Strategy to protect the client’s most sensitive assets from insider risk
We developed and delivered a tailored strategy for managing insider risk. For the first time, the company has a well-defined framework for insider risk management, featuring what may be the gold standard in people, process, and technology controls across multiple business functions, along with cross-functional governance.
Client challenge
After sensitive company data was lost during a large workforce reduction, the company’s leadership realized that its ability to successfully protect critical assets was limited and tactical, primarily focused on an IT-related detection capability. The board of directors recommended developing an organization-wide strategy to manage insider risk for its most sensitive corporate data. When internal efforts to develop a strategy proved too slow, the company turned to outside advisors for help.
Key KPMG initiatives
Unlike other firms that were asked to provide insight into this challenge, KPMG took a rare and altogether different approach. We convened biweekly calls designed to listen to the client rather than to pitch or propose: answering a variety of questions from multiple stakeholders, providing experience-based insights tied to the client’s “trusted workforce” core value, and demonstrating that we had the right people with specific insider risk management experience. At the end of 60 days of relationship-building interaction, we were asked to lead the project, without an RFP.
After three months of fieldwork, KPMG recommended an insider risk management strategy that tapped participation from multiple business functions needed to effectively drive down insider risk quickly. Also included was a three-year execution roadmap to guide continual improvement while controlling spend.
Once approved by the board, KPMG was asked to help execute the first year’s strategy activities, which focused on establishing a cross-stakeholder governance council, working with senior leadership to identify and agree upon the company’s most critical assets, and developing specific insider risk scenarios and the recommended prevention, detection, and mitigation controls.
Subsequently, KPMG was asked to help the client with the day-to-day operation of its evolving insider risk management program.
Business impact
Today, the company has a strategy that recognizes that insider risk management is not just an IT issue. It is a multi-stakeholder challenge, requiring board oversight and participation from senior leaders across multiple business functions, along with cross-functional controls and governance.
Importantly, the new strategy helps reinforce a key corporate value: to have the most trusted workforce in the world, supporting the company’s goal to become the most trusted brand.
The automotive manufacturer now agrees on its most important sensitive data, having gained cross-stakeholder buy-in to reduce its critical data types from 500 to fewer than 10.
With our guidance, the company developed three categories of insider threat training, tiered by employee access to sensitive data, to reinforce the importance of managing critical assets.
In addition, by providing design input for a proprietary tool to improve detection of insider threats, we helped the company reduce the false positive rate by two-thirds.
Why KPMG?
Innovation in risk management
We deliver a gold-standard strategy for managing insider risk, based on published standards, leading best practices, and the experiences of KPMG professionals, all integrated into a single, executable framework to meet boardroom expectations.
A range of subject matter professionals for specific client needs
Our team includes deeply experienced cyber security professionals as well as complementary specialists. For example, we bring in organizational psychologists to conduct HR transformation, attorneys who focus on privacy laws and regulations, and professionals with law enforcement and intelligence-community backgrounds to advise the corporate security function.
In addition to delivering a strategy and roadmap, we also develop client-specific scenarios and prevention, detection, and mitigation controls to drive home the immediate impact of insider threats.