

I was strategizing with one of the top CISOs in the nation, who spent his last 20 years with a “3 letter agency”, and the number one topic that he was concerned about caught me by surprise.
He didn’t say ransomware.
He didn’t say AI-powered attacks or nation-state actors.
He said insider threats.
In most organizations, insider threats land somewhere between eighth and tenth on the priority list. They’re on the list but they don’t lead it. So when someone with his background put it at number one, I wanted to understand why.
Because here’s the theme I keep seeing across client conversations: the threat category most security teams are under-resourcing is already sitting inside their perimeter, logged in with valid credentials, doing exactly what the technology was designed to let it do.
It’s a Bigger Category Than You Think
Most people picture insider threats one way — the disgruntled employee, the corporate spy, the contractor who walked out with a thumb drive. Those exist, and they matter, but they’re not the majority of what this category actually contains.
The real picture is more complicated. A developer who got wind that a layoff was coming and quietly modified a line of code before walking out the door. A finance employee who accidentally attached the wrong spreadsheet and forwarded it to a vendor without realizing what was in it. A salesperson who copied their entire contact list to a personal folder because, in their mind, those relationships belonged to them.
Sabotage. Negligence. Convenience.
Three completely different motivations, three completely different risk profiles — all sitting inside the same category. Most insider threat programs are built to catch one of those three while the other two go unchecked.
Before the Data Moves, the Human Does
I came across a clip recently from a podcast featuring the former head of security at a space exploration company. He had spent time in the military, the private sector, and in the defense contractor world. The way he described building their insider threat detection program stuck with me.
The company he referenced is a government contractor handling classified projects. The false-positive problem is enormous — if your detections fire too broadly, you chase ghosts while the real signal disappears in the noise. His answer wasn’t to add another technical detection layer. It was to look earlier, before any data actually moved, at the behavioral patterns that humans telegraph when something in their situation is changing.
For example, an internal employee starts buying unusual quantities of merchandise from the company store. That same employee has started routing more activity through personal email on a corporate device. Neither signal alone closes a case, but A plus B equals C, and by the time data starts moving, the window to act has often already closed.
That’s what most organizations are missing. Humans telegraph their intentions well before any technology captures it. The detection window exists but most security teams just aren’t looking for it.
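The "A plus B equals C" idea above can be expressed as a small correlation rule: flag a user only when two or more different weak signals appear within a short window, so a repeat of one signal does not fire on its own. This is an added illustration, not code from the article or the program it describes; the signal names, users and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical): one weak behavioural signal each.
# Signal names are illustrative, not taken from any product or the article.
EVENTS = [
    {"user": "alice", "signal": "store_purchase_unusual", "ts": "2024-03-01T10:00:00"},
    {"user": "alice", "signal": "personal_email_forward", "ts": "2024-03-03T15:30:00"},
    {"user": "alice", "signal": "personal_email_forward", "ts": "2024-03-04T09:10:00"},
    {"user": "bob",   "signal": "personal_email_forward", "ts": "2024-03-02T11:00:00"},
    {"user": "bob",   "signal": "personal_email_forward", "ts": "2024-03-02T11:05:00"},
    {"user": "carol", "signal": "store_purchase_unusual", "ts": "2024-01-05T08:00:00"},
    {"user": "carol", "signal": "after_hours_badge",      "ts": "2024-03-20T23:40:00"},
]

WINDOW = timedelta(days=14)


def correlate(events, window=WINDOW, min_distinct=2):
    """Return {user: sorted signal names} for users who show at least
    `min_distinct` DIFFERENT weak signals within `window` of each other.

    Repeats of a single signal (bob) do not count, and signals that are
    too far apart in time (carol) do not count; this keeps the rule from
    firing on the everyday noise the false-positive problem is about."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["signal"]))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order, so each window starts at evs[i]
        for i, (t0, _) in enumerate(evs):
            kinds = {sig for t, sig in evs[i:] if t - t0 <= window}
            if len(kinds) >= min_distinct:
                flagged[user] = sorted(kinds)
                break  # one hit per user is enough for review
    return flagged


if __name__ == "__main__":
    for user, signals in correlate(EVENTS).items():
        print(f"review {user}: {', '.join(signals)}")
```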
The Part Nobody Wants to Say Out Loud
How many of us travel constantly? Maybe you’re hitting the road, and right before the VPN becomes a wall between you and a document you need, you email it to yourself.
Or you forward something through a personal account because the PDF viewer is better, save something to a personal device because the corporate laptop was at four percent, take a screenshot because logging back into SharePoint at the gate wasn’t happening.
None of that is malicious. All of it creates exposure. Most of it never gets flagged, because the tools most organizations are running were built for the deliberate insider — the person who knows exactly what they’re doing and why. The employee cutting friction out of their day, who genuinely doesn’t think they’re doing anything wrong, is a different profile entirely, and it accounts for the majority of insider threat incidents that don’t make the news.
The Insider Within the Insider
Sometimes the threat is embedded in the people you brought in specifically to protect you.
I saw a story in the CISO Series newsletter recently that I haven’t been able to get out of my head. Two external security professionals — hired to negotiate a ransomware settlement on behalf of a victim organization — were facing a $50 million demand. They brought it down to $25 million in their negotiation with the ransomware group. They told the client the settlement was $20 million. They pocketed the $5 million difference, and as part of the arrangement with the ransomware group, the attackers retained a backdoor into the victim’s environment.
They just got arrested.
The threat wasn’t inside the company. It was inside the people the company trusted to fight it. That’s the outer edge of this category, and it’s worth sitting with. Insider threat isn’t a category defined solely by employment status. It’s a category that spans access, and what happens when someone who has it decides to use it for nefarious reasons.
After walking through all of the risks associated with insider threat, you might expect the recommended solution to be a six-figure detection platform.
It isn’t. The most practical first step for most organizations is awareness.
Pull the departments most likely to encounter these situations — finance, HR, engineering — and have a plain conversation about what insider threat actually looks like in its everyday form. Identify the signals, what to do when something feels off, and who to call. See something, say something. That phrase didn’t originate in cybersecurity, but the concept applies here more than most people realize.
You are not going to build that space contractor’s detection program by next quarter. But you can start building a culture of awareness where the person who notices something unusual knows they’re supposed to call it out and feels safe doing so.
https://www.securitymagazine.com/articles/102389-why-insider-threats-deserve-a-spot-at-the-top-of-your-risk-list


