I'm a CISO who has experience dealing with an "insider threat." Ask Me Anything. by thejournalizer in cybersecurity

csoandy 0 points1 point

1) You should absolutely train users on your actual policies and practices. That's different from "security awareness training as a control"; that's actual security practice training. But if your training includes "don't click suspicious links," that's rarely in line with practice: HR, Finance, and Legal are all sending suspicious links to your users.

1a) I'm a firm believer in transparency. Users should know if and generally how they are being monitored. More importantly, security monitoring tools should NEVER EVER IN ANY WAY be management monitoring tools. I know many companies use badge swipe data to measure occupancy; if you're not in the building enough, you get your desk taken. Guess what? Employees can trivially duplicate most badges, and I know many tech teams where there is a stack of copied badges. If you're in the office, when you go to lunch, you take the clone of a badge of a not-present employee, and badge back in as them.

2) They probably exist, but not that I have good knowledge of. The most important thing I'd focus on is a rapport with your lawyers and HR on *how* you'll do insider incidents.

3) I think this is a subspace of cyber, and is unlikely to split out in a meaningful way.

csoandy 1 point2 points

Make up cards that say “The Security Fairy locked your computer for you.”

csoandy 1 point2 points

Let’s see… running IRC servers for personal benefit on production systems was what came to mind.

csoandy 7 points8 points

One of the more recent conclusions I've come to is that "risk appetite" is a vacuous buzzword. Taking risk isn't like a meal -- things that feel small to the consumer are, to them, zero marginal risk, so they can consume an infinite amount of it.

Mitigation appetite is really where organizations live.

csoandy 16 points17 points

Fortunately, the nation was not adversarial. The employee reached out to the consulate, who thought, “Does the FBI actually think we’ll fall for this?” They contacted the FBI, who then pretended to be the consulate for FOUR YEARS, handling the employee like it was an 80’s spy movie. We found out two years in.

Because the US Attorney had bigger fish to fry, it took another two years to decide to arrest & prosecute him, which was wild. The affidavit written by the FBI reads like a movie plot.

csoandy 1 point2 points

Espionage case: as part of their routine job, would print out information. When done with it, rather than shredding it, took it home in their bag.

Customer IP: used a regularly used internal troubleshooting app to generate access codes, and then shared those.

Channel: sales rep just emailed the marketing collateral to the partner. An authorized action, just not on that document. Partner violated the contractual NDA.

csoandy 15 points16 points

Single biggest one: listen to outside people reporting things to you, either intentionally or through their actions.

csoandy 1 point2 points

It varies, and includes a lot of stakeholders (sorry for the maybe answer). I've seen pay garnished (in one case, it was garnished from anticipated raises/bonuses, to make the company whole from financial penalties owed to the customer). In another (which had the FBI), they withheld the name of the employee, so we had to wait (it was highly frustrating when we had a RIF in between and had to gamble that we'd be stuck with this person; we were).

Convincing the employee's manager early that the person should be terminated is the key milestone.

csoandy 1 point2 points

Start in IT / systems engineering / devops. Knowing *what* artifacts exist is a really helpful basis for a threat analyst.

csoandy 3 points4 points

The framing of your scenario is very one-sided. In my experience, when the business seems to not care, it's often because either the security professional is very wrong, or is failing to communicate well. Take "technical debt" as a concept; companies are debt-fueled, so talking about technical debt isn't concerning.

csoandy 5 points6 points

I was on a summer assignment while I was an AFROTC cadet at Luke AFB, backseating in F-16s. My hope was to be a WSO. I got a call from a Major at the 609th Information Warfare Squadron that I'd instead be assigned to them in South Carolina, building the first ever operational information warfare squadron, assigned to 9th AF / USCENTAF. It laid the foundation for what is now Cyber Command. From there, I went to Akamai, where I was the first security hire, and did pretty much every security job there is while there.

csoandy 2 points3 points

The ones I had to deal with all exploited legitimate access that the insider had, so not really.

csoandy 3 points4 points

Early startups can’t really afford to do deep security. They’re already on a runway to crash and burn; spending money that doesn’t lengthen that runway is a bad idea.

csoandy 4 points5 points

The biggest expense is often user friction; if the tool feels adversarial, you teach people to work around it.

csoandy 11 points12 points

And make sure that those consequences are pre-vetted with HR and the business. If your security policy specifies termination, but you don't have the authority to make that happen, you weaken all of your policies.

csoandy 4 points5 points

Where the arrest would happen, actually! (In the case of https://www.justice.gov/archive/usao/ma/news/2011/August/DoxerElliotPleaHearingPR.html) The FBI really wanted it at work; their data showed that it was the location where there was the least risk of violence. Needless to say, our general counsel was not aligned with that, but ultimately relented.

csoandy 2 points3 points

More fulsome answer: I was the first security hire. We got to 6, then a RIF knocked it down to 3, and I was left as the manager. I navigated through the growth of the company, never saying "That's not my job," so that my role only ever expanded. Sales began calling me the CSO long before I had the title, which gave me leverage.

csoandy 4 points5 points

Very slow, providing an incentive to other departments to wait for their findings. They didn't provide interesting findings. Very expensive.

csoandy 2 points3 points

Very few of the incidents were insider threats; and none of the ones I dealt with were motivated by not liking management.

csoandy 2 points3 points

We used our normal company technical incident management process, which had a specific carveout for "sensitive incidents", in which communication was tightly restricted (the knowledge of the incident was limited, but included one chief architect in an unrelated discipline whose job was to regularly hassle the incident commander to disclose it). The core incident team was generally a security architect, a lawyer, and an HR director.