Blog
/
Insider Threat

What I learned about insider threat from Doug Thomas of Lockheed Martin

Content
John Dillard
Published
September 16, 2020

Every month ThreatSwitch hosts a webinar on a topic of interest to the security and compliance community. Thousands of security leaders and practitioners have attended these webinars, but not everyone has an hour to spare. That's why we'll be sharing our CEO's lessons-learned each month right here on the ThreatSwitch blog.

If you want to learn about counterintelligence for industry, you'd be hard pressed to find a better webinar guest than Doug Thomas. Doug is the Director of Counterintelligence and Corporate Investigations for Lockheed Martin. His wide-ranging career makes him one of the most influential counterintelligence and insider threat practitioners in the country. Below are the 3 lessons I learned from my conversation with Doug.


Thomas Webinar - Mobile-png

1. Insider threat organization and governance is critical

You might have heard of Lockheed Martin; they are a pretty big company. You would expect that their insider threat organization would be robust and well-organized, and it is. However, Doug drove the point home that middle market companies can and must be connected to leadership and establish clear functional accountability and communication to work. That means:

  • Centralized commitment and leadership with decentralized execution
  • Structure that drives coordination across cyber, security, human resources, ethics, legal, and communications
  • Oversight that connects to the corporate board, internal audit, risk & compliance, and regulatory requirements

Our adversaries know this, which makes it even more important that mid-sized companies organize and operate their insider threat program effectively.

2. Insider threat is broader and deeper than you think it is

When many of us think about insider threat, we think about NISPOM change 2. Or maybe we think about behavioral analysis on our corporate network. Or maybe we think about foreign travel and contacts. These -- and many other angles -- are all correct but individually insufficient. Insider threat isn't just an IT problem or a security problem -- it's an interdisciplinary focus that demands communication and coordination from everyone. That includes:

  • Planning - building buy-in from leadership, benchmarking peer companies, and understanding the many stakeholders to an insider threat program
  • Development - selection of the right tools, understanding risk indicators, identifying assets (physical and conceptual), and identifying the many data sets where that information is stored
  • Implementation - Ingesting that data into tools, messaging to employees, and managing incidents
  • Governance - coordinating departments, conducting oversight, measuring progress, and red teaming the program

3. Communication and trust drive participation

Throughout Doug's talk, he came back to a critical, often-missed perspective: without transparency and trust, insider threat programs won't work. Employees that don't trust the program won't participate. Departments that aren't bought in will ignore it. Insider threat is about people. Introducing your program to employees properly, and providing absolute transparency in how you are conducting your program ethically, is of utmost importance.

If you missed Doug's webinar you can always head to our resources page to view the recording, along with many other great speakers and tools to help you succeed.

ThreatSwitch puts employees at the center of your security and insider threat program.
Schedule a demo to find out just how different we are.

SCHEDULE A DEMO

Full Transcript:

John Dillard

OK, good morning. Oh excuse me good afternoon everyone. Thanks for joining the next in Threat switches series on insider Threat. We are delighted to be talking about 11 lessons from Lockheed Martin's Insider threat program and to help us talk about that. We have the director counterintelligence operations incorporated investigations at Lockheed Martin and Doug Thomas, who I am delighted to have on the call I'm John Dillard. I'm the founder and CEO. Threatswitch and for those of you who don't know us, we are a company that provides software to help companies manage compliance with things like insider threats CMMC and NISPOM And help you reduce the cost of doing it. So before we get started I just want to go through a few administrative things. First and foremost, really happy to everybody here. We have a phenomenal turn out which is not surprising given Doug's expertise. If you'd like to ask questions at any point during the webinar, please use the Q&A feature.

Uh, in the web and our tools you'll should see at the bottom of your screen and if you put those in will be sure to get to them. If we can't answer him during the webinar, will be sure to try to get back with you after we have a lot of ground to cover so we will do our best to get every single question answer. As a reminder, this web and R is being recorded.

Or recording in the copy of the slides will be shared with you and will be made available via our website. So if you know a friend who couldn't make it, don't worry. There will be slides, an recording to pass along with that. I would love to introduce and fast things shortly to Doug Thomas a little bit about it Doug. I got the opportunity to meet Doug Fairly recently, although.

We have a common connection. The Insider Threat Subcommittee on in. So which I'm also on an. As I mentioned, Doug is counterintelligence operations in corporate investigations director at Lockheed Martin. Prior to that, he was the principal deputy Director of Counterintelligence, spent 25 years with the Air Force as a special agent. So he's been around many sides of this issue. He established and shared.

The group that I mentioned in says Insider Threat subcommittee. He's on the Board of directors for the International Association of the Chief Police and it as if that were not enough. Doug was fairly recently, 2018 honored with the first ever Lifetime Achievement Award for Counterintelligence by the Director of National Intelligence, so.

Doug has been at the center of counterintelligence conversations at the highest level of US government. For sometime. He knows his stuff an I AM for one. I'm extremely excited to hear about how he's worked in Lockheed's program and what we can take away from their program for industry. So with that I would love to hand things over to Doug please take it away Also, what you want tells.

Doug Thomas

Hey great thank you John, I appreciate it.

So what I'm going to do today is I'm going to talk a little bit about a way to stand up and execute a program. It's not the way, but it's a way. So how I approach this problem set an the way the slides are patterned if you will, is I given a lot of presentations over the last 6 seven years on this topic.

