I have spent more than two decades working at the intersection of insider threat, insider risk, counterintelligence, cybersecurity, investigations, law, and enterprise risk management.
My career has taken me from the FBI and federal courtrooms to the National Security Agency, Google, and the boardrooms of large global organizations. Along the way, I have helped investigate sensitive national-security matters, build insider threat programs, advise Fortune 500 companies, develop enterprise operating models, and create new approaches for measuring and managing insider risk.
Today, I am the founder and CEO of Insider Threat Management Group (ITMG), the founder of RiskTKO®, and the creator of the Insider Risk Capability Framework™ (IRCF™) and the Insider Risk Body of Knowledge™ (BoK™).
My work is focused on a simple but important objective: Help organizations move beyond fragmented tools, isolated investigations, and static assessments so they can manage insider risk as a governed, measurable, and defensible enterprise risk discipline.
That mission did not emerge from theory. It grew out of years spent working inside complex organizations where the stakes were real, the information was sensitive, and the decisions affected people, operations, national security, and institutional trust.
An Unusual Path Into Insider Risk
There is no single career path into insider risk management. Some practitioners begin in cybersecurity. Others come from investigations, compliance, intelligence, human resources, legal, fraud, or physical security. My own path crossed nearly all of those disciplines.
I began my federal career as a strategic analyst in the FBI's National Security Branch. The work required me to take complex information, identify meaningful patterns, and communicate those patterns clearly to senior decision-makers. At one point, I served as FBI Director Robert Mueller's morning intelligence briefer. The responsibility reinforced a lesson that has stayed with me throughout my career:
"Senior leaders do not need more data. They need clarity about what the data means, what could happen next, and what decision they need to make."
That lesson is directly relevant to insider risk programs today. Many organizations collect enormous volumes of data from DLP, SIEM, UEBA, user activity monitoring, identity systems, case-management platforms, human resources processes, and investigative channels. Yet leaders still struggle to answer basic questions:
- Where is our greatest insider risk exposure?
- Which populations require the most attention?
- Which weaknesses should we address first?
- Are we becoming more or less exposed?
- Are our investments reducing risk?
- Can we defend the decisions we are making?
My work has increasingly focused on helping organizations answer those questions.
FBI Legal, Cyber, and Counterintelligence Experience
I later served as an Assistant General Counsel in the FBI's Office of General Counsel. In that role, I supported matters involving economic espionage, cyber intrusions, insider threats, counterintelligence, classified information, and national security. The work required close coordination among agents, analysts, prosecutors, executives, and operational teams.
I also helped establish the FBI's first cybersecurity attorney capability and trained personnel on cyber investigations, counterintelligence, espionage, FISA, classified litigation, and related legal issues. This experience gave me an early view into one of the central challenges of insider threat management:
The facts are rarely contained in one system, owned by one function, or understood by one stakeholder.
A cybersecurity team may see unusual technical activity. Human resources may know about a personnel issue. Legal may understand the regulatory or litigation risk. Investigators may recognize a behavioral pattern. Business leaders may understand the operational context. Individually, each function has only part of the picture.
Effective insider risk management requires those functions to work together without abandoning their own responsibilities, legal boundaries, or professional judgment. That sounds straightforward; in practice, it is one of the hardest things for an organization to do.
Lessons From Federal Prosecution and Investigations
I also served as a Special Assistant United States Attorney in Washington, D.C., and Maryland. Courtroom experience changes the way you think about risk. A theory is not enough. An allegation is not enough. A suspicious pattern is not enough. You must understand what the evidence supports, what it does not support, how the information was collected, whether the process was fair, and whether the decision can withstand scrutiny.
That mindset has shaped the way I approach insider risk. Insider risk programs operate in a sensitive space. They affect employees, contractors, organizational culture, privacy, legal exposure, reputation, and trust. A technically sophisticated program can still fail if it lacks proportionality, governance, documentation, and defensible decision-making.
I have often told leaders that the goal is not to monitor everyone more aggressively. The goal is to make better decisions using the right information, under the right authority, with the right safeguards.
