Cyber Crime Junkies

Shadows Within: A Spy Unmasks How Insider Risk Affects Cyber Security

July 30, 2024 Cyber Crime Junkies. Host David Mauro. Season 5 Episode 28

Former spy and intelligence officer Shawnee Delaney joins us. She is the founder and CEO of Vaillance Group (https://www.vaillancegroup.com) and spent nearly a decade with the Defense Intelligence Agency (DIA) as a decorated Clandestine Services Officer conducting Human Intelligence (HUMINT) operations all over the world.

She served four combat zone tours in Iraq and Afghanistan as a Case Officer and Detachment Chief and served as a Supervisory Branch Chief in Europe. 

Chapters

 

  • 00:00 Introduction and Background
  • 00:30 Shawnee's Expertise in Cybersecurity and Counterintelligence
  • 02:21 The Influence of Shawnee's Family and Childhood
  • 04:01 Shawnee's Work with the Defense Intelligence Agency
  • 08:04 Stories from Shawnee's Government Service
  • 15:07 Difference Between Insider Risk and Insider Threat
  • 20:01 Mitigating Insider Risk and Threat
  • 24:28 Security Awareness and Training Programs
  • 32:12 Building a Security Culture
  • 41:27 Insider Threat Program at Uber
  • 46:12 Lessons Learned from Uber
  • 52:41 Upcoming Books on Insider Threat and Cybersecurity Education


This episode discusses insider risk vs insider threat, human risk management cybersecurity, how insider risk affects cyber security, how to reduce human risk in cybersecurity, deepfake explained and more.

 Summary

 

Shawnee Delaney, CEO of Vaillance Group, discusses insider threat and cybersecurity in this conversation. She shares her background in intelligence and espionage, and how she became passionate about insider threat protection. Shawnee explains the difference between insider threat and insider risk, highlighting the potential devastating impact of insider threats. She also emphasizes the importance of mitigating human risk through proper employment life cycle management and offboarding procedures. Shawnee shares examples of insider threats, such as the use of a smart thermometer to hack a casino's high roller database, and the risks associated with employees emailing sensitive information to themselves. Insider threat programs focus on identifying certain life triggers that may lead individuals to commit malicious acts. 

These triggers can include personal and professional stressors, such as financial issues or feeling undervalued at work. Organizations need to be able to identify changes in behavior and encourage employees to report concerns. Managing the employee lifecycle is crucial in mitigating human risk, from recruitment to off-boarding. Building a security culture and integrating security awareness training into the organization's culture is essential. The intersection of AI and insider threat involves both the use of AI to protect organizations and the potential threats posed by AI, such as data poisoning and deepfakes. Short, segmented, and job-embedded security awareness training is most effective.

 


Cyber Crime Junkies (03:54.639)

Welcome everybody to Cyber Crime Junkies. I'm your host David Mauro and we're going to try this intro again. I am very excited about having our guest in. We've been wanting her to be a guest on the show for a long time. Shawnee Delaney joins us. She is the CEO of Vaillance Group, keynote speaker, author, expert on cyber security, insider threat and counterintelligence.

 

She was an IT specialist in the US Department of Homeland Security, operations officer with the US Department of Defense, holds a master's degree in cybersecurity and another master's degree in international policy studies, with a specialization in counterterrorism and counterproliferation, which I don't know how you got that all on the diploma, and is seeking a third master's degree because two clearly is not enough.

 

in industrial organizational psychology from that one is from George Mason, I believe. So after spending nearly a decade with the departments with the Defense Intelligence Agency, the DIA, as a decorated clandestine services officer, and yes, it's it is as cool as it sounds. She was a senior manager at Uber running their global insider threat program. And today, as mentioned, she serves as

 

Shawnee Delaney (04:56.75)

Correct. Yeah.

 

Cyber Crime Junkies (05:19.853)

CEO of Vaillance, specializing in insider threat protection for organizations across the globe. Shawnee, welcome to the studio.

 

Shawnee Delaney (05:29.147)

Thank you. I'm just trying to give you a little like verbal gymnastics just to kick it off and make you say really long words. I'm sorry.

 

Cyber Crime Junkies (05:34.033)

That was like a word salad, man. That was a lot. So no, that's great. That's fantastic. So I've got to start from the beginning. And that is like, why? Why? Why first? Like, I don't even want to go down the why multiple masters. But why insider threat? Why? What happened to you when you were a kid?

 

Shawnee Delaney (05:46.7)

Yeah.

 

Cyber Crime Junkies (06:03.505)

caused you to want to do this. Like you grew up with like very strong women in your family as I understand. So walk us through that. Tell us kind of what's burned you into this this passion of inside.

 

Shawnee Delaney (06:10.37)

Yes, very.