And the way they slider setup is, it's really answering those questions that have been posed over the last six or seven years for us. Just know one size does not fit all size, certainly influences the program the company support and culture. But programs are scalable, so this.

Presentation I think.

Impacts or can be used by small, medium and large companies.

Before I start, I remember giving presentations while at the DNI, right around the time where.

All 73 federal agencies more mandated to stand up an insider threat detection program. And I remember the comments at the time and that was.

Is this the flavor of the day?

And what I'm here to say is, no, we're trying to mitigate an ugly trend trend that just keeps on going. So you Fast forward it today. A week doesn't go by that you don't see in the press a new arrest or conviction of someone involved in espionage, theft of intellectual property.

OK, so let me start the presentation on this slide.

You can see the way my office is set up is we have a counter talents program and investigations program, general investigations. And really what I want to dwell on today is the insider threat, but this program? It's kind of talents. It's insider. Threat detection is due diligence to the supply chain.

It's taken care of the Chief Technology Officer on the General investigation side, it's.

Typical investigations fraud assault stuff like that. The reason why these 2 are in the same office. If you will is there's a fair amount of synergy between an insider threat program and of course, kind of tell us but insider threat program as well as general investigations and I'll go into that in a little bit more.

If you go to the next line, please Christian.

So no time spent on this chart whatsoever. This just depicts our organizational structure, where it's a centralized mission for sure, but decentralized execution. Our corporate headquarters, which is why I said, sets the tone with the priorities. But the collaborative effort with the business area leads and the Computer Incident Response team.

Is a constant.

So just to level set to make sure we're all staying on the same sheet of music. This is the definition we use in Lockheed Martin. Where did we come up with this? Well, about three years after I retired from the government, director Clapper asked us not like in Martin, but the inside Insider Threat Subcommittee to look at the definition of insider threat.

Because the one that was in the executive order was pretty myopic. It was about people with clearances and classified information, and we know that that problem set is way beyond classified information. People with clearances. So we came up with this definition and we socialize it with you. SDI and we socialize it with the CSA and DNI and the FBI.

And they all liked it. It hasn't been changed in the executive order yet, although I have seen it in the NDAA word for word. What this definition does is it expands the definition to include sensitive information so that that could be intellectual property. But it also includes workplace violence on the scale of a Nadal Hassan or an Aaron Alexis.

And why is that? Well, this is all about access. This is people who have access to information, facilities, networks, people, resources. They are an insider. When they have that kind of access. And if you think about it, every company does some form of due diligence before they let somebody have these accesses.

Well, once you give them access there and inside, they're not an insider threat, but they have access, so that's why we change this definition the way we did.

So I like this chart. I mean this is the one that a lot of people have asked me a lot of questions about over the years and that's why we built this chart the way we did. This basically walks you through our journey. This single chart answers the vast majority of questions I've received over the years regarding the stand up and the execution of the program.

Um, I'll tell you. Standing up a program is not the long pole in the tent. There's some things that you gotta hurdles. You gotta jump over, of course, but that's not the hardest part. There's a vast amount of data out there that speaks to what a program should look like to me. The long poles in the tent are senior leadership. Buy in.

Securing access to the data you need to have an effective program execution of the mission with that. It's also about hiring the right people, so I get asked a fair amount of.

Times you know well, where did you find your staff and a lot of people don't like my answer, so I don't. I hope this doesn't upset anybody, but if you're gonna have a robust and effective program, you probably need to hire people who are skilled and experienced and trained.

In Canon Towns, an insider threat detection well there is no solid training.

Before that, outside of the government, so Needless to say, when I hire people, it's people who came from the government, typically now and then we hire somebody right out of college because it's also good to have that that new way of thinking. But we put them underneath the wing of somebody who's got.

A lot of experience, so going left to right the first column.

Uh, selling the leadership so that that was interesting, because when I came to Lockheed Martin, they didn't have a kind of intense program or insider threat detection program. So as me getting in front of the leadership, talking to them about their shifting threat landscape and what I meant by that was. So when I was in the government I had access. I had phenomenal accesses to me. Double Asian operation.

Congressman Investigation offensive operation in the in the entire community and what I saw was a shift from nation states away from their 100% dwelling on trying to penetrate CIA or FBI or State Department or DoD or DoD. And it was a shift.

Towards now, focusing just as much on penetrating corporate America, couple reasons for that one. corporate America is a soft target compared to the federal government.

Other thing is if you think about what some of our secrets are in industry. I mean it helps you pad your economic woes. OK, because we're if you steal our intellectual property or our research and development data, it might give you a jump start relative to.

Taking the next generation widget to market. Alright, so there was a couple of reasons why they shifted. Plus I mean government is a kind of a hard target. Although I say that the government is never not been penetrated in the in the entire time. The IC Intelligence Committee has been, uh, alive and well. It's always been penetrated, so but it is a harder target than industry.

So we did some pure benchmarking because I knew we wanted to stand up a program and there at that time there were 13 companies that advertise that they had insider threat detection tools. So my staff and I went to visit those 13 companies and what we found was none of them had what we needed. All of them had what I thought were pretty good. Data loss prevention tools.

But none of them had what we need, and at the end of the day, what we needed was something that looked at the human behavior and in digital behavior. So we end up delaying a robust program because we had to build the programs, build a tool in House, which I is the last thing I wanted to do.

