The scale helps because it makes the communication simple. When someone leaves, they tip the scale. All the way to 10 (save 11 for special circumstances). That's an immediate signal security can use to move to step 3 below.
Using a scale sidesteps the "we'd love to tell you, but we can't because it's a matter of personnel." First, you can call their bluff on that statement. Broader, someone leaving the company with access to information is a corporate event. It needs review. Avoid the fight with the scale and corresponding signal.
Mike added "In my experience, HR wants to help. More so, once they understand the problem and how significant a role they can play in addressing it. They play an important role at the intersection of employer and employee. Give them they means they need to improve security without compromising that unique role."
Step 3: what to do when they leave (or when you find out)
When you learn someone left, review the last 30 days of activity. Longer if you have it. Most people know they are leaving about a month in advance. This tends to be when people do the most damage.
Look for signs of data exfiltration. Consider the methods available to them to move information:
- Unusual behavior in email: if they start sending themselves documents by email. Or when they use free email services to upload and send files and information to themselves.
- Bring your own cloud (BYOC): while uploading files to the Internet isn't new, it is easier. Look for signs of using personal cloud-based storage accounts to move information.
- Portable storage: are they using portable storage to copy and move data off premise
Some of these are easier to detect than others. It might need a blend of physical and electronic controls to determine. You might have blind spots, too. At this stage, the goal is to learn to take actions that protect the organization.
The smart approach for security leaders to get started
It's easy to draw on existing experience and focus on the downside. While controls are helpful, the first step is to build a clear and effective process. Create a good work environment that also protects information when people leave.
Insight and experience are excellent guides. Use what you have in place right now to follow these three steps for the next ten people who leave the company. Form a "task force" between legal, HR, and security. Agree on the process.
When each of the next 10 people leave, measure the steps and how long it takes. Consider what you learn. Document what worked. Note where you had blind spots. Look for ways to collaborate with other teams.
Sign up for Computerworld eNewsletters.