Financial Services CIOs, Insider Threats and Human Behavior

I've had a few conversations lately around the topic of the insider threat in the financial services arena, so I figured I'd scan around the Web to see what's out there and came across an interesting InfoWorld article. Though it is from last fall, it hits on a number of concerns that are timely now, especially given major breaches like Societe Generale. The article reports on a Deloitte study that highlights two major data points that I want to call out:

1. 91% of financial services companies' CIOs are concerned with the inability to deal with the insider threat

2. 79% of respondents stated that human behavior is a big factor

Read those numbers again. This was a survey of 100 global financial services firms with deep pockets and vast technologies, conducted before Societe Generale was in everyone's vocabulary. More significantly, most weren't providing new training to workers on security. In general, training requires changes in behavior, and let's face it, most people don't embrace change to their daily routines, especially to improve security. Change is disruptive; change implies more work. This further reinforces the belief that security needs to be invisible to the user (which I'll address in a future blog entry).

These insider threats have brought on the wave of data leakage protection (DLP) technologies, but at the core, identity and access management remains the central choke point for addressing the insider threat. Knowing who's accessing what, when and from where is a key part of the paper trail for finding out whether there's been misbehavior or accidental leakage. Mix in integration of physical and logical security, a touch of strong authentication and effective access management, and you've created a potent recipe for deterring the insider threat. The operative word here is deter: the ability to undeniably trace actions back to an individual reduces the urge to push the limits on misusing the system.

Tell me, what's your insider threat protection recipe? What are you using (or planning to use) to address the biggest business security threat we now face? How does/will it change the behavior of your workers?

-David