Inside Out: Navigating Insider Threats in a Shifting Global Landscape
- Effortlo
- May 14
- 8 min read
Culture, Caution, and Continuous Vetting: Insider Threats Take Center Stage
At the effortlo Security FOCUS Group discussions, held on April 15 and May 2, 2025, experienced leaders from across sectors gathered to tackle the rising challenges associated with insider threats. This wasn’t a theoretical debate. It was a candid, boots-on-the-ground exchange about real vulnerabilities and how to strengthen our organizations from the inside out.
As organizations brace for economic headwinds and navigate complex political climates, security leaders are facing a threat that's both deeply familiar and frustratingly elusive: their own people.
This topic brought together security professionals for two in-depth Security FOCUS Group discussions, with participation from experts on the effortlo Executive Resource Council; Shawnee Delaney, Bruce McIndoe, Sulev Suvari, and executives from companies including American Eagle, Zoox, Cardinal Health, Juniper Networks, Veritiv, Kellanova, and others. These conversations revealed patterns, emerging risks, and cross-functional solutions companies are adopting to get ahead of insider threats.
The Threat Within
“Over half of all security incidents originate from insiders,” noted Steve Lisle, founder of effortlo, in the opening session. Shawnee Delaney reinforced this reality.
It’s not always sabotage - it’s someone making a mistake or not knowing the policy, and that’s something you can train away.” - Shawnee Delaney
Shawnee further emphasized that insider risk is simply the risk created by employing humans, people who might make mistakes, take shortcuts, or become malicious. Importantly, she categorized insider threats into three buckets:
✔ Unintentional/Negligent: Someone who unknowingly violates a policy or intentionally bypasses protocol (e.g., printing documents to work on during a flight).
✔ Compromised: Like the Uber breach, where a third-party vendor was tricked into giving away credentials.
✔ Malicious: The most difficult to predict and train against.
The good news? The first two categories can often be mitigated through thoughtful training, process improvements, and proactive cultural alignment.
“It’s the senior leadership buy-in. If they don’t understand why insider risk deserves serious investment, it doesn’t move forward - Patrick Joyce”
Technology Is Evolving. So Are Insider Threats.
Sulev Suvari of Zoox described the complex web of risk created by integrating AI and productivity tools like Google Gemini, Slack bots, and JIRA automations into daily workflows:
“It’s not just people anymore. It’s bots with access to sensitive Slack channels or private HR conversations. The line between tool and threat is blurring fast.”
This concern echoed across the group. AI has introduced new layers of risk, particularly around inadvertent exposure of internal or regulated information. Companies are now asking: how do you secure a bot?
Shawnee praised tools like Behavox and Proofpoint for their strong monitoring capabilities, especially when paired with proactive HR partnerships.
From Exit to Exposure
Insider incidents frequently begin weeks before an employee gives notice. Bruce McIndoe emphasized:
“Most bad actors start downloading data 30-60 days before they resign. The red flags are there, you just have to be looking for them.”
Another leader shared: “We don’t wait until Friday anymore. We lock people out the day before. People make bad decisions at 2 a.m. on a Saturday after a few drinks. We’ve seen it.”
Shawnee introduced the concept of a "Leavers Policy," where those exiting, especially to competitors, are placed in a special monitoring status. Others described putting employees on heightened alert lists during restructuring or job changes to detect risky behaviors early.
Still, the group cautioned: sudden offboarding actions can backfire. If someone is already disgruntled, immediate cutoffs can provoke a retaliatory response. Offboarding, they noted, is one of the most vulnerable moments in the employee lifecycle and must be handled with empathy and strategy.
Respectful Accountability and the Culture Paradox
Participants reflected on the tension between building trust and executing oversight. On one hand, leaders want to foster inclusive, supportive, and open work environments. On the other hand, they must deploy monitoring and behavioral detection tools to mitigate internal risks.