On the 3rd part down there, identify stakeholders. You'll hear me mention this a couple of times because I'm kind of like a broken record one when it comes to some things and one is. This is a team sport, so knowing that we were asked to write a concept of operations of what is this program and what isn't this program and one of the things we did is we identified the right people within legal privacy, HR.

Communications ethics an information security to come up with a concept of operations that was legally sign in regulatory sound that describe what the functions actually are and what we aren't going to do with it. After legal and privacy, internal blessed it as legally sign regulatory sound. We took it outside counsel.

So they could take a look at the conops to say Yep, or an agreement this thing solid.

The other thing that we did is we had like I said we had communications on there and they helped us greatly with a communications plan and I'll get into that a little bit. You move over to the second column development. So like I said, we knew we had to build our own tool. Why do why do we need it too? Well at that time we were 140,000 people.

So you're not gonna have an office large enough to have a robust and effective program if you don't leverage technology. So that's why we had to go get money. Beg for money if you will to build a tool. Next thing we did is we established what we call a potential risk indicators. Some people call them red flags or triggers.

Once we identified our potential risk indicators, then we made a subjective decision of how we would wait those Pris next thing we had to do is OK. Where is this data in the company? OK, it's amazing how much data companies and government agencies collect on their employees and it just sits there OK?

It's built, it's in desperate databases that never talk to each other, but the data is probably already in your company somewhere, so we had to identify where that data was, who the data owners were, and then we had to convince them why it was in everybody's best interest to work with us.

On developing this program and I can tell you right now it didn't. It didn't start off all that well. Quite frankly, it's a crawl walk, run approach, but eventually we got to everything we wanted. The other thing that we did is we identified our companies critical assets are critical personnel who work on those critical assets. There is a little bit of pain along with that, quite frankly.

Because when you ask the question about Chief Technology Officer, what are critical assets you know you're gonna get a laundry list? That's about 1000 things on there. If you're a company this size and quite frankly you don't have the bandwidth to actually manage that kind of, uh, a list of critical assets. So you have to have a discussion with them of what's really critical.

Moving over to 3rd column implementation, this really is where we started our messaging and I'll tell you a story real quick so.

We've built the program. The tool is done. That data is in the tool on every employee and we're getting ready to turn the tool on an begin our program. Well, our CEO wanted us to make sure that we were messaging correctly to the employee workforce relative to this new program. OK, we've been telling him for the last couple years. We're building the tool.

What the threats were and what to do about those threats. But now we also need to make sure they knew that we had a dedicated kind intelligence program and a robust insider threat detection program. So one of the things that we did is we are office crafting up a paragraph that would go out from our leadership to the workforce that essentially let them know.

About this program. Not the weeds of it. Certainly not our potential risk indicators, but the fact that we had a program. Now we're going to be focused on and communications suggested that we have a focus group. Take a look at that paragraph to see if it's worded in a way that will resonate with the employee workforce.

Or if it will irritate them in any way whatsoever, and lo and behold, that was a great.

Decision on communications part because there was a word in there and I never even thought about it. 'cause again, I came from the government, so I'm not really the softest approach when I'm in the government and what that word was is we had in there that people should report.

You know XY&Z well the focus group again, that focus group was made up of.

People in anywhere Between 25 years old and 70 years old there from legal, there are scientists, engineers, HR, security information security there from all walks of life quite frankly, and they came back to us and said, oh so you want to create a culture of snitches. You want to report on each other. Well, that's not the message that we wanted to go out.

So we don't use the word report. We use the word engaged and then why do we use the word engage? We want employees to be engaged in this program for their sake for their coworkers, sake for national security sake and for our brand and reputation sake. So it might sound like a small thing, but.

Quite frankly, when the focus group came back with that change and explained it made great sense to me and so I think words matter. How's that go over to the 4th column? Misgovernance this to me is a big deal and I'm going to bring it up again later because I think it's I think it's.

Worthy enough to repeat a couple of times When you roll out a message to your workforce that you have a program like this, that is certainly not arguable that it's intrusive. OK, you've got to let them know that it's in line with your Laws and privacy rules. But you also have to make them feel comforted that it's in line with their corporate values. And that's a very hard thing to do. But if you have a governance structure like I've demonstrated on this chart where you've got a steering committee at the Senior Vice President, Vice President level

You've got an oversight internal audit, risking compliance committee. The Board of Directors is briefed every year. It lets the workforce know that this isn't just some rogue office. This is an office that has a lot of oversight, so it must be being executed within our corporate values. That's important.

The other thing on here is Red team. I have the program Red teamed by real experts to make sure that the tool itself is not penetrable, because if you think about all the data that's in that tool and how sensitive that date is, we've got a strong obligation to make sure that that data is never lost.

The tool we call it risk analysis and mitigation system. It's internal. We don't sell it, it's just ours.

An the program what it does it evaluates every employees, attributes, actions and behaviors 24/7

The bullet that I have.

In bold and capitalized to me is the most important bullet. On this chart, we don't profile people. We profile behavior. All the data that's in the tool is anonymized, so the analysts, by the way, really have four analysts for over 100,000 employees. That's how powerful the tool is. I mean, still.

Requires a human being to analyze the data, but that we rely a lot on the tool. But the profiling thing is important because what you can't do is send a lead out because Doug Thomas is born in Country X or he has a last name of something or the color of his skin. Is this so the analysts have no clue who they're looking at.

