Solution Atlas
Specialised · User story · Consultative playbook

Departing employees are a known leak vector and we have no detection

After a high-profile case where a departing executive took customer data to a competitor, the CISO needs visibility on the pre-departure behaviour pattern. Purview Insider Risk would surface the signal but the team has never deployed it; HR and Security do not currently share the joiner-mover-leaver signal.

Trigger
Recent leak incident; board attention; HR-Security co-ordination gap.
Good outcome
Insider Risk policy live for HR-flagged departures, signals into Sentinel, weekly cross-functional review cadence with HR + Legal + Security.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Recent leak incident involving a departing executive or sensitive role
  • HR-to-Security signal not currently shared in real time
  • Insider-risk discussions never operationalised
  • Audit interest in pre-departure behaviour
  • Board attention on insider threat

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. How does HR signal a departure to Security today?

    Why: The HR-Security handoff is the load-bearing process. It is often manual or absent.

    Listen for: “email when finalised” · “weekly batch” · “we don't formally”

  2. What pre-departure behaviour have you investigated retrospectively after a known incident?

    Why: Anchors the discussion in concrete patterns.

  3. What is your DLP posture on outbound channels — email, USB, cloud upload, personal email?

    Why: DLP coverage is the prerequisite. Without it, the signal is invisible.

  4. Who would own an insider-risk programme — Security, HR, Legal, or shared?

    Why: Cross-functional ownership is the maturity threshold.

  5. Have you mapped the most-sensitive content types — IP, customer lists, M&A material, pricing?

    Why: Classification is the foundation. Without it, Insider Risk has nothing to anchor on.

  6. What does your offboarding process look like for privileged users specifically?

    Why: Surfaces the gap between policy and practice for the highest-risk leavers.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

HR departures do not trigger heightened Security scrutiny. DLP partial; no insider-risk policy. No pre-departure monitoring. Offboarding manual and reactive. No cross-functional review cadence. Past leak incidents investigated retrospectively without a continuous detection capability.

Typical concerns

  • Pre-departure behaviour invisible to Security
  • DLP coverage uneven; some outbound channels unmonitored
  • HR signal not integrated with Security tooling
  • Offboarding leakage — accounts and devices not removed promptly
  • No defensible answer for "how would we know?" if asked by the board

Capability gaps

  • Purview Insider Risk Management with HR-driven triggers
  • Sensitivity labels providing content classification baseline
  • Sentinel receiving Insider Risk signals into the SOC queue
  • Cross-functional cadence with HR + Legal + Security
  • Offboarding playbook integrated with identity

Target architecture

Purview Insider Risk Management policies live with HR-driven triggers (departing employees, internal moves into sensitive roles). Sensitivity labels classify content tenant-wide so Insider Risk can anchor on what is actually sensitive. Signals route into Sentinel for the SOC queue, correlated against identity and endpoint signals. A weekly cross-functional cadence with HR, Legal, and Security reviews flagged cases. An offboarding playbook automates access removal in the identity platform, so the HR departure signal drives both monitoring and revocation rather than reaching Security by ad-hoc email.

Key capabilities

  • Insider Risk policies with HR-driven triggers
  • Content classification baseline
  • Signals into Sentinel SOC queue
  • Cross-functional review cadence
  • Identity-integrated offboarding playbook

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1: Scope — privileged-users-only vs broader workforce

    Privileged users only

    When it fits: Cost-sensitive; highest-risk slice; lighter privacy footprint.

    Trade-offs: Misses non-privileged exfiltration (sales reps with customer lists, engineers with code).

    Broader workforce

    When it fits: Demonstrated insider-threat risk; willingness to navigate the privacy conversation.

    Trade-offs: Broader privacy and employee-relations impact.

    Default recommendation: Start with privileged users + sales (customer lists) + engineering (code/IP). Expand as the programme matures.

  2. Decision 2: Trigger model — HR-driven vs anomaly-driven

    HR-driven (resignation triggers monitoring)

    When it fits: Mature HR-Security integration; a clear definition of "departure".

    Trade-offs: Misses unannounced exfiltration ahead of resignation, and inherits any lag in the HR feed (a weekly batch means up to a week of unmonitored pre-departure activity).

    Anomaly-driven (behavioural baseline triggers monitoring)

    When it fits: Mature SOC; appetite for continuous behavioural signal.

    Trade-offs: Higher false-positive load; broader privacy footprint.

    Default recommendation: HR-driven for the first 12 months; layer anomaly-driven once the HR-driven baseline is operational.

  3. Decision 3: Disclosure model — transparent (employees informed) vs confidential

    Transparent

    When it fits: Strong employer-employee trust; the legal jurisdiction requires it (some EU member states).

    Trade-offs: May reduce detection efficacy for the highest-intent actors.

    Confidential

    When it fits: Legal counsel advises it; investigation-led model.

    Trade-offs: Trust risk if the monitoring is later disclosed without a managed message.

    Default recommendation: Transparent in EU jurisdictions; confidential elsewhere — always with legal counsel sign-off.
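The HR-driven trigger in the target architecture and in Decision 2 only works if the HR-to-Security handoff is a maintained data feed rather than an email. The script below is an added example, not Microsoft's code and not the connector's own upload script: it turns a constructed HRIS leaver export into the CSV that the Purview HR data connector ingests, applies the Decision 1 default scope (privileged users + Sales + Engineering), and rejects rows HR needs to fix. The export shape, the scope rule, the midnight-UTC timestamps and the column names EmailAddress / ResignationDate / LastWorkingDate are assumptions; the column names only need to match the mapping you configure in the connector wizard.

```python
"""Build the departing-employee feed for the Purview HR data connector.

Added example, not Microsoft's code or the connector's upload script.
Assumptions: the HRIS export shape, the pilot scope (privileged users +
Sales + Engineering), midnight-UTC timestamps, and the output column names
EmailAddress / ResignationDate / LastWorkingDate (these must match whatever
mapping is configured in the HR connector wizard).
"""
import csv
import io
import re
from datetime import date

# Decision 1 default scope (assumption for this example).
PILOT_DEPARTMENTS = {"Sales", "Engineering"}

# Constructed HRIS leaver export, not real data.
HRIS_EXPORT = [
    {"upn": "a.lee@contoso.example", "dept": "Sales", "privileged": False,
     "resignation": "2024-05-02", "last_day": "2024-05-31"},
    {"upn": "b.ortiz@contoso.example", "dept": "Finance", "privileged": True,
     "resignation": "2024-05-03", "last_day": "2024-06-14"},
    {"upn": "c.nair@contoso.example", "dept": "Marketing", "privileged": False,
     "resignation": "2024-05-06", "last_day": "2024-06-07"},
    {"upn": "not-an-email", "dept": "Engineering", "privileged": False,
     "resignation": "2024-05-07", "last_day": "2024-05-01"},   # broken row
    {"upn": "A.Lee@contoso.example", "dept": "Sales", "privileged": False,
     "resignation": "2024-05-02", "last_day": "2024-05-31"},   # duplicate, case differs
]

FIELDS = ["EmailAddress", "ResignationDate", "LastWorkingDate"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def in_scope(rec):
    """The HR-driven trigger only fires for the pilot population."""
    return rec["privileged"] or rec["dept"] in PILOT_DEPARTMENTS


def iso_utc_midnight(day):
    """Connector dates as full ISO 8601 timestamps (assumed: midnight UTC)."""
    return date.fromisoformat(day).isoformat() + "T00:00:00Z"


def validate(rec):
    """Return the list of problems with a row; an empty list means usable."""
    problems = []
    if not EMAIL_RE.match(rec["upn"]):
        problems.append("invalid email")
    try:
        resigned = date.fromisoformat(rec["resignation"])
        last = date.fromisoformat(rec["last_day"])
        if last < resigned:
            problems.append("last working day precedes resignation")
    except ValueError:
        problems.append("unparseable date")
    return problems


def build_feed(records):
    """Return (csv_text, rejected): the upload file plus rows to send back to HR."""
    seen, rows, rejected = set(), [], []
    for rec in records:
        if not in_scope(rec):
            continue
        problems = validate(rec)
        if problems:
            rejected.append((rec["upn"], problems))
            continue
        key = rec["upn"].lower()
        if key in seen:          # same leaver exported twice
            continue
        seen.add(key)
        rows.append({
            "EmailAddress": key,
            "ResignationDate": iso_utc_midnight(rec["resignation"]),
            "LastWorkingDate": iso_utc_midnight(rec["last_day"]),
        })
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue(), rejected


if __name__ == "__main__":
    feed, rejected = build_feed(HRIS_EXPORT)
    print(feed)
    for upn, problems in rejected:
        print("REJECTED", upn, "; ".join(problems))
```

Run on the constructed export, the feed contains a.lee (Sales) and b.ortiz (privileged) and nothing for c.nair (out of scope); the Engineering row is rejected for both a malformed address and a last working day before the resignation date, which is exactly the kind of row that silently breaks a "weekly batch" handoff. The rejected list is what goes back to HR in the weekly cadence.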

Low-risk trial — proof of value

60-day Insider Risk pilot for HR-flagged departures

Duration: 8 weeks

Purview Insider Risk policies live for the HR-flagged departure trigger. Sensitivity labels classify the most-sensitive content types (M&A, IP, customer lists). Signals route into Sentinel. Weekly cross-functional cadence with HR, Legal, and Security stood up. Offboarding playbook validated against one real departure during the trial window.

Success criteria

  • Insider Risk policies live with HR-driven triggers
  • Sensitivity labels applied to top-priority content types
  • Signals visible in Sentinel SOC queue
  • Cross-functional cadence running weekly with named participants
  • At least one offboarding-validated departure end-to-end

Investment: Purview Insider Risk Management (included in Microsoft 365 E5, or licensed as an add-on) plus Sentinel consumption for the signal ingest. Estimated ~€3–5k/month for the trial scope at the privileged-user tier.

Proof metrics

  • Time-to-detect anomalous pre-departure behaviour measurable
  • Cross-functional cadence operating weekly
  • Offboarding access-removal SLA below 1 hour
  • Audit-defensible posture demonstrated to board or regulator

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Microsoft Purview (Insider Risk Management, sensitivity labels)

Why for this story

Insider Risk Management sits in Purview; sensitivity labels provide the content classification baseline that Insider Risk policies anchor on. Without labels, the signal has no context, and without DLP coverage of the outbound channels (the prerequisite probed in discovery) there is no device-level signal to score.

Microsoft Sentinel

Why for this story

Routes Insider Risk signals into the SOC queue with correlation against identity, endpoint, and email signals. The cross-domain investigation graph is where the pattern becomes visible.
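What "correlation against identity, endpoint, and email signals" means in practice is a join keyed on the user and bounded by the HR departure window. The block below is an added illustration, not Sentinel's or Purview's own logic: it shows in Python, over constructed events, the cross-source join an analyst would normally write in KQL over Sentinel tables. Source names, field names, the 30-day look-back and the point weights are assumptions for the example. The c.nair row is deliberate: that user has no HR trigger, so the HR-driven model never scores them, which is the Decision 2 trade-off made concrete.

```python
"""Correlate HR departure windows with identity and endpoint signals.

Added illustration, not Sentinel's or Purview's own logic: the cross-source
join a SOC analyst would normally write in KQL over Sentinel tables, shown in
Python over constructed events so it runs offline. Source names, fields, the
30-day look-back and the point weights are all assumptions for the example.
"""
from datetime import datetime, timedelta

LOOKBACK_DAYS = 30  # assumed: watch from 30 days before resignation to the last day


def ts(s):
    return datetime.fromisoformat(s)


# Constructed HR departures (what the HR connector feed would carry), not real data.
DEPARTURES = {
    "a.lee@contoso.example": {"resignation": ts("2024-05-02T00:00:00"),
                              "last_day": ts("2024-05-31T23:59:59")},
    "b.ortiz@contoso.example": {"resignation": ts("2024-05-03T00:00:00"),
                                "last_day": ts("2024-06-14T23:59:59")},
}

# Constructed events as (source, user, time, attributes), not real logs.
EVENTS = [
    ("EndpointDlp", "a.lee@contoso.example", ts("2024-04-20T14:05:00"),
     {"action": "CopyToRemovableMedia", "label": "Confidential - Customer Data", "files": 312}),
    ("SignIn", "a.lee@contoso.example", ts("2024-05-10T09:01:00"),
     {"app": "Personal cloud storage", "country": "DE"}),
    ("EndpointDlp", "a.lee@contoso.example", ts("2024-05-10T09:12:00"),
     {"action": "UploadToCloud", "label": "Confidential - Customer Data", "files": 58}),
    ("SignIn", "a.lee@contoso.example", ts("2024-03-01T08:00:00"),
     {"app": "Personal cloud storage", "country": "NL"}),           # before the window
    ("EndpointDlp", "b.ortiz@contoso.example", ts("2024-05-20T17:40:00"),
     {"action": "Print", "label": "General", "files": 3}),           # benign
    ("EndpointDlp", "c.nair@contoso.example", ts("2024-05-21T10:00:00"),
     {"action": "CopyToRemovableMedia", "label": "Confidential - IP", "files": 900}),  # no HR trigger
]

EXFIL_ACTIONS = {"CopyToRemovableMedia", "UploadToCloud", "SendToPersonalEmail"}
SENSITIVE_PREFIX = "Confidential"


def in_window(user, when):
    """True only for users with an HR trigger, inside their pre-departure window."""
    d = DEPARTURES.get(user)
    if d is None:
        return False
    return d["resignation"] - timedelta(days=LOOKBACK_DAYS) <= when <= d["last_day"]


def score_event(source, attrs):
    """Assumed weighting: labelled-content exfil dominates; personal-app sign-ins add context."""
    if (source == "EndpointDlp" and attrs["action"] in EXFIL_ACTIONS
            and attrs["label"].startswith(SENSITIVE_PREFIX)):
        return 10 + min(attrs["files"] // 100, 10)
    if source == "SignIn" and attrs["app"].startswith("Personal"):
        return 5
    return 0


def score_departures(events):
    """Return {user: {"score": int, "evidence": [str]}} for every HR-triggered user."""
    out = {}
    for source, user, when, attrs in sorted(events, key=lambda e: e[2]):
        if not in_window(user, when):
            continue
        entry = out.setdefault(user, {"score": 0, "evidence": []})
        pts = score_event(source, attrs)
        if pts:
            entry["score"] += pts
            entry["evidence"].append(f"{when:%Y-%m-%d %H:%M} {source} {attrs}")
    return out


def soc_queue(events, threshold=10):
    """Ranked (user, score) pairs that should land in the Sentinel SOC queue."""
    scored = score_departures(events)
    ranked = sorted(scored.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return [(user, v["score"]) for user, v in ranked if v["score"] >= threshold]


if __name__ == "__main__":
    for user, score in soc_queue(EVENTS):
        print(user, score)
        for line in score_departures(EVENTS)[user]["evidence"]:
            print("   ", line)
```

On the constructed data a.lee surfaces with three pieces of evidence (a USB copy of labelled customer data, a sign-in to a personal cloud app, and an upload eleven minutes later), b.ortiz is in the window but scores nothing, and c.nair's 900-file copy of labelled IP never appears because no HR trigger exists for them. That last case is the argument for the anomaly-driven layer in Decision 2 once the HR-driven baseline is operational.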
