#REAL THREATS
#REAL DETECTION
#REAL COMPLEXITY
To Integrate or Isolate?
The SOC vs. Standalone IRM Debate
Should your insider risk program live inside the SOC or stand alone with its own team, tooling, and chain of command? This episode answers the org-chart question without the theory.
In 2026, This Isn’t a Tools Debate, It’s a Context Debate.
When the board asks what you’re doing about insider risk, the instinct is to bolt it onto the SOC you already run. But insider risk alerts aren’t host telemetry. They’re about people, behavior, and context, and they pull in HR, Legal, and the business in ways a Tier 1 analyst was never built to handle. The SOC is built for speed, scale, and binary outcomes. Insider risk demands depth, discretion, and multi-disciplinary judgment. Treat them the same and you flood the wrong teams with tickets they can’t action.
Three practitioners who have built and matured these programs at global organizations work through the real decision: when to integrate, when to stand alone, and why almost everyone ends up somewhere in between. They map the tradeoffs honestly, and land on the same place every time: the answer isn’t standalone or integrated, it’s fit-for-purpose. This episode shows you how to find yours.
Key Discussion Topics:
SOC alerts vs. IRM alerts
Why host telemetry and human-behavior signals demand fundamentally different response models, and why an IRM alert may flag rising risk before anyone has done anything wrong
Who’s ready to catch the ticket?
Getting HR and Legal prepared to act on alerts they’ve never had to handle on a clock or an SLA
The “second SOC” trap
Why pitching a separate operation center is a non-starter, and what to pitch instead
Map what already exists
Running a current-state assessment across SOC, HR, Legal, and DLP before you build anything, because building in a vacuum is the wrong move
“Who’s your friend?”
Finding the one stakeholder with a real, urgent use case and landing a quick win on a finite high-risk population, instead of selling the whole program to everyone at once
Why the problem is getting bigger
The agentic workforce, expanding data, and rising disgruntlement, and why that keeps IRM tied to the SOC even as it matures
Our Speakers

JJ Markee
Global Chief Information Security Officer

John Munson
Sr. Director, Global Insider Threat Program Lead, TransUnion

Mark Handy
Managing Director, Morgan Stanley
U.S. InRM CoE
U.S. InRM CoE

Peter Hadjigeorgiou
Field CISO, Teramind