With yesterday's Twitter excitement, a note: "Insider Risk" work is NOT fundamentally about the idea that you don't trust your employees. [thread]
Insider Risk controls are about limiting the capacity of people so you can be confident that your company's obligations to maintain security and privacy aren't dependent on avoiding mistakes.
Those mistakes could be someone who thinks they were doing their job, who got socially engineered, who didn't understand the policy, who fat-fingered something. One mistake might be "I trusted the wrong person", but it's only one of many.
And, of course, who knows if the person who is presenting authentication as one of your staff is actually that person. Insider Risk controls also help protect against attackers who can take over the identity of your empowered employees.
In the end, the way to be confident that the organization's intent and policies will be followed—that you can deliver on your security and privacy commitments—is to have less power depend on individual people, so they can't violate these rules, certainly not unilaterally.
Making it so less is dependent on "I hope people make the right choices"—while still empowering employees to get work done, keep systems running, and everything else—is really hard and requires deep understanding of systems, business processes, and employee empathy.
If you only see it through a lens of deciding if people are trustworthy or not and mitigating actually malicious people, you will only address a small fraction of the "Insider Risk" problem.
You can follow @tdierks.