Insider Risk 101: Building the Foundation

From knowing you need a program to actually building one that works — across competing priorities, legal constraints, and technology choices.

Start With the Right Questions. Build the Right Program.

Every insider risk program fails or succeeds at the foundation. Before the tools, before the policies, before the budget conversation — you need to know what you’re actually defending
against, and why most organizations getit wrong from day one.

In this episode, we define the three insider threat archetypes — malicious, negligent, and compromised — and explain why treating them the same is the first critical mistake. We break down the stakeholder alignment problem, the “crown jewels” gap, and what separates programs that stick from programs that stall.

Key Discussion Topics:

Insider threat typology

Malicious, negligent/complacent, and compromised — defined and differentiated

Structural difference

Why insider risk demands a fundamentally different approach from external threat defense

The business case

Getting Legal, HR, IT, Finance, and other stakeholders aligned from the start

Foundational components

Policy, governance, detection, and response — what must be in place

First 90 days

Common mistakes organizations make in early program design

"Table stakes" vs. differentiated design

Where programs go wrong even when basics are covered

Our Speakers

Shawn Thompson

Founder & CEO, ITMG

Michael Gelles

Managing Director at Deloitte

Christina Morillo

Sr. Director of Information Security at New York Football Giants

Peter Hadjigeorgiou

Field CISO, Teramind