Initially, because all the data is anonymized in the tool, so that's why I say we don't profile people for profiling behavior.

Another selling point to a robust, effective program is when executed well.

Is that it goes beyond the traditional insider threat, meaning espionage or the theft of intellectual property. We really have had some great successes with suicide ideations in workplace violence with this tool. And if you think about it, this kind of why we merged investigation and counterbalance under the same office.

Is because if you think about the concerning behaviors of people who are considering suicide or people who are considering workplace violence on a significant scale and those people who are considering espionage after locking Martin proprietary information, there are some similarities, not exact.

But there are some similarities. A lot of it has to do with stressors and people becoming disgruntled and things like that. So that's another outgrowth of a program like this.

If you could go to the next slide, please.

So I'm going to let your imagination run wild on the kind of data we collect and analyze.

'cause again, that's kind of our secret sauce. We don't go into great detail about these specific data if you will, but what I will tell you is that at the end of the day.

We have a human behavior and a digital behavior baseline of every employee in the company and what we're looking for is anonymous or not.

Uh, a typical behavior? Anomalous or atypical behavior? Now the program smart enough to know that I could compare Doug to Kristen or Doug to John, and it can do that if you want it to. But what I prefer the tool to do is compare Doug I've got his baseline.

In the tool and I'm looking for things that are atypical. Now there's a lot of times a typical behavior happens that's not concerning. OK, so think about the data in the tool. All the data in the tool is objective data. There's nothing subjective about the data itself. The subjectiveness of the program.

Are the potential risk indicators you collect.

Or identify the weights you assign to it and then the other subjective pieces. What do you do with that when the tool tells you there's a typical behavior 'cause not all atypical behaviors concerning behavior?

So let me give you a couple of case examples and it of course I had to.

Not, I'm not gonna use names. I'm not even gonna use that kind of weapon system that we're talking about or the location. But I do want to talk about a couple of case examples so.

We had a a subject who received a complete competitor recruitment letter with a job offer.

And this person Was on our radar already. And so when that letter came in for him, a job offer to go work for a direct competitor.

We took a look at OK. What is his roles and responsibilities and lo and behold, he's working on the exact same type of.

Weapon system that that direct competitor is working on. So now that got us a little concerned. OK, it's OK to go to another company. There's nothing wrong with that. In fact, it's sometimes it's even encouraged, but when we see someone who gets a letter from a direct competitor and they're working on the same kind of.

It's just we are. It makes us stop and pause for a minute. So then what we did is we saw him.

Download 49 files. Now you can have the best data loss prevention tool in the world. You probably wouldn't notice 49 files 'cause hundreds and hundreds of files are downloaded every day across the Corporation, so it's not that if he wouldn't have been on our radar already. I don't know if we would have seen that kind of a download, but what happened is we saw the download.

We immediately contacted the supervisor.

To see if he could take a look at.

The data to see how harmful it would be if it went to this specific direct competitor, and so the subject, and so he got subject matter experts together to take a look at the data. And they did this in about 3 days. I mean, it's actually pretty remarkable. Get in. We're talking about a small set of data files. It's only 49 files, but their assessment was.

Pretty interesting, their assessment was and again the my office doesn't do the assessments and they don't do the dollar figures OK. The assessment was. Had this been compromised at this company it would have caused grave harm to our company and the cost or the values they put on that data was 2.5 billion dollars.

Billion dollars OK?

Now there's ramifications that go along with something like this, so the guy was interviewed on why he did what he did. He lied. He said he didn't do any kind of a download like that. He lied about the job offer. Yeah, well, we already have all this stuff, you know. Finally, after denying it after six or seven times, he confessed.

And he actually confessed to, yeah, I was taking the data to prop myself up with this next company. OK, So what are the ramifications? So some people say well, did he get prosecuted well? You know that's not a goal of ours. Quite frankly, it's not necessarily a bad thing, but it's not necessarily a good thing either. The ramifications of this was.

We got the data, the data never left. The gaming company received a letter from legal letting him know that, hey, you're made a job offer this employee. He's being terminated from our company and you're on notice. Now, if he uses any of our data, you know you have a problem to your company has a problem.

Um, other things that happened is he added Clearence, so of course we notified the government and you know they.

Put a red flag on it. They stop, this learns.

So those are pretty strong ramifications for doing bad NIS right? And again, it's not just about prosecution. Another case we had same year.

Was also another significant technology for us and this this subject submitted his resignation. Gave two weeks notice and we've done a very good job of training awareness to the workforce, especially people like HR business Partners, because they see and hear everything, it seems like.

Well, we let our HRBP is know that hey depending on the person and their accesses, access does not equate to clearances. OK access could be critical assets depending on their accesses. We're interested in some people who might be leaving and the reason why I say it like that.

Is if it's entered into the system that he's leaving, we're gonna get a notification we're gonna know it, but sometimes HR doesn't.

Enter information into their system immediately. OK, but this HR business partner came to us and said, hey Doug Thomas is getting ready to leave. The company just dropped his two week resignation notice and he's getting ready to go to company X. Another dry competitor, by the way, so that got us thinking so we did did more due diligence on it. And we watched him, and sure enough.

He tried to download a bunch of data a lot more than 49 files. Again, he denied it when we approached him later he finally admitted it.

And he said he was going to take it to the next company. So his nice confession if you will, is immediately placed on leave and was physically exited from the company.

