of business groups beyond information security. Finally, he admits that the work of preventing insider threat incidents is far from glamorous, but that it can go a long way toward averting a damaging security incident.