Five priorities Federal leaders need to consider when addressing insider threats

May 9, 2025
Understanding adversaries, optimizing strategies, investing in advanced platforms, leveraging data, and fostering collaboration can help agencies achieve risk resiliency.

Insider threats are evolving rapidly, posing a significant and growing risk to national security. With mounting concerns about ties to foreign adversaries and extremist groups, the new presidential administration is evaluating its focus, which has resulted in a significant number of exits and resignations aligned with the Department of Government Efficiency (DOGE). Insider risk must be a consideration here, as both voluntary and involuntary “leavers” and new entrants, or “joiners,” create an elevated risk environment. From bolstering defenses against cyber espionage to emphasizing collaboration with the private sector, the new administration presents an opportunity for a comprehensive review of the strategy for securing critical infrastructure and protecting sensitive federal data.

This momentum presents a unique opportunity for federal cybersecurity leaders to reassess and advance their cybersecurity priorities across the board, with a focus on addressing insider risk. With policies, procedures, and funding all under evaluation, this is the time to have the right conversations, review existing programs, and identify critical gaps. By taking these proactive steps, leaders can help position their organizations to secure the funding, resources, and expertise needed to establish a robust and resilient insider risk management program.

Five Keys to Ensure a Foundational Risk Management Program

Below are five key priorities to ensure insider risk programs continue to progress toward effective detection, deterrence, and mitigation in 2025.

1. “Know Thy Enemy”: Understand the Complexity of Insider Threats

The first step in combating insider threats is not only understanding the adversary but also being able to articulate the complexity of the threat at the highest level. The government’s livelihood has always been based on expert knowledge of the enemy; it remains the best in the world at it. As the prevalence and novelty of insider-based attacks represent a concerning and growing adversarial threat, it will demand the same level of awareness, respect, and focus as we have traditionally given to externally focused attack behavior.

Recently, North Korean operatives have infiltrated U.S. companies by posing as remote IT workers under fake identities. Meanwhile, China has refined its tactics by blending cyber intrusions with insider collusion to target critical infrastructure. These strategies represent an evolution of adversarial behavior that demands ongoing vigilance and adaptation to stay ahead of the threat.

Blended attacks—combining external tactics with insider access—pose a particularly grave challenge. Techniques such as living off the land (abusing legitimate, already-installed tools for malicious purposes), credential misuse, and credential theft allow adversaries to evade detection while inflicting significant damage.

To counter these threats effectively, leaders must recognize the adversary’s changing tactics and clearly articulate the risks to secure the resources and alignment needed to address them. Adversaries often operate with long-term, strategic goals. Anticipating these moves affords the best chance at proactive risk management, rather than playing a reactive defense.

2. Review and Optimize Your Insider Risk Management Strategy

Whether an organization is just beginning its insider risk management journey or has a mature program in place, continuous evaluation and improvement is essential. Leaders must assess whether their efforts align with the latest risks and organizational goals. Are existing practices yielding measurable outcomes? Are there gaps that need to be addressed?

The National Insider Threat Task Force’s Insider Threat Maturity Framework provides a roadmap for advancing insider risk programs, encouraging a progression from basic awareness to proactive, intelligence-driven strategies.

Moreover, the growing integration of artificial intelligence (AI) into insider risk programs highlights the need for robust AI governance. As AI tools are increasingly deployed to identify behavioral anomalies and predict risks, federal agencies must establish frameworks to ensure transparency, fairness, and security in AI-driven decision-making.

3. Look at the Full Picture

Insider threats are growing increasingly complex, and piecemeal solutions can leave critical gaps and inefficiencies, resulting in unaddressed vulnerabilities. Federal leaders need to ensure that their tools provide a comprehensive view of insider risk. By ensuring that tools offer a holistic view of user behavior across networks, they can enhance operational efficiency and decision-making capabilities.

Behavioral analytics is a cornerstone of effective insider risk management. By integrating endpoint telemetry with cyber, physical, and psychosocial inputs, agencies can detect anomalies early and contextualize insider actions, reducing false positives and improving response precision. This proactive approach allows threats to be identified before they escalate into costly or damaging incidents.

Unified monitoring systems address these gaps, providing complete visibility and actionable insights in a single view. By consolidating capabilities and leveraging advanced analytics, agencies can strengthen defenses, optimize cybersecurity investments, and better protect national security against evolving insider threats.

4. Use Data to Drive Successful Insider Risk Program Outcomes

As insider threats become more sophisticated, so too must the methods used to measure and manage these risks. Cybersecurity leaders should invest in technology that quantifies human risk on a granular, individualized level. By analyzing and baselining behavior by role, department, and geography, organizations can create dynamic risk scores that accurately identify deviations from normal behavior.

For executives, this shift toward individualized risk assessments means that security decisions will become more nuanced. Organizations need to consider the concept of privacy by design, ensuring that privacy protections are built into any tool they use. Instead of a blanket approach, tailored strategies can be employed to address specific risk profiles. For example, employees in high-risk departments may warrant closer monitoring, while employees with elevated privileges could be subject to more frequent reviews. Leavers and joiners represent another high-risk cohort that may require additional monitoring, especially during times of organizational transition. This is a consideration that is currently taking center stage, given the recent action by DOGE, with more transitions to come.
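The two paragraphs above describe baselining behavior by role, department, and geography, scoring deviations from that baseline, and weighting leavers and joiners more heavily. The example below is added here to show what that looks like in code; it is not DTEX Systems' product logic or anything from the original article. All telemetry records, the HR transition lists, the median/MAD baseline method, the per-metric cap, the 1.5x transition weight, and the triage thresholds are constructed assumptions for illustration. It also contrasts a cohort baseline with a single workforce-wide baseline to show why the cohort matters.

```python
"""
Cohort-baselined insider risk scoring over constructed endpoint telemetry.

Each user's weekly activity counts are compared with a robust baseline
(median and median absolute deviation, MAD) computed for the user's cohort
(role, department, geography) instead of the whole workforce. Positive
deviations are summed into a per-user risk score, which is raised for
users in transition (leavers and joiners). All data and weights below are
constructed assumptions, not values from any real program.
"""
from collections import defaultdict
from statistics import median

# Constructed weekly telemetry: one record per user. Metrics are counts an
# endpoint agent could plausibly report (files written to removable media,
# logins outside business hours).
TELEMETRY = [
    {"user": "alice", "role": "engineer", "dept": "platform", "geo": "us-east", "usb_file_copies": 10, "after_hours_logins": 1},
    {"user": "bob",   "role": "engineer", "dept": "platform", "geo": "us-east", "usb_file_copies": 11, "after_hours_logins": 0},
    {"user": "carol", "role": "engineer", "dept": "platform", "geo": "us-east", "usb_file_copies": 11, "after_hours_logins": 1},
    {"user": "dave",  "role": "engineer", "dept": "platform", "geo": "us-east", "usb_file_copies": 10, "after_hours_logins": 0},
    {"user": "grant", "role": "engineer", "dept": "platform", "geo": "us-east", "usb_file_copies": 30, "after_hours_logins": 4},
    {"user": "erin",  "role": "analyst",  "dept": "finance",  "geo": "us-west", "usb_file_copies": 0,  "after_hours_logins": 2},
    {"user": "frank", "role": "analyst",  "dept": "finance",  "geo": "us-west", "usb_file_copies": 1,  "after_hours_logins": 1},
    {"user": "hale",  "role": "analyst",  "dept": "finance",  "geo": "us-west", "usb_file_copies": 5,  "after_hours_logins": 1},
    {"user": "ivy",   "role": "analyst",  "dept": "finance",  "geo": "us-west", "usb_file_copies": 0,  "after_hours_logins": 2},
]

# Constructed HR feed. Users in transition get a higher weight (assumed 1.5x).
LEAVERS = {"grant"}
JOINERS = {"hale"}
TRANSITION_WEIGHT = 1.5

METRICS = ("usb_file_copies", "after_hours_logins")
PER_METRIC_CAP = 10.0   # one runaway metric cannot dominate the score
MIN_SCALE = 1.0         # floor so a near-constant cohort never divides by ~0


def cohort_key(rec):
    """Baseline peers: same role, department, and geography."""
    return (rec["role"], rec["dept"], rec["geo"])


def global_key(rec):
    """Comparison baseline: everyone in one group."""
    return "all"


def baselines(records, key_fn):
    """Median and MAD per (cohort, metric). MAD is used instead of the
    standard deviation so a single outlier does not inflate its own baseline."""
    groups = defaultdict(list)
    for rec in records:
        for m in METRICS:
            groups[(key_fn(rec), m)].append(rec[m])
    out = {}
    for key, values in groups.items():
        med = median(values)
        mad = median([abs(v - med) for v in values])
        out[key] = (med, max(mad, MIN_SCALE))
    return out


def deviation(value, baseline):
    """Deviation above the cohort median in MAD units, floored at 0 (less
    activity than peers is not risk) and capped at PER_METRIC_CAP."""
    med, scale = baseline
    return min(max((value - med) / scale, 0.0), PER_METRIC_CAP)


def score_users(records, key_fn=cohort_key):
    """Return {user: {"score": float, "drivers": {metric: deviation}}}."""
    base = baselines(records, key_fn)
    result = {}
    for rec in records:
        drivers = {m: deviation(rec[m], base[(key_fn(rec), m)]) for m in METRICS}
        total = sum(drivers.values())
        if rec["user"] in LEAVERS or rec["user"] in JOINERS:
            total *= TRANSITION_WEIGHT
        result[rec["user"]] = {"score": round(total, 2), "drivers": drivers}
    return result


def triage(score):
    """Map a score to a review tier (thresholds are assumptions)."""
    if score >= 10:
        return "investigate"
    if score >= 3:
        return "review"
    return "baseline"


if __name__ == "__main__":
    by_cohort = score_users(TELEMETRY, cohort_key)
    by_global = score_users(TELEMETRY, global_key)
    for user in sorted(by_cohort, key=lambda u: -by_cohort[u]["score"]):
        c, g = by_cohort[user]["score"], by_global[user]["score"]
        print(f"{user:6} cohort={c:5.2f} ({triage(c):11}) global={g:5.2f}")
```

Run stand-alone, the listing shows why the article's cohort baselining matters: the joiner "hale" copies far more files to removable media than any finance peer and lands in the "review" tier under the cohort baseline, but scores zero against a workforce-wide baseline because engineers routinely copy more. The "drivers" field keeps the score explainable to the executive audience the text mentions, and the privacy-by-design point translates here to scoring only aggregate counts per user rather than file contents.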

Organizations need to ensure that their IT and security teams maintain clear lines of communication with executive leadership teams, leveraging robust reporting systems to show leadership the real risks their organization is facing. From a program perspective, leaders must ensure that insider risk management efforts align with mission objectives and operational priorities.

The effectiveness of an insider threat program can be evaluated by its ability to safeguard critical assets, reduce incident response costs, and support the overarching mission of protecting national security and public trust. By capturing metrics, such as the number of proactive interventions compared to reactive responses, organizations can gauge the success of their program and ensure that it continues to evolve in response to emerging threats.

5. Forge Partnerships and Collaborate Year-Round

Finally, insider risk management is a team effort that requires strong collaboration, both within organizations and across industry sectors. The federal insider risk community – comprising government, industry, research, development, and academia – is a tight-knit, strong group of professional experts united by a shared mission to protect national security. By fully leveraging the available expertise, key interrelationships, and the unique perspectives of those within the broader insider risk and cybersecurity ecosystem, critical information, best practices, and insights can be shared, strengthening national security.

Agencies must continue to create channels for continuous dialogue about emerging threats, operational challenges, and technological advancements. By collaborating on joint initiatives, staying committed to the dialogue, and fully participating in insider-focused events (such as the annual Defense Strategies Institute’s National Insider Risk Symposium in DC and the Insider Summit in Monterey), security teams can ensure that they stay ahead of the curve and are prepared to combat even the most advanced insider threats.

Moving Forward with Insider Risk Management

The elevated risk environment created by recent developments within the U.S. government, combined with the expertise that has existed within the federal insider risk community for some time, presents federal cybersecurity leaders with a pivotal opportunity to strengthen their programs further. By understanding adversaries, optimizing strategies, investing in advanced platforms, leveraging data, and fostering collaboration, agencies can build the resilience needed to combat insider risks effectively.

The stakes are high, but the momentum is here. With decisive action and a unified approach, federal cybersecurity leaders can elevate insider risk management to protect national security in an ever-evolving threat landscape.

About the Author

Chris Harris | Senior Vice President, United States Public Sector at DTEX Systems

Chris Harris is the Senior Vice President, United States Public Sector at DTEX Systems, responsible for all aspects of the Public Sector Go-To-Market to include sales, channel, partnerships, government affairs, strategy, and operational oversight.

Before joining DTEX, Chris led the Department of Defense (DoD) and Intelligence Community (IC) sales team at Mandiant (acquired by Google in September 2022), which was the highest-performing and revenue-generating regional sales team in the company.