This dynamic creates a delicate balancing act between empowerment and protection. One organization noted success with "respectful accountability," where monitoring programs are openly discussed with employees. By communicating the why behind surveillance and involving local teams through Threat Assessment Teams (TATs), leaders reported more buy-in and fewer privacy concerns.
The message is clear: this isn’t about punishment, it’s about shared responsibility.
Mental Health, Gambling, and the Hidden Triggers
Mental health was another major thread. Bruce McIndoe introduced Mental Health Champions programs: Peer-trained employees unaffiliated with HR or security who act as safe listening posts across the company.
“You need sensors in the system - people who are connected and can spot someone spiraling before it turns into a crisis.”
The group emphasized that personal strain, financial stress, family issues, and health problems can fuel risky behavior. Gambling, in particular, was raised as a silent and rising driver of internal fraud or misconduct.
Unionization as Trojan Horse
One participant shared a recent example of a new employee entering the company not to work, but to sow discord and drive union activity. “It was disruption disguised as performance.” The employee performed well enough to avoid suspicion early on, but gradually built influence with coworkers, subtly shifting conversations toward dissatisfaction and division. Once the internal group gained traction, the employee escalated actions that created workplace disruption and triggered broader organizational risk.
The group agreed that insider threats aren’t always digital; they’re sometimes ideological. Leaders were urged to balance respect for labor rights with vigilance against those who may seek to destabilize operations under the guise of advocacy.
What You Don’t Know Will Hurt You
This delay isn’t just an operational misstep; it’s a systemic blind spot. Security teams often find themselves reacting to incidents that could have been prevented if they had earlier visibility. While HR and Legal may have early insight into employee grievances, medical leaves, or performance issues, those insights rarely translate into timely security action.
“The challenge is this: security is always brought in too late. By the time we know, the damage is already happening. HR and Legal know. Managers know. But security often doesn’t.”
Participants agreed that organizations must dismantle silos between departments to move the needle. This involves embedding security professionals into cross-functional conversations, particularly during hiring, performance management, restructuring, and exit processes. Security can no longer be the last to know. It must be involved from the first signs of friction.
One participant shared how they’re working to integrate a cross-functional “People Risk Council” that includes HR, Legal, IT, and Security. Another emphasized empowering HR to identify patterns of behavior, such as financial strain, workplace conflict, and burnout, and communicate those trends to Security before they metastasize into threats.
Security’s role isn’t just enforcement; it’s early intervention. And that requires trust, access, and a seat at the table.
Continuous Vetting: From Pre-Hire to Present Day
There was also an emphasis on a critical reality: risk doesn’t stop at onboarding. Insider threats can emerge or evolve years after an individual is hired, particularly during periods of personal or organizational stress. The employee you hired five years ago may not be the same person today.
The group added that companies must reframe how they think about access: not as a permanent permission, but as a dynamic privilege. As employees shift roles, experience life changes, or encounter financial and emotional stress, their risk profiles also evolve.
The group highlighted the importance of aligning physical and cybersecurity teams with HR and legal to track who has access to what, and why.
“We found people still accessing sensitive systems weeks after departure. Now we offboard before the last day and limit access during notice periods. It’s about protecting everyone.”
Participants also discussed continuous vetting tools - systems that can flag if a current employee appears in court records, social media sentiment shifts, or public databases. Bruce McIndoe shared examples of how these tools, already common in high-trust industries such as defense, are becoming increasingly essential in corporate environments, particularly with remote work and global teams.
It’s not about distrusting employees. It’s about understanding that trust is not a static asset—it must be maintained and monitored like any other element of risk.
Tool Talk: What’s Working
Tools that received positive feedback in the discussion:
Microsoft Purview Communication Compliance
CrowdStrike (used for endpoint protection and thumb drive policy enforcement)
Proofpoint (highlighted for monitoring and preventing exfiltration)
Behavox - Falcon tool
User & Entity Behavior Analytics (UEBA) platforms)
Mental Health Champions Kit (UK/US)
Thomson Reuters CLEAR (for continuous vetting and legal monitoring)
Cost and complexity remain challenges. “You can’t buy a tool for every problem.” Leaders encouraged the use of existing resources, such as log reviews, data mapping, and enhanced collaboration between IT, Security, HR, and Legal.
