Here is a quick one on INSIDER THREAT. Deep down, we all know that nobody cares about the insider threat. Well, not literally “nobody”; few organizations do care about their insider threats [and, yes, those who genuinely care tend to care a whole lot, granted].
Now, many say they do care (a great example), but, frankly, I don’t think they spend money on it, hence their actions scream “WE DON’T CARE!” while their words whisper “eh…we …eh…care…maybe!” Off the cuff, we may get 50 malware calls for every 1 insider threat call, based on my purely unscientific impression of available data. Meanwhile, one may argue that insider threat is more about process than tools and so the spend is less visible, to which I say: try building a robust, mature process without spending lots of money – or time.
On the other hand, many organizations today are starting to care about the threats that are already inside (malware, attackers who hacked in, etc.). Funnily, some security vendors market “insider threat solutions” to those people – thus creating hilarity (like “sandboxing to catch insider threat” or “top exploits used by insiders”…huh?).
To reduce this confusion, maybe we can think about this like so:
- THREATS INSIDE – drive spending on UBA / UEBA, traffic analysis (NTA), SIEM, deception, lots of other tools, etc. A BIG DEAL!
- INSIDER THREAT – drive almost no spending (as per our research, <10% of security budget). For a small number of organizations, this is a big deal too. For most others, this is a “meh!” issue.
Blog posts related to this research:
- Our “Understanding Insider Threats” Paper Publishes
- Insider Threat: Does It Matter Now? And How Much?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.