Contributing to Major Counterintelligence Matters
During my time with the FBI, I contributed to the successful prosecution of ten Russian spies associated with the Russian Illegals Program. The case reflected the complexity of modern counterintelligence and insider-related risk. Serious threats do not always present themselves through one dramatic event; they may develop gradually through access, relationships, collection activity, concealment, and exploitation of trusted environments.
"Trust and access are necessary for organizations to function, but unmanaged trust and access can become sources of exposure."
This is why insider risk cannot be reduced to identifying "bad employees." Insider risk can arise from malicious activity, negligence, compromised credentials, excessive access, process weaknesses, third parties, workforce transitions, poor governance, cloud misconfiguration, ineffective controls, and gaps between organizational functions. The discipline must be broad enough to account for all of those possibilities.
Building and Leading Insider Threat Capabilities at NSA
I later joined the National Security Agency, where I served as a senior litigation attorney, senior special agent, and Insider Threat Program Manager. At NSA, insider threat was not an abstract concern; it was a mission requirement.
My work included expanding the agency's insider threat capability across governance, monitoring, investigations, policy, controls, training, compliance, vetting, and executive coordination. I also chaired the Intelligence Community Insider Threat Mission Group, served as NSA's representative to the National Insider Threat Task Force, and was appointed by the Office of the Director of National Intelligence as an Intelligence Community insider threat technical lead. Those roles required coordination across agencies, technical teams, legal functions, counterintelligence organizations, policy officials, and senior leaders.
One of the most important lessons from that period was that technology alone does not create an insider threat program. Organizations often begin by asking: What tool should we buy? A more important set of questions comes first:
- Who owns the risk?
- Who can make decisions?
- What information can be shared?
- What legal authorities apply?
- How will concerns be escalated?
- Who determines proportionality?
- What constitutes sufficient evidence?
- How will the program measure effectiveness?
- How will leaders know whether exposure is improving?
Without governance and operating discipline, even excellent technology produces fragmented results.
From Insider Threat to Enterprise Insider Risk
When I founded ITMG, I brought those lessons into the private sector. Over time, I advised more than 100 Fortune 500 organizations and supported more than 300 insider risk engagements, including more than 150 capability assessments and over 20,000 consulting hours.
Across industries, I saw many of the same problems repeatedly:
- Organizations had tools, but not an integrated operating model.
- They had investigations, but not enterprise risk visibility.
- They had policies, but unclear decision rights.
- They had data, but no consistent way to translate it into priorities.
- They had assessment reports, but struggled to sustain action after the consultants left.
- Their programs depended heavily on spreadsheets, manual coordination, and personal relationships.
In one engagement after another, the challenge was not simply identifying gaps. The harder problem was helping the organization decide what to do next. That required connecting governance, people, process, technology, legal requirements, privacy considerations, investigative workflows, risk tolerance, program maturity, executive priorities, and available resources.
Designing and Transforming Enterprise Programs
Through ITMG, I worked with organizations to assess, design, build, and mature insider threat and insider risk programs. The work included program governance, executive steering committees, legal and privacy frameworks, capability assessments, risk registries, technical roadmaps, DLP/UEBA integration, monitoring strategy, identity and access management, investigative procedures, training, metrics, and executive reporting.
One of the most rewarding parts of this work was seeing organizations move from uncertainty to clarity. At the beginning of an engagement, leaders might have dozens of concerns, competing stakeholder views, and no common way to prioritize them. By the end, they could see where the organization was exposed, which actions mattered most, who owned each action, and how progress would be measured.
Leading Global Insider Risk Services at Google
I later served as the Global Insider Risk Practice Lead at Google. There, I worked to expand the conversation from tactical monitoring and individual use cases to broader enterprise risk management. Many customers already had significant technology investments. Their challenge was understanding how those capabilities fit into a coherent strategy.
The questions were familiar: How should governance work? How should legal, privacy, HR, security, and investigations coordinate? Which technical signals matter? How should organizations prioritize investments? How can program maturity be measured? How can insider risk be communicated to executives and boards?
I helped build and scale Google's global insider risk service, develop repeatable assessment and transformation offerings, and translate technical capabilities into executive risk narratives and strategic roadmaps. That experience further reinforced the gap between technical information and enterprise decision-making. Most organizations do not suffer from a complete absence of signals; they suffer from an inability to translate those signals into a defensible understanding of exposure.