Uh, again letters to the company hit the gaining company about what he did and putting them on notice that they use any of his data. So now in this case and the case I just described, those companies elected not to hire their people. Those people they didn't go through with it. Which makes sense alright? Next line, please.

OK, so like most companies.

We collect and report an awfully lot of metrics. You know that's just So what piece? That's the result? That's what makes us tell gives us the ability to tell stories to our senior leadership of what is it? This office actually brings to the table. So these are the categories of metrics that we collect.

On a pretty regular basis, we brief it quarterly to our steering committee and we brief at annually to our Board of Directors.

Um, I mean, the numbers are unbelievable. Quite frankly, you can go to the next slide, please.

So I warned you that I was going to come back to this chart or the topic of governance only because I don't think you can overstate the importance of a good governance program over a program like this. I mean, 'cause. If you really think about what this program does, it could very much be interpreted.

As pretty intrusive. OK, in fact I had an ethics officer who sat on the konops build with us who made a very good comment to us and that was just because you can do something, meaning it's legally OK to do it or regulatory. OK to do it. Just because you can do something doesn't mean you should do something OK.

And that has resonated with me greatly because I think privacy is a big deal. So what? I don't want to do is overstep that privacy.

But going back to the governance structure, I really like this because although there's some pain that goes along with having this strong oversight over you on a regular basis, I think I think it makes our program and the execution of our program better. For instance, I invite an internal audit in.

To audit our program on an annual basis. OK, who does that? Because it is a painful process quite frankly, but it it helps us. The people executing the mission us in the business areas, executing the mission, and it helps the leadership understand that hey, we are executing the mission.

Based on the concept of operations, so I think that's very important.

So kind of like governance. I said I'd come back to the communications only because I think it's I think it's an area where people don't cross their T's and dot their eyes. It's not just about a tool that data and executing the kind of talent Insider threat program. It's also about good governance.

And it's also about communicating with the employees. We spend a lot of time on training and awareness of our workforce, making sure they understand what the threat is is not just a threat against the company and the company. Information is also a threat against against you personally. OK, so we focus a lot on training and awareness.

I will tell you that I think our training awareness program has actually stopped some bad behavior because people aren't as reluctant to come to us and tell us about things that are concerning that they're witnessing.

So this is my last slide.

And so you can breathe a little easier now. I'm almost done. As I reflect on our journey. These are the lessons learned for us, and they're not in any particular order but the first one. You really do need to invest in time and work an efforts with developing a relationship with their Chief Technology Officer.

To identify what your critical assets are and who's working on those programs for me, I view the Chief Technology Officer in our company as my number one internal customer. If you think about what their role is, they're given a boatload of money to do research and development and studies an analysis.

On the next generation product. OK, so like a company like Lockheed Martin, we're already selling things like the F35, so what's the next generation product? So he's looking at things 1520 years down the road. That might be the next widget that generates revenue and jobs and helps our brand and reputation.

So that's why the Chief Technology Officer is pretty important to me. #2. Just because you survived a presentation to your senior leadership on the need for an insider threat program, does not mean that the messaging stops there.

It's important to collect the right metrics and be able to tell a story that makes him want to hear more. Makes him want to support the program, so I mentioned that I briefed the Board of Directors on an annual basis, no, but in our company gets in front of the Board of Directors. That's kind of like sacred ground. Well, we briefed them one time on on the fact that we are standing up a program like this and I guess it sounded sexy enough.

Well, they wanted to hear more about it as it evolved, and ever since I've been doing it, they keep wanting it to come back on an annual basis. So that's really good support. The third bullet there. I would just say have patience building your program.

As I mentioned before, this call walk run effort, you're likely not going to get the data you want or the resources you need at first go slow. Have some minor wins, prove the concept if you will where we are today, certainly is not where we were seven years ago with this program. Before I had to beg for data.

To enhance the program now.

What we do is, we think of new data that we're not even. We haven't been getting 'cause we haven't been saying it now. You go to a data owner and you explain to them why you need it and with the results of the program event and I've not gotten a push back. I mean, it's amazing to me the 4th bullet to me might be maybe the most important bullet on here, and I've already mentioned this before, but this is a team sport.

So sometimes I did ask the question of, well where does your office set? Is it in the CIO office as an illegal? Is it in HR? Is it in security? You know what? It doesn't matter it be. It depends on your culture. Quite frankly there isn't a right answer as to where this.

Capability should sit. The right answer is that it's a team sport. You better have cyber onboard security, HR, ethics, legal and communications on board. And now I I would also add the Chief Technology Officer, but if they're not on board, you're not going to have a robust program because it takes all of those people.

They make this program really successful, and sometimes that's hard, so continual coordination with the general counsel. I have our chief Privacy Officer on Speed dial. That's how close our relationship is, because as I mentioned before, the execution of program, it's critical that it's executed in a manner that.

Is takes privacy into consideration? So for the companies that I'm out addressing right now, if you have employees at work, overseas dot TDY, not on business travel but work overseas, you have to abide by every country's privacy laws. So like in our tool.

It knows that Doug Thomas works in the UK or Canada or Australia. It knows that, OK, the tools designed like that, so the analyst can't readily see Doug Thomas is information because he's overseas. So what has to happen is based on whatever concern we might have that wasn't generated by the tool. We have to write up a justification to the Chief Privacy Officer.

