ARLIS IRiSS Event Summary
22 July 2021: Insider risk, human resources, and workforce supply chain challenges
This summary was cleared for open publication September 8, 2021 by the Department of Defense Office of Prepublication and Security Review.
In this event, ARLIS featured three guest speakers: Charles Phalen, Heather McMahon, and Kevin Lawrence (speaker titles and bios appear on the IRiSS website event description). They responded to a series of moderator questions they received in advance, along with real-time questions posed by the event attendees. This summary is a high-level overview of responses to those questions. A list of the question themes follows the summary to help illuminate the interests of the attending community. To shorten the summary and to distinguish the speakers' responses from those of attendees, contributing conversation from the ZoomGov attendee chat is omitted.
A successful Insider Risk program does not operate in a vacuum; it accounts for the whole workforce lifespan, from hiring to separation. This becomes increasingly apparent during periods of hiring and continuous vetting. Such processes benefit from deliberative, proactive, collaborative engagement between HR, legal, security, employee relations, and other relevant departments and stakeholders. This engagement should have buy-in from top leadership, and it helps develop an organizational culture of security and reduce workforce alienation.
Insider Risk, hiring, vetting, and other workforce processes should adapt to account for social and technological changes. Collaborative planning and being intentional, for example by recognizing the need for increased diversity, can offset the difficulties of adapting. Obtaining useful information for hiring and continuous vetting remains a major challenge, and that challenge is social rather than technical, despite access to potentially large amounts of information such as online activity; AI/ML may, however, offer solutions for sorting that information. Many opportunities remain at the nexus of the workforce supply chain and Insider Risk, and they can be leveraged through collaborative planning, early intervention, and intentionally improving trust within the organizational culture.
Being successful with insider risk in hiring and vetting within our workforce supply chain is like the rest of an insider risk program. It poses the same challenges: proving a negative, proving risk elimination, and minimizing false positives. Understand that risk is to be managed, and accept that eventually something will happen. A successful insider risk program requires leadership and governance buy-in across organizational structures. Collaboration and trust open pathways to reduce risk and reduce workforce alienation. Framing the work as Insider Risk and risk management, rather than as Insider Threat and finding the people doing bad things, is one step toward reducing that alienation. Together, develop an executable, periodically reviewed plan to mitigate a spectrum of risks and build capacity for change. Include scope evaluation, relevant sources and sensors, and regular clearance reviews, and have a plan to deal with risk problems when they arise. A successful program manages risk as a word problem, not a math problem, and carries through the whole lifespan of the workplace from hiring to separation.
Our current systems for insider risk in hiring and vetting are at a crossroads that affects how well we manage risk. Soviet recruitment of US personnel forms the basis for our current system and the 13 adjudicative guidelines. However, the risks have changed; society, culture, and technology have all changed. We know these changes happen, but adjusting our established systems is difficult and takes a long time, particularly because of high risk aversion, the pace of current demands, and an increasing scope. The 13 adjudicative guidelines still offer good parameters for vetting processes and for identifying the information needed, but the system is cumbersome. Obtaining indicators of carelessness or negligence, which can decay over time, remains a serious challenge during investigations. The issue is social, not technical. Other people may be hesitant to share, and single-source intelligence is insufficient. Information from outside the workplace and outside recorded spaces is even more challenging to obtain. We must incorporate other information. Yet one challenge is how we include such information, like social media or recommendations, given the potential for inaccuracy, bias, and misinterpretation. The size and scope of additional information further complicates finding what is helpful without drowning in data. On the upside, people don't join organizations to betray trust; trust decays over time. Places like ARLIS are important in helping us think differently about measuring and processing such changes in more effective ways, and about increasing trust within the workforce to do what is right in increasingly complex situations.
Opportunities exist for greater communication and other improvements between hiring managers, personnel vetting, and counter insider threat/risk people. These professionals have difficulty talking to each other and working together, in part because many have different perceptions of their responsibilities and authorities. Current interactions here also differ greatly by sector. Private companies may not have access to information available to government, such as arrest records, which changes how investigations occur. Internal coalitions across company departments (HR, legal, security, employee relations, etc.) can help close information gaps, discuss vulnerabilities, and address hesitancy about information sharing. Recurring group discussions build relationships to review hiring process observations, share struggles, and develop frameworks to improve vetting and Insider Threat/Risk management programs. These groups should include key personnel from different departments for continuity, collaborative sustainability, and access. The DoD struggles with these efforts: feedback loops are not always effective, communication is largely limited by cultures of program authority, and screening knowledge is limited by training scope, as with military recruiters. Overall, there is a need for more preventative, proactive communication.
Not hiring individuals, whether as an active choice or as a result of poor screening functions, is a workforce challenge. Vetting and other processing time is very important to avoid losing candidates along the way. Screening modernizations make the hiring process simpler and faster, allowing for more diverse perspectives and engaging individuals with unique backgrounds and skillsets. This diversity further improves understanding of individual risk and feeds back to continually improve background screening and attract more diverse candidates. We must think differently and deliberatively to set new hiring paths and processes. For example, a Harvard study found that non-violent felons with waivers to join the Army on average performed better than their counterparts on measures such as medals and promotions. Yet there remain situations where hiring individuals with criminal convictions can lead to losing certain contracts.
Hiring large groups of people in short periods of time presents its own challenges. The ability to make large hires is a function of company resources. Smaller companies may use other companies' contractors, thus relying on others to do the vetting. This can be offset by establishing supply chain risk management working groups, with an Insider Risk liaison, to vet companies with contractors and help those companies with vetting processes, create internal NDAs, and establish a security incident vendors model. Regardless of company size and resources, do not cut corners in the vetting process, even with large hiring needs. The corner cutting in Washington, DC police hiring in the 1980s, which saw many bad cops hired, serves as an example.
Avoid looking for "ah ha" reflection moments as silver bullets for what HR could do differently with more education from an Insider Risk team. Instead, rely on early intervention, incident reporting, and organizational memory to help find and fix an issue before something bad happens. Don't dismiss individual behaviors out of hand, and instill a culture of not being a bystander. Build trust within the whole organization to help reduce perceptions of Big Brother. Use collaborative hiring groups to overcome cross-group knowledge gaps, such as HR often lacking knowledge of cleared vs. uncleared personnel needs.
Many recent studies show that Insider Risk events are caused by non-malicious employees. More training is not always the solution. Find approaches that identify those employee populations. Keep people aware of what mistakes look like, as negligence remains the largest issue. Use advances in technology and revamp antiquated systems so that such mistakes and carelessness are not as damaging to organizations.
The line between adequate due diligence and overly suspicious or intrusive vetting and monitoring of potential and current employees may be seen differently depending on the organization's culture of security. Moving increasingly toward Insider Trust could affect which security actions are conducted and how those actions are perceived. What counts as "overly" here depends on the individual and the need. The more we can clear false positives and reduce white noise, while expanding our net for relevant data that we can sort into useful information, the better we can narrow in on behavior and indicators. AI/ML can help with this.
Moderator question themes
- Being successful
- HR + PV + CI communications
- Challenges with not hiring
- Large or rapid hiring
Attendee question themes
- Ah ha moments and education
- Non-malicious activity
- MOEs for initial & continuous vetting
- Line between adequacy & overreach