What CISOs Want You To Know About Insider Threats

Insider threats aren’t just headline-grabbing sabotage stories. They’re often subtle, slow-moving, and deeply human. Whether it’s negligence, burnout, or espionage, insider risk sits at the intersection of behavior and access, and it demands more than technical controls.

We invited four seasoned CISOs to share what they’ve learned while confronting insider threats firsthand:

  • Andy Ellis, (u/CSOandy), principal, Duha
  • David Cross, (u/MrPKI), CISO, Atlassian
  • Jack Leidecker, (u/JD-Sec), CISO, GONG
  • Leslie Nielsen, (u/cyberguy1729), CISO, Mimecast

Their stories range from espionage and fraud to accidental misuse and the challenges of HR, tooling, and trust.

You can read all of the Q&As straight from the source, but we’ve distilled some key takeaways for you from the AMA.


Not all insiders are created equal

“First, a taxonomy. I draw from the Microsoft Inclusive Design Principles… and categorize Insider Threat as Permanent (an insider’s assets, with malicious intent), Temporary (an insider’s assets that are currently acting hostile), and Situational (an insider’s assets that, due to situational incentives, are acting contrary to your interest).”

— Andy Ellis, (u/CSOandy), principal, Duha

Understanding motivation is key. Some insiders are career threats; others are reacting to the moment. Andy described Temporary threats as “employees intentionally misusing unused assets” and Situational threats as those who “caused others to believe this was instead an actual perk of employment.”


Sometimes, it is like a spy movie

“I’ve dealt with the Permanent Adversary: an employee who thought they were selling our IP to a foreign government.”

— Andy Ellis, (u/CSOandy), principal, Duha

This incident turned out not to involve a foreign adversary after all, but the details read like a thriller. The employee pretended to be a consulate for four years, and the FBI let the act play out before eventually arresting them.


Awareness training doesn’t catch everything

“Security Awareness Training is functionally useless (I actually think it mostly has negative value).”

— Andy Ellis, (u/CSOandy), principal, Duha

Detection often comes from outside your org. Andy shared three examples: the FBI flagged one case, a customer exposed a data leak in another, and in a third, internal suspicion was raised by the “agility of a competitor” replicating new features.


Monitoring still matters

“In today’s world, you need to monitor all native applications as these are commonly used outside of the various browser sessions and web links.”

— David Cross, (u/MrPKI), CISO, Atlassian

Basic oversight still works. Several CISOs emphasized simple, continuous monitoring, especially for cloud-native, browserless tools, as essential for spotting suspicious use.


People rat each other out — if they know how

“Single biggest one: Listen to outside people reporting things to you, either intentionally or through their actions.”

— Andy Ellis, (u/CSOandy), principal, Duha

Strong detection doesn’t always mean advanced tooling. It means listening to partner complaints, offhand remarks, and the people around the threat. Several participants noted that a “reporting culture” was more predictive than SIEMs or dashboards.


Detection is usually after the fact

“In my experience the trend is towards more incidents being a result of ignorant or malicious insiders. Currently, ignorance is still slightly ahead of malice as a cause, but the gap is beginning to narrow.”

— Leslie Nielsen, (u/cyberguy1729), CISO, Mimecast

Most insider threats aren’t caught proactively. They’re discovered during incident reviews, log analysis, or customer complaints. This reinforces the value of retaining log data, and of humility, over relying on assumptions about intent.


Onboarding is your first (and last) line of defense

“There are numerous fraudulent candidate scenarios occurring that demand companies have strict identity, background and interview checks to thwart these activities.”

— David Cross, (u/MrPKI), CISO, Atlassian

HR is part of security. The team warned about adversarial hiring, where job seekers use fake credentials or obfuscate intent, and encouraged rigorous onboarding checks, even for lower-risk roles.


Don’t underestimate the angry admin

“Good HR policies. Seriously: We overfocus on the admin piece, and underfocus on the angry component. How can we make sure everyone has better motives than to abuse you?”

— Andy Ellis, (u/CSOandy), principal, Duha

Most admins don’t want to become a single point of failure. But poor severance practices, toxic culture, and overlooked grievances can make them one. Andy urges organizations to think not just about technical access, but emotional incentives.


Don’t assume a Gmail address is safe

“Data is key here to see if you can build a profile of what is normal or not. Also, if it is a customer that makes sense but typically employee to Gmail is not as usual or shouldn’t be at least.”

— Jack Leidecker, (u/JD-Sec), CISO, GONG

It’s common for insiders to hide in plain sight, like using Gmail under the guise of customer communication. Knowing your baselines is essential to detect real misuse.
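A per-sender baseline of the kind Jack describes, as an added example (not code from the AMA or from any panelist's tooling): it parses a constructed mail-gateway log, counts each sender's daily messages to consumer webmail domains, and flags only senders whose latest-day volume breaks their own history, so a support desk that mails Gmail every day is not an alert while an engineer who never did is. The log line format, the webmail domain list and the `sigma`/`min_count` thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed set of consumer webmail domains; the article itself only names Gmail.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# Constructed gateway log (date, sender, recipient domain, message count); not from the article.
_CONSTRUCTED = [
    ("2024-05-01", "support@corp.example", "gmail.com", 3),  # customer-facing: Gmail is normal
    ("2024-05-02", "support@corp.example", "gmail.com", 4),
    ("2024-05-03", "support@corp.example", "gmail.com", 3),
    ("2024-05-04", "support@corp.example", "gmail.com", 4),
    ("2024-05-01", "alice@corp.example", "customer.example", 2),
    ("2024-05-04", "alice@corp.example", "customer.example", 1),
    ("2024-05-04", "bob@corp.example", "gmail.com", 4),  # no prior Gmail traffic at all
]
SAMPLE_LOG = "\n".join(f"{d} sender={s} rcpt=user{i}@{dom}"
                       for d, s, dom, n in _CONSTRUCTED for i in range(n))
LINE_RE = re.compile(r"^(\S+) sender=(\S+) rcpt=(\S+)$")  # assumed log line format

def parse_log(text):
    """Yield (date, sender, recipient_domain) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, sender, rcpt = m.groups()
            yield date, sender.lower(), rcpt.lower().rsplit("@", 1)[-1]

def daily_webmail_counts(text):
    """Return ({sender: {date: webmail message count}}, sorted list of all dates seen)."""
    counts, dates = defaultdict(lambda: defaultdict(int)), set()
    for date, sender, domain in parse_log(text):
        dates.add(date)
        if domain in WEBMAIL_DOMAINS:
            counts[sender][date] += 1
    return counts, sorted(dates)

def flag_anomalies(text, sigma=3.0, min_count=3):
    """Flag senders whose latest-day webmail volume exceeds their own mean + sigma*stdev."""
    counts, dates = daily_webmail_counts(text)
    if len(dates) < 2:  # no history to baseline against
        return {}
    today, prior = dates[-1], dates[:-1]
    flagged = {}
    for sender, per_day in counts.items():
        history = [per_day.get(d, 0) for d in prior]  # zero-fill quiet days
        today_n = per_day.get(today, 0)
        threshold = mean(history) + sigma * pstdev(history)
        if today_n >= min_count and today_n > threshold:
            flagged[sender] = (today_n, round(threshold, 2))
    return flagged
```

`min_count` keeps a single first-ever webmail message from paging anyone; in practice the baseline window would be weeks of data rather than three days.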


Final thought: Insider threat is about knowing your people

Whether the insider is malicious, negligent, or just uninformed, each story shared by our panel pointed to the same thing: These threats are about people, not just logs or tooling. And the solution isn’t just tech. It’s culture, connection, and vigilance.

“Knowing your employee” might be the most powerful control you have.


Join us again for our next Reddit AMA starting Sunday, December 14:

“I’m a CISO who transitioned our security program from compliance-driven to risk-based. Ask Me Anything.”