hen is the last time you threw a party?
Imagine putting together a small party for ten people. You worked hard to make the event successful. You invite people into your house -- where you keep your prized possessions. The things you find valuable.
The day before the party you learn that six of the attendees will take something home with them. Yes, it's theft. You can't cancel the party.
What do you do?
Seem unlikely? Mike Tierney explains what happens at work all the time with this analogy. Except instead of your home and personal property, they take from the company. Not just the pens (and perhaps a red swingline stapler).
They are stealing company secrets and valuable information.
What can we do?
I talked with Mike Tierney (LinkedIn, @mikejtierney) the COO of Veriato Inc. about some strategies for security leaders to better handle the risk. As with our last conversation (read it here), he didn't disappoint. Not only is he fun to talk with, but he offered three concrete steps you can take today to prepare for tomorrow.
Step 1: meet with legal to translate agreements into plain language
We have policies, agreements, and contracts that govern the bulk of our employment. Most (strive for all) employees and contractors sign agreements when they start working. These agreements cover expectations about the ownership and protection of information.
These agreements are your first line of defense.
If you don't understand the agreement, chances are other people won't either. The first step -- provided these agreements exist -- is to ensure a plain language version.
Work with your legal team to incorporate the plain language into what exists today. As a tip, you can usually just append the translation using the phrase, "for the avoidance of doubt." This is an opportunity to partner for the mutual benefit of protecting the company.
When it's ready (and tested), explain the policies and agreements to people. Use the plain language to ensure mutual understanding. Make it part of the onboarding process. Then review it with them again when they leave the company.
Mike explained that "while these are simple steps, many organizations struggle to execute them well. An easy-to-understand document makes it clear how serious the company is. And makes it easier for employees to comply."
Step 2: visit with human resources to get instant notification of departures
When people leave, you need to know RIGHT AWAY. The conversation is simple. The process is elusive for many.
Start by including HR in the assessment of positional risk during the hiring process. Mike explained how in A reality check for security leaders on insider risk. It involves using a simple scale to communicate priority and action.
Sign up for CIO Asia eNewsletters.