recommended reading

Obama Administration Aims to Create ‘Insider Threat’ Job Specialty to Plug Leaks

The creation of insider threat teams was spurred, in part, because of the leaks from ex-NSA contractor Edward Snowden

The creation of insider threat teams was spurred, in part, because of the leaks from ex-NSA contractor Edward Snowden // Gil C /

A New Year’s goal of the federal office responsible for averting employee leaks is to make a career out of catching so-called insider threats.

It is a delicate task to simultaneously guard hard-working federal personnel and expose the bad apples. And it takes different talents than those one would find in a counterintelligence analyst, human resources professional or information security professional. The insider threat discipline melds all those disciplines. 

"It’s a privilege to work in that program. And the only reason that you are there is to help protect your colleagues, not to out them. So, we’ve got to professionalize that workforce of people who do this for a living," said Patricia Larsen, co-director of the National Insider Threat Task Force. "They have to view themselves as part of a community."

Larsen was speaking at a forum hosted by Nextgov earlier this month. 

Background investigators these people are not. Although, that profession now has somewhat of a reputation problem, too.

The Office of Personnel Management on Thursday began notifying more than 48,000 employees their personal information may have been exposed following a possible cyber intrusion at KeyPoint Government Solutions, which conducts background checks on personnel applying for security clearances. Over the summer, USIS, once the government’s largest provider of employee investigator, disclosed a data breach, potentially compromising information on 25,000 workers.

The Obama administration created Larsen’s office after former soldier Chelsea Manning spilled U.S. secrets to Wikileaks. The more recent actions by ex-contractor Edward Snowden that revealed National Security Agency intelligence indicate the task force needs to pick up the pace, she said.

But there is no occupational series and pay scale for the insider threat profession. The task force is exploring whether a new occupational code might be warranted, Larsen told Nextgov. In the meantime, agencies are using several existing job classifications to recruit staff. 

Personnel with insider threat-related tasks can easily earn six-figure salaries in government or industry. Currently, there is an opening at OPM for a “Supervisory Intelligence Operations Specialist” with a salary between $106,263 and $138,136, whose responsibilities include insider threat awareness training, according to

Talent search firm Hudson is recruiting an “IT Risk Evaluation Manager” for an unnamed financial institution who, similarly, would be paid between $100,000 and $130,000 to have an “in-depth understanding” of insider threat analysis to keep the company’s proprietary computer code secure. 

Today, internal threat specialists serving within roughly 70 different agencies come from the fields of counterintelligence, information security and civil liberties, as well as law enforcement.

Some agencies have hired intelligence analysts from the "0132" job series defined by OPM.  Others have focused more on the investigative capabilities within the 1800 series, or 0080 security specialists. 

"They bring their own experiences with them but now we’re asking them to do a unique skillset, a unique discipline -- to be an insider threat professional," Larsen said. 

Every federal agency that has access to classified information is required to set up an insider threat program. Many have robust initiatives in place, while others are still in the early stages and are still filling positions. The size of the insider threat workforce for each department will vary based on the agency's size, mission and access to secrets, Larsen said.

These professionals must learn how to synthesize intelligence from myriad sources that analysts traditionally don’t use all at once.  It requires some technical expertise to perform the “big data analysis” and to refine algorithms that ingest the data to flag potential rogue behavior, Larsen said. 

The specialists must undergo awareness training on privacy protections, intelligence oversight and investigative procedures, should suspicions bear out.

"In the event detected activity necessitates referral to law enforcement," it is crucial that the insider threat personnel do not interfere with potential prosecutions or psychological treatment, Larsen said. "It is also critical to remember the human element, and the expertise of clinical psychologists is crucial to inform insider threat analysis.”  

(Image via Gil C/

Threatwatch Alert

Software vulnerability

Malware Has a New Hiding Place: Subtitles

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.