To let them know that hey, we're interested in dark times, we'd like to look in the tool to see if one of the concerns there might be in there, and then he'll make a legal decision more. It's actually, it's less of a legal decision, more of a risk decision on whether or not we can look in there or not.

The next bullet is our internal audit. I've already talked a little bit about that. I think that's important that audit comes in and ensures that we're executing the mission based on the concept of operations. I've really beat to death the communications campaign, but I think what I want to leave you with this messaging is critical to your work.

Of course, because this could be easily viewed, interpret it as something really intrusive, so you really have to work on your messaging an that words matter. Opaque transparency. My boss says I'm opaque, transparent what he means by that is I'm very well our office.

And the business areas are very vocal about the fact that we have a dedicated Countertenors programmer. Robust and South threat detection capability. But what we don't do is we don't talk about our potential risk indicators and the data sources we use.

Now I've also mentioned about the application of suicide ideations in workplace violence prevention. Again, if you have.

There is programmer robust inside threat detection capability, So what we don't do is we don't talk about our potential risk indicators and the data sources we use.

Now I've also mentioned about the application as suicide ideations in workplace violence prevention. Again, if you have.

A pretty robust program, and you're collecting the right kind of data and it's being analyzed correctly. You will see indications of suicide thoughts or things that might turn violent. OK, 'cause you're really focused a lot on stressors And disgruntlement

So this next bill is kind of interesting federal law enforcement referral. So like in Martins about 105 years old and before my office got here. So it's about 98 years old. When we got here, not one time did it ever have a referral to the FBI or the federal law enforcement. And shortly after we got here.

We had a case that was a little bit concerning and the employee had just left. Well, there's not a lot our office can do about that. OK, 'cause the person already got. I remember going to the general counsel making the case to refer this in 811 referral, a formal referral to the barrel.

On the need to involve them and what we needed from the FBI and Oh my God, you wouldn't believe that pushback that I got from general counsel initially. But I let them know that look, I have. I think this could be a proof of concept as far as referrals go to federal law enforcement, I feel confident that this is going to be in our best interest.

Well, since then, we're averaging about 30 referrals a year to the FBI. They have not once did US harm in any way. They've been a great partner to work with it. It requires a lot of liaison, that's for sure. And then the last bullet I have there is a farce. Lessons learned is the breakdown of business as usual mindset. What I mean by that is?

You will get resistance when you first introduced this topic to whoever. OK, but you just have to kind of walk it through. I will tell you who gave me the hardest time after.

Others seem to embrace it as security actually gave me the hardest time about this program because they thought that they were already doing counterintelligence. Well, they weren't. They were doing OPSEC operational secure. They weren't doing kind of balance, so it's just kind of an interesting thing to break down business as usual mindsets.

Oh how things could be to the benefit of the company.

So that's it. I hope you're still awake. I hope I did not waste your time and I hope you got at least one nugget out of this.

John Dillard

I have several dogs, so I can. I'm pretty sure I speak for everybody to say when I say that there are a number of outstanding Nuggets, so thank you for that overview and we do want to open up the questions. We've had several submitted already. For those of you who have attended our webinars before, you know we always ask a poll question about this time, so we're going to quickly present a poll to you. Just asking you want to hear more about threats which.

While we're doing that, if you could submit your questions via the Q&A button in the Zoom Webinar tool an we will start jumping in and getting it. Some of these questions will give it about another 10 or 15 seconds. Everybody can respond to the pole and then we'll jump right in, but.

While we're doing that, you know. Again, Doug, thank you for the interview. I'm sure you probably have about another 2 hours of stories and we all would have listened to them, but we booked it for only an hour, which I always feel like is not enough time. We have a great guest, so that's it's really been fantastic. So to kick the questions off.

The first one that I have is ireally for companies that are in the middle market and by that I mean you know maybe there are a few 100 million in revenue or maybe only one or two billion in revenue. Not quite as big as Lockheed Martin. The struggle that that that you hear a lot is that they have a real pressing need to make serious investment in insider threat.

But the company's leadership is not quite on board because they're not used to it like the way that Lockheed Martin might have. I have been used to it for many years, so in your engagement with the board and the senior executives at Lockheed, what have you found is the most persuasive argument for them to get on board with spending money on insider threat and you know. But sometimes are fuels to national security and patriotism. are not quite as effective to get them to release funds as much as we would like. So what works for those gaps? What do they get excited about? What makes them cut a check?

Doug Thomas

Yeah, so I, I think that's an excellent question whoever asked that.

Like I said, this programs are scalable, so if you're a small company or a medium sized company, maybe you don't invest in a tool if you just hire the right person. Maybe you just start off with one person you start off with hiring the right person. Who knows this problem set like the back of their hand who can put together some great training and awareness and can tell stories OK?

So it may not be very expensive is what I'm saying and you started off with a proof of concept, but what sold the company I think is when you start talking about the trends throughout the United States, the statistics relative to the loss of intellectual property and RND data and how much it's costing the United States economy.

And companies OK if you want to get personal about it. And the other thing that didn't resonate with me that 35 years I spent in the government 'cause I didn't really think about it much is brand and reputation. The government doesn't think a lot about brand and reputation. OK, but companies do. I mean they thrive on a good brand and what they don't want. Is they don't want to have somebody do bad knice?