Statistics That Matter
Over 50% of all security incidents involve insiders, according to Verizon’s 2023 Data Breach Investigations Report. (Verizon DBIR 2023)
74% of breaches involve the human element—including social engineering, errors, or misuse. (Verizon DBIR 2023)
Only 28% of organizations report having a formal insider threat program. (Ponemon Institute)
The average cost of an insider threat incident is $15.38 million annually per organization. (Ponemon Institute)
57% of insider threat incidents involve unintentional actors—highlighting the critical role of training and awareness. (Cybersecurity Insiders Insider Threat Report)
These numbers validate what leaders are experiencing on the ground: insider threats are real, frequent, and costly, but also preventable with the right strategies and cross-functional alignment.
Where Do We Go From Here?
The discussion closed with a shared understanding: insider risk is no longer a narrow cyber issue or an HR problem. It’s systemic, and security must be at the table from day one.
The group is considering future sessions on work-from-home vulnerabilities, continuous vetting programs, and culture-based security models.
Effortlo is grateful to the leaders who contributed their insights to this session. We believe that through open, real-world dialogue, we can create safer organizations and stronger collaboration across functions.
About The Security Leader Focus Group
The Security Leader Focus Group is designed to host about 20-25 CSOs, Global Security Leaders, and SMEs alongside the Executive Resource Council. This is a working session where security leaders speak openly and candidly, sharing their experiences, successes, and struggles around a topic with the intent to #benchmark and collaborate with like-minded peers.
About effortlo
Effortlo is the world’s only #marketplace exclusively for security professionals, designed to empower companies with unparalleled access to trusted expertise. Our innovative model offers flexibility, transparency, and cost-effective solutions that help organizations address their most pressing security challenges. From embedding top-tier experts to streamlining complex projects, we enable businesses to expand their capabilities without expanding their payroll. By engaging the industry’s best resources, effortlo ensures your security programs are effective, scalable, and tailored to your unique needs.
Do you want to learn more about how effortlo helps companies solve security challenges? Schedule an introduction.
Participants in this Focus Group included: (plus others who cannot be publicly named)
Josh Carver – Chief Security Officer at Schneider Electric
Brad Minnis - Vice President, Environment, Health, Safety & Security at Juniper
Jason Maddix – Corporate Security Director at Republic Services
Reigna Zeigler – Global Director, Emergency Mgt & Continuity at Johnson Controls
Rusty Wallace – Chief Security Officer at Veritiv
Scott McBride - Chief Global Asset Protection Officer, CSO, American Eagle Outfitters
Scott Lindahl – VP Corporate Services & CSO at Kellanova
Brian Hansen – Vice President, Regional Chief Security Officer (LAC) at Mastercard
Joel Jordan - Security Director at Cardinal Health
Pedro Ramirez - Corporate Security & Facility Director @ GFR
Steve Beggs - Security Manager, United Regional Hospital System
Carlos Galvez – Principal Risk Consultant at Bastion Projects
Patrick Joyce - Global Resident CISO at Proofpoint, Former CSO/CISO at Medtronic
effortlo Executive Resource Council
Bruce McIndoe – President, McIndoe Risk Advisory, and founder of iJet/WorldAware
Rich Widup – President of The Widup Group & former President of ASIS
Tim McCreight – CEO of Talecraft Security & 2023 President of ASIS
Shawnee Delaney - CEO, Vaillance Group | Expert on Insider Threat & Counterintelligence
Sulev Suvari – Head of Global Security at Zooks
Rob Chamberlin – President & Founder of Security 101
Steve Lisle – Ambassador for Reducing Effort – Founder of effortlo.
Dr. Steve Albrecht – WPV and Threat Assessment Expert
Mike Osborne – former Chief Security Officer at Kinross
Karan Uthaiah – Founder of TASC and former Head of Global Resilience at HP