Why I Created the Insider Risk Capability Framework™
After years of assessments and program-development engagements, I became convinced that the profession needed a more complete and practical capability model. Organizations needed a common structure for understanding what an effective insider risk program should be able to do. That led me to create the Insider Risk Capability Framework™ (IRCF™).
The IRCF™ organizes insider risk into ten interdependent components:
The framework is intended to give organizations a shared language for assessing capability, identifying gaps, prioritizing improvement, and measuring maturity. It also reflects an important principle: Insider risk is not owned by one department. It is a coordinated enterprise capability that depends on many functions working together.
Why I Created the Insider Risk Body of Knowledge™
I also created the Insider Risk Body of Knowledge™ (BoK™) to provide practitioners with a unified, publicly accessible resource for insider threat and insider risk management. The field has historically lacked a single reference point that brings together foundational concepts, standards, laws, use cases, metrics, procedures, tools, personas, case studies, templates, checklists, and program-development guidance.
The Insider Risk BoK™ reflects lessons learned across government, consulting, technology, investigations, law, and hundreds of enterprise engagements. Its purpose is to help practitioners develop stronger programs without forcing every organization to start from scratch.
Why I Developed RiskTKO®
Traditional consulting engagements often produce a report, a briefing, and a list of recommendations. Those deliverables can be valuable, but they have a limitation: They are static. The organization changes. Threats change. Technology changes. Yet the report remains frozen in time.
I developed RiskTKO® to address that problem. RiskTKO® is designed as an insider risk exposure management platform. It helps organizations turn assessment findings, organizational context, capability gaps, cohort risk, risk-registry information, and implementation progress into a living view of insider risk exposure.
The objective is not to replace security tools or investigative platforms. It is to help leaders understand where the organization is exposed, what should be fixed first, how exposure is changing, and whether investments are producing meaningful results. RiskTKO® represents the next stage of the work I have pursued throughout my career: translating complex information into clear, defensible decisions.
My Philosophy on Insider Risk
After decades in this field, several principles continue to guide my work:
Insider risk is an enterprise risk
It cannot be managed solely by cybersecurity, investigations, legal, or HR. It requires coordinated ownership across the organization.
Technology is necessary, but insufficient
Tools provide signals. Programs create context, governance, accountability, and decisions.
Trust and Proportionality matter
Programs must protect the organization without undermining employee trust. Not every anomaly is misconduct; programs must distinguish risk from noise.
Evidence and Metrics must support decisions
Counting alerts, cases, or training completions does not necessarily tell leaders whether exposure is improving. Decisions must be grounded in reliable facts.
What Makes My Experience Different
My perspective has been shaped by experiences that rarely sit together in one career: FBI national-security analysis, FBI legal and cyber-investigation support, federal prosecution, counterintelligence matters, NSA insider threat program leadership, Intelligence Community coordination, enterprise consulting, Fortune 500 assessments, Google global practice leadership, framework development, professional education, and SaaS platform creation.
That combination allows me to view insider risk through multiple lenses. I understand the investigator who needs reliable facts. I understand the attorney who must evaluate authority, process, and evidence. I understand the security team trying to connect technical signals. I understand the executive who needs a clear risk decision. I understand the program leader trying to align stakeholders with different responsibilities and priorities. And I understand the practitioner who is being asked to build a mature program with limited time, limited resources, and high expectations.
The Work Ahead
Insider risk is becoming more complex. Organizations now operate across cloud platforms, SaaS environments, remote workforces, contractors, artificial intelligence tools, personal devices, collaboration platforms, and rapidly changing data ecosystems. The traditional perimeter has largely disappeared. Access is broader. Information moves faster. Roles change more frequently. Third parties are more deeply embedded. AI can amplify both productivity and misuse.
The answer is not indiscriminate monitoring. The answer is a more mature management discipline. Organizations need to understand exposure, prioritize action, coordinate stakeholders, measure progress, and preserve trust. That is the work I have spent my career pursuing, and it is the work that ITMG, the Insider Risk Capability Framework™, the Insider Risk Body of Knowledge™, and RiskTKO® are designed to advance.