The missing home for an Insider Threat Program: Why organisations need a dedicated function

“The problem with collective responsibility is that it leads to collective irresponsibility.” – Michael Novak, American philosopher, journalist, and diplomat

In today’s complex geostrategic threat environment, insider threats pose one of the most significant challenges to the security of Australian critical infrastructure companies. Whether malicious or unintentional, threats originating from within an organisation can have devastating consequences – ranging from financial losses and reputational damage to regulatory penalties and operational disruptions, even loss of life.

The financial impact alone is alarming. According to the Ponemon Institute’s 2025 Cost of Insider Risks Global Report, organisations face an average annual cost of US$17.4 million due to insider-related incidents.  This figure underscores the need for robust insider threat programs.

Despite this, many organisations struggle to manage insider threats effectively because responsibility is fragmented across multiple departments. Insider Threat Programs often lack a single senior executive owner or a dedicated home, are assigned to portfolios where they are not a priority, or suffer from an imbalance between technology and human factors (too much technology at the expense of the human element). Insider Threat Programs also often face limited budgets, resource constraints, and insufficient education and training for staff, leaving organisations vulnerable.

To address this challenge, there is a compelling case for establishing a dedicated insider threat management function – one that centralises responsibility and accountability, ensures a multidisciplinary approach, and balances both technology and human factors.  Such a function would not only enhance an organisation’s resilience to insider threats but also ensure alignment with regulatory requirements and best practices.

Before determining where an Insider Threat Program should sit within an organisation, we must first understand what we are dealing with – what constitutes an insider threat, how these threats manifest, and what an effective program looks like.  Only then can we identify the logical placement of this function within an organisation’s structure.

What is an insider threat?

There has been considerable debate across various schools of thought regarding the terminology of ‘insider threat’ vs ‘insider risk.’  We have chosen to adopt the terminology and definitions used by the Australian Security Intelligence Organisation.

According to ASIO (2023), Countering the Insider Threat: A Security Manager’s Guide, an insider is any current or former employee or contractor, including supply chain vendors, who has legitimate or indirect access to a workplace’s people, information, techniques, activities, technology, assets, or facilities.

Behaviours such as corruption, insider trading, theft, fraud, conflicts of interest, sabotage, and unauthorised use or disclosure of personal information are interconnected manifestations of insider threats.  These threats can also extend to workplace bullying, violence, coercion, intimidation, and exploitation of power imbalances, impacting psychosocial safety and creating environments where insider risks can escalate unchecked.  Insecure work arrangements, organisational mistrust, and unmanaged workplace grievances can further contribute to insider threat vulnerabilities.

This complexity underscores why managing and mitigating insider threats is such a challenging task – unlike other security risks, we are dealing with an organisation’s most valuable and unpredictable asset: its people.  Human behaviour is dynamic, shaped by a combination of personal stressors, workplace culture, financial pressures, grievances, ideology, and social influences. 

According to Dr Eric Shaw, psychological vulnerabilities, perceived injustice, unmet expectations, and a sense of entitlement or desperation can further drive insider threats.  Because these factors constantly evolve, insider threats are neither static nor easily defined.  As a result, insider threat management requires a multidisciplinary approach that balances security measures with organisational culture, trust, and proactive intervention strategies.

Given these complexities, where should the insider threat function sit within an organisation?  Determining ownership is critical to ensuring an effective and coordinated response.

The challenge of ownership

Traditionally, in the United States, insider threat management has been viewed predominantly as a cybersecurity issue, often placed under the Chief Information Security Officer (CISO) or IT security teams.  However, insider threats extend far beyond cyber risks, encompassing human behaviours, organisational culture, and operational vulnerabilities.

A study by MITRE found that the placement of insider threat programs significantly influences their focus and effectiveness.  When these programs are housed exclusively within IT or security functions, they tend to overemphasise technical threats while failing to integrate human and behavioural risk indicators.  This narrow approach can lead to critical blind spots, where early warning signs of insider threats – such as workplace grievances, financial distress, or shifts in employee behaviour – are overlooked.

Given the multifaceted nature of insider threats, placing the insider threat mitigation function within asingle department – such as cybersecurity or HR – is ineffective. Cybersecurity teams primarily focus onnetwork security, access controls, and data protection, while HR departments handle personnel management, workplace policies, and compliance.  Yet insider threats span multiple domains, requiring expertise in security, IT, HR, legal, risk management, and executive leadership.