And it gets in the news. OK, and then it's fine. They have no program, they had nothing to mitigate this kind of a problem. OK, so it's a brand and reputation thing, but I think friends since it's a it's a threat that are going on right now is what I think sounds so another way to answer that today as I look at the trends and the shifting threat landscape from nation states. I don't understand how company can afford not to do this.

John Dillard

Yep, Yep.

Excellent, thank you. Another one, we have an you touched on this a little bit when you're talking about employee communications and governance and this is around a lot of companies have unclear population and clear population. The clear population generally has by default consented to some level of monitoring and information sharing for that uncleared population.

They're really kind of two questions here. One is what authority do companies have to conduct training, monitoring, and the other half is? Even if you have that authority, you know you get into this should question and it was curious what your thoughts are on that challenge.

Doug Thomas

Yeah, that was so. That was a question that popped up when we were writing the concept of operations again with ethics and legal and privacy and HR.

In the room, and I did not want this program just on the we have 70,000 cleared employees. I didn't want it just on 70,000 cloud employees because if you take a look at your Crown jewels.

Your company's Crown jewels isn't that secret document, it's your intellectual property. It's your research and development data. OK, it's your mergers and acquisitions information. You know that's your Crown jewels, right? So I wanted to make sure that our program covered every employee in the company. So then that question did come up about authority.

Well, from a from a authority standpoint, on systems everybody probably has it when you first sign in that you're agreeing to your monitoring. That's every employee in the company, so that's our authority for the digital side of the House for the human behavior sideous the lawyers came back and said we don't have to ask for consent.

Because it's already data that the company has collected. We're not collecting anything new. OK, we're collecting data that the company already has. We just never used it in his former fashion before. Now, let me expand on that a little bit. We do collect data that the company doesn't collect. OK, and that is publicly available select.

Publicly available information. So again, remember what I'm looking for is I'm looking for things that might. Point towards disgruntlement or stressors. Like financial stressors, we collect a lot of information within the company on that stuff, but there are some things we don't collect on, so we pay a vendor Thomson Reuters Security Service to collect data on all of our employees relative to real time arrests. Large purchases, liens, and bankruptcies. Consent is not necessary because it's pull up publicly available.

John Dillard

Right, that's super helpful and I know that's one that people cook with a lot in.

As a follow up to that one, you know, I know that there are a couple of other companies that have gone out and sought explicit consent for employees. Is that something Lockheed Martin is done where they've gone out to the unclear population and obtain some separate consent? Or is that not something that's part of your program?

Doug Thomas

Yep, we haven't had to do that. Are lawyers and again, X internal general Counsel an external general counsel. Said we're on solid ground.

John Dillard

Great good stuff you know another question that came up in a couple places is on the words and the meanings. The insider threat Assets risk counterintelligence. Those words can be kind of loaded, as I'm sure you know, and you know we had a question about whether or not the choices can Create objections for employees. Does it create baggage? And if you're trying to come up with the terms to name your program that get the point across without, you know, communicating you know, concerned among the employees? How do you? How do you work through that? What did you guys discover?

Doug Thomas

Yeah, I think that's another good question and I'm kinda gonna sound like I'm bipolar on this answer.

When I first did this office up, I wanted it. It was. It was a kind of talents, operations office and my boss did not like that term because it sounded too inherently governmental. And do we really do counterintelligence? But the reason why I wanted to keep kind of talents in the name.

Of our office is because I spend a lot of time and so does everybody. That works for me. Building and sustaining relationships with the federal government who do kind of talents in the insider threat programs. And that name recognition goes a long way and I know it sounds silly, but it is a ring knocking club so that helps as far as. The Exchange of information in the cooperation. Now I do like expanding on this cell and this is what makes me question my decisions previously on Things, Insider threat or is it insider risk? I think what my office does more than anything.

Relative to the Insider Threat program, is this. We're looking for risk. We're looking for people who may be at risk for exploitation or from their own sake because they're disgruntled, so I'm not wedded to any term whatsoever. Again, it's almost like I was saying before about where this is opposite.

It's on your culture. I would say the exact same thing. I think your culture could drive what you call yourself an where this office is executed from.

John Dillard

Yeah excellent yeah number of questions about departments and working with other departments and a lot of large programs. Of course they intend to work well with it in legal and and you know the different departments key security versus regular security and counterintelligence. This little bit of two parter one is, you know.

How do you guys cope with what has been traditionally a bit of a stove fight between what I would call traditional national security and counterintelligence an IT security or information security? That's part one, and then in general there are other departments that you find that are most challenging, or require the most work and to get along with, and we promised not to tell them.

What you say?

Doug Thomas

So I love this question, so I plug whoever did this one.

00:54:51

So I don't think I'm airing dirty laundry on this, 'cause it's pretty known when I first got here, the relationship between our CSO and our CIO and CSO Was It was OK, it wasn't flourishing, that's for sure. It was just OK and the my very first week here. I made an appointment with the CIO and the CIS so I could go in and sit down with them and talk to them about who I was. What I think my office brought to the table.

And just how critical their partnership was to our office to our success.

And I could tell that because of the history I was being looked at with a little bit of a John deciso, it was, uh, it took awhile to build that relationship, but I can tell you now I have a staff meeting 'cause not all my staff is here at corporate headquarters. I have a staff meeting every Tuesday with our business area kind of talent slides.

And part of that staff is our computer incident response team that works for this system. I also have a staff meeting on Thursday with our investigations leads. Part of that staffing includes the Computer Incident Response team. I have an annual forum where I bring in all of our investigators and kind of townspeople, and you are about 75 now.