 

Shawnee Delaney (06:17.866)

Yeah. I look back and I ask why all the time too. So my mother was a sheriff's deputy in California and her mother, my grandmother, if you can see right here, this gold medal, this giant gold medal, that's her Congressional Gold Medal. She was a WASP, a Women Airforce Service Pilot in World War II. And I grew up thinking that not only did she single-handedly win the war, but just, yeah.

 

Cyber Crime Junkies (06:38.971)

Very cool.

 

Cyber Crime Junkies (06:45.091)

Yeah, that she was Batman. Really,

 

Shawnee Delaney (06:47.884)

Yeah. My parent growing up, my parents always taught me you can do anything you want if you work hard, period. Like that's how I was raised. And so when I was really young, the Marine Corps barracks were bombed in Beirut, Lebanon. I'm sure a lot of people remember that. There was something about that event, about the newscast that I saw with my father when it happened that just really sunk in. I have really vivid memories. I can remember Dan Rather's tone on the television.

 

I remember my dad reacting to the story and there was just something that triggered me. And as I grew up, I don't remember the age I was when I found out what espionage was, but I was very young and it was like angels started singing from above when I learned what it was. And I just, I felt like that's my calling. That is what I was meant to do. I'm a very mission-oriented person.

 

And it just, it all just kind of fell into place. Well, I'm not going to say it fell into place. I doggedly pursued everything that I wanted to do, but that's kind of the path that I laid out for myself.

 

Cyber Crime Junkies (07:46.725)

Right. Yeah.

 

That's amazing. So your work with the DIA, the Defense Intelligence Agency, some listeners may not know what the DIA does. Can you walk us through that? Just high level.

 

Shawnee Delaney (08:03.82)

Right. Yeah. Yeah, people know the CIA. Everyone knows the CIA. The DIA has a similar mission, but we are there to protect the war fighter. So we have clandestine operatives, just like CIA. In fact, we're all trained together down at the farm, DIA and CIA instructors together.

 

Cyber Crime Junkies (08:08.474)

Yes.

 

Cyber Crime Junkies (08:22.723)

Is this like a magical farm that nobody knows where it is? It's like.

 

Shawnee Delaney (08:26.062)

Well, if anyone's seen any TV or any movies, they know what the farm is. It's, you know, the famous spy school, if you will. But yeah, it was fun. I'm the only nerd probably on the planet that had a great time going to the farm. Everyone else was stressed out. I thought it was great, probably because I had always wanted to do it. And I was so excited to be there. But yeah, so the DIA supports

 

Cyber Crime Junkies (08:29.583)

Yes, yes.

 

Cyber Crime Junkies (08:43.994)

Right.

 

Cyber Crime Junkies (08:48.175)

Well, it's like Hollywood coming to life, too. It's like all those spy movies. You're like, this is actually where you learn how to really do it.

 

Shawnee Delaney (08:54.892)

Yeah, yeah, in a way. Now I'll tell you the job is not like Hollywood at all, but...

 

Cyber Crime Junkies (09:00.869)

Well, no, it's really data points, right? Like it's a lot of it is, is social engineering or finding your way into certain data points. And then you transfer that data point somewhere else and someone else is kind of connecting the dots. Is that part of is that kind of

 

Shawnee Delaney (09:15.202)

Right. Yeah. Yeah. So when you look at intelligence gathering on the human side, you have to have targets, right? You have to have sources and those sources, hopefully if they're good, you recruit them and they become an asset, a recruited asset, and they're providing intelligence information. I think what people don't realize is that when people, before they're even officially recruited and know what they're doing, they're still providing intelligence, right? That's how we're walking them down that human intelligence recruitment cycle pathway.

 

But when we are gathering intelligence and we're trying to find answers to certain requirements that the government pushes down, we're doing our due diligence. There are targeting officers. I had to myself develop targeting packages. So let's say you need an answer to some niche question requirement. We trolled social media. When social media came out, it was like, again, heavens open and angels sing because so much information is out there. People post so much information about their life.

 

Cyber Crime Junkies (10:07.843)

Yeah.

 

Shawnee Delaney (10:13.228)

And so to find, just like a social engineer, to find out if someone is disgruntled or they want another job or, you know, you know, they're sad because a family member is sick or what have you. You can really leverage those motivations and vulnerabilities and craft a really good pitch or bump, which is like a chance encounter. So yeah, that's pretty much how we'd start at a lot of cold calls, stuff like

 

Cyber Crime Junkies (10:36.539)

Sounds like a phenomenal sales training. You know, it is like, you know, screw the challenger sale methodology like that is a really good let's all go to the farm, right? Like bring everybody down

 

Shawnee Delaney (10:39.15)

It is yeah, absolutely

 

Shawnee Delaney (10:48.706)

Yeah. Well, I mean, you're, you're, David, you're taught to build empathy and build rapport and elicit information. Elicitation is one of the greatest gifts to sales members that I can possibly think of. So all of those techniques really kind of.

