How does an IT security company ensure its own employees don’t pose a risk? With insider threats on the rise in companies, close collaboration between HR and info-security departments is key, according to Forcepoint CHRO Kristin Leary.
It would not be the best brand advertisement if an employee at an IT security company caused a breach that exposed employees’ or customers’ data, or launched a crippling virus on its systems.
Employees and security
That’s why security is not just part of the product set at US software company Forcepoint, but also central to its employee culture. “We always have to consider: is this person trying to get into a high tech role to do damage to our customers or employee base? All of our managers get detailed training on what to look out for,” says Kristin Leary, the company’s chief HR officer (CHRO).
This starts from the very beginning of the employee cycle, she adds. “When we’re looking to bring people into the business, we look at their career trajectory. Have they been with their former company for years or have they jumped around a lot? There may be a reason for this, but you dig into this through questions.”
Managers are coached, for example, in how to work questions about potential risks into recruitment interviews.
Leary says: “It means interviewers need to go beyond the cheap and cheerful – applying a security lens to what they ask, but doing so in a way that makes [the candidate] feel comfortable and respects their privacy. It also pays to look at what they ask you – if they’re obsessive about whether they’ll be monitored, or the websites they can use, it’s maybe time to pause.”
Once they join the company, employees are encouraged to air any suspicions about colleagues’ behaviour, even if these turn out to have no foundation.
“So if we receive troubling or irregular data from a co-worker, we let them know how to report it in a safe, non-judgemental manner,” she adds. “For example, if someone notices that their colleague’s email exchanges have become more agitated, we encourage them to share their concerns rather than think ‘well that’s just them’.”
Workers can do this through a number of channels, either via HR, anonymously, or by speaking to the company’s chief information security officer (CISO), with whom HR works closely. “It’s about creating an open culture, not one where people are fearful of their employer. It may just be there’s something we can help with in their personal or professional life, rather than something harmful,” says Leary.
Forcepoint uses its own technology to monitor potential risks but is open with employees about how it does this, she adds: “We let them know what we look out for so it’s transparent – we’re not trying to stop someone having a look at the Black Friday sales – but reassure them we are trying to keep them and our customers safe.”
Last year Forcepoint acquired RedOwl Analytics, a security platform that shows up any anomalous interactions or access points from employees across the systems and devices they use. This means the company can now better predict risk as well as deal with it, “scoring” employees on the likelihood they might cause a security breach.
“It looks at patterns of behaviour, websites they visit, the language they use in emails. Combining data sources together can be really powerful in terms of predictability,” Leary says. “We’re also working with our chief scientist to look at what data really helps to build a story on a person, and how we can gather this while protecting people’s privacy too. Some data can muddy that picture, so you don’t want to gather too much.”
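The kind of scoring described in the two paragraphs above, where several sources of activity data are combined into a per-employee risk figure, can be illustrated with a small user-behaviour baseline. The following is an added example and not Forcepoint’s or RedOwl’s code; the event records, the five-day baseline window, the after-hours definition, the feature weights and the review threshold are all assumptions chosen for the illustration. In keeping with the data-minimisation point Leary raises, the records hold only metadata (who, when, which system, how much), never email text or file contents, and the output is a ranked list for a human reviewer rather than an automatic verdict.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


# Constructed sample telemetry (hypothetical, not real Forcepoint/RedOwl data): one record per
# access event, keeping only metadata; message bodies and file contents are never collected.
@dataclass(frozen=True)
class Event:
    user: str
    day: int        # days 1..5 form the baseline window, day 6 is the day being scored
    hour: int       # local hour of day, 0..23
    resource: str   # system or data store touched
    bytes_out: int  # bytes transferred out of that resource


EVENTS = [
    # alice: steady daytime use of the same two systems every day
    *[Event("alice", d, 9, "crm", 100) for d in range(1, 7)],
    *[Event("alice", d, 14, "wiki", b) for d, b in zip(range(1, 7), (100, 120, 80, 100, 100, 100))],
    # bob: an ordinary baseline, then a very different day 6
    *[Event("bob", d, 10, "repo", 100) for d in range(1, 6)],
    *[Event("bob", d, 15, "wiki", 50) for d in range(1, 6)],
    Event("bob", 6, 10, "wiki", 100),
    Event("bob", 6, 23, "repo", 5000),
    Event("bob", 6, 23, "fileshare", 20000),
    Event("bob", 6, 2, "customer-db", 50000),
]

BASELINE_DAYS = range(1, 6)   # assumed baseline window
SCORED_DAY = 6
Z_CAP = 5.0                   # assumed cap so a zero-variance baseline cannot give an infinite score
WEIGHTS = {"volume_z": 1.0, "after_hours": 1.5, "new_resources": 2.0}  # assumed feature weights
ALERT_THRESHOLD = 5.0         # assumed threshold above which a person is queued for review


def is_after_hours(hour: int) -> bool:
    """Assumed working day: anything before 07:00 or from 20:00 counts as after hours."""
    return hour < 7 or hour >= 20


def features(events, user):
    """Compare the scored day against the user's own baseline, combining three signals."""
    mine = [e for e in events if e.user == user]
    base = [e for e in mine if e.day in BASELINE_DAYS]
    today = [e for e in mine if e.day == SCORED_DAY]

    # Signal 1: outbound volume relative to the user's usual daily total (z-score, excess only)
    daily = defaultdict(int)
    for e in base:
        daily[e.day] += e.bytes_out
    totals = [daily[d] for d in BASELINE_DAYS]
    mu, sigma = mean(totals), pstdev(totals)
    today_total = sum(e.bytes_out for e in today)
    if sigma > 0:
        z = (today_total - mu) / sigma
    else:
        z = 0.0 if today_total <= mu else Z_CAP
    z = max(0.0, min(z, Z_CAP))

    # Signal 2: how many of today's events fall outside working hours
    # Signal 3: systems touched today that never appeared in the baseline
    seen = {e.resource for e in base}
    return {
        "volume_z": z,
        "after_hours": sum(1 for e in today if is_after_hours(e.hour)),
        "new_resources": len({e.resource for e in today} - seen),
    }


def risk_score(events, user) -> float:
    """Weighted combination of the individual signals into one figure."""
    f = features(events, user)
    return sum(WEIGHTS[k] * f[k] for k in WEIGHTS)


def triage(events):
    """Users whose combined score crosses the threshold, highest first, for human follow-up."""
    users = sorted({e.user for e in events})
    scored = [(u, risk_score(events, u)) for u in users]
    return sorted([(u, s) for u, s in scored if s >= ALERT_THRESHOLD], key=lambda x: -x[1])


if __name__ == "__main__":
    for u in sorted({e.user for e in EVENTS}):
        print(u, features(EVENTS, u), round(risk_score(EVENTS, u), 2))
    print("for review:", triage(EVENTS))
```

Each signal on its own is weak: working late is normal for some people, and a new system may simply be a new project. Combining them per person, against that person’s own history, is what gives the score meaning, and the result is still only a prompt for a conversation with HR or the CISO, which is the role the article describes for this data.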
Growth and risk
One of the challenges for HR at Forcepoint is that, as a growing company, it wants to foster entrepreneurialism but at the same time mitigate risk. “You want to innovate but you don’t want to encourage reckless behaviour, and serial entrepreneurs jump around so fast. What have they done with data as they’ve moved around other businesses? Have they posed a risk? If the only thing you have as a business is your data, it takes just one rogue employee and you’re screwed.”
A central part of maintaining its open culture is working closely with IT, legal and security teams. “I don’t know many CHROs who have this level of collaboration, but you need it for an effective cybersecurity programme,” says Leary. Different perspectives on employee activity can help to build the right response, she adds.
With insider threats becoming one of the biggest risks posed to businesses, Forcepoint’s collaborative approach to keeping its employees, customers and data safe seems to be a successful one.