Without a centralised function that ensures cross-departmental coordination, insider threats can fall through the cracks, leaving organisations exposed to significant security risks. To build a resilient and proactive insider threat program, organisations must adopt a holistic approach – one that integrates technical, behavioural, and organisational risk management strategies under a clear governance structure.

Lessons from other evolving functions

The challenge of finding a home for an emerging function is not unique to insider threat management.  History shows that when a new organisational risk emerges, it often lacks clear ownership, leading to fragmented responsibilities, inefficiencies, and gaps in oversight. Over time, shifts in regulation, industry best practices, and major incidents have forced organisations to assign clear leadership, dedicated resources, and formal structures to these critical functions.

The evolution of workplace safety

Decades ago, workplace safety was seen as everyone’s responsibility, yet no one was truly accountable. Safety concerns were often handled reactively by various departments – operations, HR, and compliance – without a cohesive strategy.

However, catastrophic industrial accidents such as the Bhopal disaster (1984) and the Piper Alpha explosion (1988) highlighted the consequences of poorly managed safety risks. In response, governments and industries introduced stringent Work Health and Safety regulations, mandating that organisations establish dedicated safety functions.

Today, safety officers, risk committees, and corporate safety departments are standard in most industries, showing how a once-distributed function evolved into a structured, accountable discipline.

Cybersecurity: From IT side function to enterprise priority

In the early days of cybersecurity, digital security risks were viewed as a technical problem, typically managed within IT departments.  However, as cyber threats became more sophisticated and widespread, it became evident that cybersecurity required a broader, organisation-wide approach.

Major cyber security incidents demonstrated the devastating consequences of poor cyber risk management. Governments responded by introducing mandatory cybersecurity frameworks, such as the NIST Cybersecurity Framework and ISO 27001.

Many organisations moved cybersecurity out of IT, establishing Chief Information Security Officers (CISOs) and dedicated cybersecurity teams that report directly to executive leadership. This shift reinforced cybersecurity as a strategic enterprise risk, rather than just an IT issue.

The rise of data privacy and compliance

A similar transformation occurred with data privacy.  For years, personal data protection was poorly regulated, often falling under legal or IT functions without a clear governance structure.  The introduction of General Data Protection Regulation (GDPR) in 2018 forced organisations to rethink data privacy management, leading to the creation of dedicated Data Protection Officers (DPOs) and privacy governance teams.

This shift was driven by both regulatory requirements and reputational risks, reinforcing the idea that emerging risks require structured accountability to be effectively managed.

What these lessons mean for insider threat management

Much like workplace safety, cybersecurity, and data privacy, insider threat management is currently at a crossroads – with no distinct home in most organisations. The fragmented approach that places insider threat mitigation under IT, HR, or compliance is proving to be ineffective.

Without a structured, multidisciplinary function that integrates technology, human behaviour analysis, and operational risk management, organisations will continue to face significant blind spots in identifying and preventing insider threats.

The question is no longer if organisations should establish a dedicated Insider Threat Program, but rather where it should sit, how it should be structured, and what governance model will ensure its effectiveness.

Conclusion

History has shown that when emerging risks lack clear ownership, organisations struggle to respond effectively, leaving dangerous gaps in protection.

Workplace safety, cybersecurity, and data privacy all faced this challenge before evolving into structured, accountable functions. Insider threat management is now at that same inflection point.

The reality is clear: insider threats are not just a cybersecurity risk, an HR issue, or a compliance requirement – they are an enterprise-wide risk that requires executive oversight and a coordinated, proactive strategy.  Fragmented, reactive approaches leave organisations vulnerable to financial, operational, and reputational damage.

The cost of inaction is high.  Insider incidents cost millions in lost productivity, regulatory fines, and response efforts.  A proactive approach saves time, resources, and protects long-term business continuity.  A single insider breach can erode trust with shareholders, customers, investors, and regulators, creating a crisis few businesses can afford.

With increasing governance requirements under the Security of Critical Infrastructure Act 2018, Boards and executives are now directly accountable for insider threat mitigation. Leadership must act now – before a breach forces them to.

For leaders, the choice is simple: take decisive action now, or wait for a crisis to force it upon you.  Organisations that establish a dedicated Insider Threat Program will reduce risk exposure, enhance resilience, and strengthen trust with regulators, stakeholders, and the workforce.

Insider threat management can no longer be an afterthought – it is time to give it the strategic home it deserves.