 

Cyber Crime Junkies (10:59.969)

Mm-hmm. Yeah.

 

Now, you mentioned empathy. Like when you mentioned empathy, you mean it in the context of like what Chris Voss talks about of tactical empathy, meaning helping them feel understood so that they provide more information. Is that right?

 

Shawnee Delaney (11:19.854)

To a degree, yeah. So I would argue instead of tactical empathy, you need genuine empathy because these people are putting their lives and their family's lives on the line to give you intelligence, period. And so if you don't have something that's genuine, if you don't actually truly care about them and their loved ones, they're gonna see right through you. Yeah. Yes, yes.

 

Cyber Crime Junkies (11:34.009)

Right. Right.

 

Cyber Crime Junkies (11:41.657)

Right. Of course. So there has to be authentic element there. Right. Yeah. Makes perfect sense. So walk us through some of the, I know a lot of what you did was confidential and you can't, you know, I'm aware of your public speaking and some of the content that you've shared. But what, you

 

Is there any story that happened to you when you were serving the role for the government that you found in private industry, business owners really are finding value in? Right. And I imagine it has to do with insider threat, coupled with that compared to insider risk. We're going to get into that in just a second. But is there anything where you learn something about how people react or any stories that you could share?

 

Shawnee Delaney (12:23.863)

Ahem.

 

Shawnee Delaney (12:40.364)

Well, how much time do you have? I could literally talk for a month. I have more stories than anyone you've ever met. You know, I think I'm... Yeah.

 

Cyber Crime Junkies (12:42.073)

Well, we've got time. We've got

 

Yes. And you spin everything into the context, everybody works within a framework of what they like. Mine is always like, I'll look at a sporting event and be like, well, the cybersecurity implications are this, right? And you like something happens in the news, and you're like, well, here's the insider threat view of this, because that's what you're always posting on. It's like, you see it through that framework.

 

Shawnee Delaney (12:59.422)

Thank

 

Shawnee Delaney (13:07.308)

Yes,

 

Shawnee Delaney (13:12.012)

I see everything through that lens. I feel like I kind of only half jokingly say I could take anything and spin it into insider threat. I mean, what people don't realize about that and when we're talking about stories is with insider threat, the vast majority is unintentional or negligent. Like they don't mean to make the mistake. And so things like a good one is there was a North American casino. It's unnamed, nobody knows who it is.

 

Cyber Crime Junkies (13:37.979)

Yes, of course.

 

Shawnee Delaney (13:39.458)

that was hijacked, basically all of their high roller database got hacked and sucked up into the cloud and gone. And the vector that those attackers used was a smart thermometer that was in a fish tank.

 

Cyber Crime Junkies (13:54.181)

I can't believe you're bringing this up. This is what we talk about. We talk about, that's where I thought you were going. I have to interrupt you. We talk about that incident all the time in our security awareness trainings. When we talk about IoT and we talk about Internet of Things, because people aren't aware. And I'm like, so this guy walks into a casino. Let me tell you what happens, right? All of that data from all their whales, all of those big betting, all like their,

 

Shawnee Delaney (14:08.93)

Yes. Wearables.

 

Shawnee Delaney (14:15.244)

Right.

 

Cyber Crime Junkies (14:23.921)

credit. All of that stuff was up there, right? All from a smart thermometer in an exotic fish

 

Shawnee Delaney (14:25.356)

Yes, yes.

 

Shawnee Delaney (14:31.96)

But people don't see the insider threat angle, which is someone misconfigured that. It was unintentional. So, yeah.

 

Cyber Crime Junkies (14:37.967)

Right. Right. That's exactly right. They left it on the admin, the password of admin or something, whatever really happened, but it was not encrypted properly.

 

Shawnee Delaney (14:45.355)

Mm. Mm-hmm.

 

Shawnee Delaney (14:50.294)

Right, right. So in telling stories like that, that's when people think, that could happen to us. You know, people have this inherent natural trait to be risk averse, not just risk averse, but they think it can't happen to them. Be it individuals, no one's going to target me. No one's going to try to recruit me. Why would a spy ever want to target

 

Cyber Crime Junkies (15:12.153)

Right. Or geolocation. I'm an hour and a half outside of Wichita, Kansas. I'm not a threat. Like, you're not a target as long as you don't get online. Just don't get online and then you're truly an hour from Wichita. But as soon as you get online, you're in everybody's

 

Shawnee Delaney (15:14.22)

Right, right. I'm a nobody.

 

Exactly.