Um in for an annual conference, and sure enough, the entire SERT team is part of that. My point is, it's a very close partnership today. Did that take some work? It absolutely did, because of the history wasn't all that close before, but we are both benefiting from it. So like when I give a presentation to the board.

Or to the steering committee search is one of the first people I mentioned right off the bat because they provide about 50% of our leads that comes out of the Rams tool are from SERT. The other 50% are human behavior stuff.

So that's one thing, so offices that were painful. I will I have to say war at 1st and it was an it's and it's not going to be any surprise to anybody. Then on this call HR was difficult at first because I'll tell you nobody covets their information better than HR. I think they.

I think they do a better job of taking care of their information then the government takes care of classified information. For instance, you know early on you wanna know about who are if. Let's say we're going to do a riff of 500 employees out of a site. OK, HR does not let that information go well. Now today I get that information before the supervisors get that information.

OK, I get the information about people gonna be put on a pip before they're put on a pip. OK it took a few years to get to that point. That's why I said early on that you gotta have some incredible patience.

To execute a program like this, 'cause there's just your new and you're not known an, you're looked at strangely about wanting all this information. And then there are.

Making sure you're executing the mission right so it just takes patience. So today the answer. The questions I don't really have an office, that's a concern for me They're all on board.

John Dillard

Excellent, yeah, we have several questions around. Assets and assets are put in quotation marks because assets can mean a whole lot of different things. It can mean a piece of classified information. It can be the container. It can be an information system. It can mean a hard drive. It could mean a person or a facility or proprietary information, and so How is Lockheed Martin dealt with the issue of a defining assets, especially in light of how DSSD CSA is changing the way it thinks about those things and then identifying critical assets. Once you figured out what the assets are.

So I remember shortly after I got here meeting with the Chief Technology Officer to have him give us a list of critical assets in the company and the way we're set up at the company. We have a chief Technology Officer at corporate and then dotted line to him or chief technology officers in the business areas. And so he reached out to them and they all came in and I asked for the top 10.

From each business area and then the hope was that the business areas would submit their top 10 and the Chief Technology officer would narrow that down to 10. Well, I didn't get the top 10 for this and I got like the top 50. OK, there is no way we're resourced to do.

Enhanced plans and mitigation strategies on 300 programs. Not gonna happen, but what was happening is I did a lousy job of describing or explaining what I thought a critical asset actually meant. So I was getting things like, yeah, 35. Well, you know what? No, that's an airplane.

What's unique about the F35 that makes it the awesome machine it is. There's a widget in there. What is that widget? 'cause you have 35 an airplane, so it's can't be the F35 is our critical asset, so it just took an awfully lot of going back and forth. It took us over a year to narrow down this critical asset list.

To 10. And I I take some of the blame for that, quite frankly It's a discussion is what it is and you and you have to operate.

John Dillard

Pardon me Who's been involved in that asset discussion? When you when you put together that list and you asked for that, did you survey a number of different departments or what?

Doug Thomas

We have first. First off, it was myself and the chief technology officer and the Chief Technology officer reached out to Chief Technology Officer.

Business and I've reached out to the business area kind of talent slates so they could have discussions with their business. Here Chief technology Officer, so that's really kind of where we get because they're not just focused on the next generation weapon systems, they're also focused on today's. So they're the ones who probably have the best Insights into our critical assets.

John Dillard

Excellent, so we probably have one time for one more question. I save this one for the end visit. It kind of puts a nice book in on your talk and that is eating the elephant. I mean you guys have been at this for awhile. You have 11 lessons and I think you know for some of us even one of those 11 lessons Feels like a pretty daunting task. How? How did? How do we get started? I mean you mentioned the scope of this can be huge. It can take years. Do you have a final bit of advice with us? Who are maybe just starting program? We're trying mature it 'cause our company is growing fast. What's the right way to tackle? What is a very large and expansive challenge?

Doug Thomas

Yeah, I think I think the biggest thing is to have somebody be your cheerleader in your advocate for hiring the right person. It just start off with one guy or Gal who has a right background who understands how nation states operate, will understand how competitors operate.

Who understands how to Mitigate threats, OK, who understands how to put together affective training and awareness to make sure your employees are aware of these things? You might just start off with one person and then and then hopefully you'll have some winds that will come along to generate.

The decision to expand that program. What I tell people is until you shine a spotlight on this problem set and what I mean by that is invest in at least one resource until you shine a spotlight on this problem that you have no clue what's walking out your door Done.

John Dillard

Alright, that's excellent advice, Doug. And we are out of time, so thank you Doug. So much for spending a little bit of your afternoon with us. It's been enormously helpful. I think I speak for everyone to say that we know a lot more than we did. We showed up. So thank you for that. As a reminder, everything that Doug talked about in the slides will be available on our resources page.

So we will be sharing that with you after the webinars over, including the recording, so be sure to check back there if you're looking for the slots or the recording. And in addition, I would just remind everybody that this is the part of a series on insider threat. Next month we'll be doing one that's a panel discussion, and we'll be sharing information on that shortly. So be on the lookout.

For info on our next webinar with that, thank you, Doug. Thank you everyone for attending and everyone have a fantastic weekend and remainder of your Friday.

Doug Thomas

Thanks John.

Keep Reading

Posts by Topic

Subscribe to our
Publications