 

Shawnee Delaney (15:29.538)

Yeah. So things like that. I had a recruited asset in a foreign country who had access to a certain network that the intelligence community needed, for example. And we just outfitted her with a USB, just a thumb drive, very, very special thumb drive, but all they had to do was plug it in and that nothing, just plug it in and go about your daily business.

 

Cyber Crime Junkies (15:51.631)

Right. Had keyloggers or whatever, allegedly. Right.

 

Shawnee Delaney (15:58.208)

Unplug it in a couple of minutes and the intelligence community owns that network for perpetuity. Right. So when I tell stories like that, that's when I kind of expand on conferences and travel and USB giveaways and children who plug things in and they don't know. So we can really expand people's worlds just by these little stories and these little, I don't know, nuggets of information, real world.

 

Cyber Crime Junkies (16:03.642)

Wow.

 

Cyber Crime Junkies (16:21.477)

Well, and people don't think that corporate espionage is really a thing. And I'm like, I have hundreds of examples. Like there's all these big pharma companies and even smaller mom and pop kind of like pharma testing companies and things. And when one person leaves, they give them gifts. Like, here's a gift. Do this, whatever. And some of it's like a brand new thumb drive or whatever. They go and they stick it in.

 

Shawnee Delaney (16:47.768)

Mm-hmm.

 

Cyber Crime Junkies (16:50.309)

and all of a sudden, like, they're getting all the intellectual property from their competitor. And the person didn't even know about it. Right?

 

Shawnee Delaney (16:54.782)

Mm-hmm. Yeah. Yeah. Well, I mean, I'm sure you heard in news, I don't know, six months, a year ago, there were a bunch of military members who were getting random packages in the mail with like smartwatches and smart devices. The smart ones obviously didn't turn them on or plug them in and reported it. And they noticed this pattern of behavior. There are threat actors. People are trusting inherently.

 

Cyber Crime Junkies (17:10.373)

Yes, right.

 

Cyber Crime Junkies (17:22.993)

Because the smartwatch gives off your geo location, right? And your health information, your network, all of that. And now whoever sent that to you has

 

Shawnee Delaney (17:26.164)

Everything. Everything. Your network, you connect to your Wi-Fi.

 

Shawnee Delaney (17:36.118)

pattern of life. When Fitbit, I think it was Fitbit, came out, I was in a war zone and military members started wearing it and they were running around the perimeter of the base for PT. And it wasn't until shortly after that everyone realized that there were threat actors that were hacking into those and they could then see where's the dining facility, where's the building, where's the, you know, just from that geolocation like you were talking

 

Cyber Crime Junkies (18:00.199)

Think of that. That's just... Yeah. So getting back to the guy that walks into a casino, walk us through what happens there. So he walks in, he sees, or he or she, but it was a he, sees the thermometer for the exotic fish tank and then what happens next?

 

Shawnee Delaney (18:01.326)

But that's unintentional insider threat.

 

Shawnee Delaney (18:22.872)

So basically they exploited that smart thermometer being connected to the network and they went in through the smart thermometer's connection to the network to get into that database, exfiltrate that data and take it out. Pretty simple. Yeah,

 

Cyber Crime Junkies (18:36.065)

So many issues there, right? Like there's so many like, why, first of all, why is the thermometer itself not encrypted better, right? But secondly, why is that connected to a data, the same network or database that has all of the other confidential information? That's a whole other issue, right? That's a whole, that's a whole like zero trust kind of thing, right?

 

Shawnee Delaney (18:45.634)

protected. Right.

 

Shawnee Delaney (18:56.834)

Right. There's a whole lot of questions there.

 

Yeah, N0 Trust, this was in, what, 2018, I believe.

 

Cyber Crime Junkies (19:05.969)

Yeah, I was going to say I think it was like 2017, 2018 or 2019. It was like five, six, five years ago or so. So yeah. Right. Correct.

 

Shawnee Delaney (19:12.008)

Zero trust wasn't a thing back then. So, you know, okay on them that they didn't know that. But what a tough lesson to learn.

 

Cyber Crime Junkies (19:22.209)

Absolutely. Yeah. And I can't believe you brought that up. I love when I come when I use stories and then like I'm there and somebody like tells the story. I'm like, I know that story. Yeah, I'm like, hey, I see that all the people that attended our security awareness or our public speech or whatever. I'm like, I was telling good stories. See, I'm paying for this one. You know, like, yeah, right. That's good. So that's good. So let's define some terms.

 

Shawnee Delaney (19:34.385)

It's validating.

 

Shawnee Delaney (19:43.65)

Yep. Yeah. I know what I'm talking about. Yeah.

 

Cyber Crime Junkies (19:52.355)

You used a term that was interesting and that was the recruited asset. Like walk, I think I know what that means, but maybe I don't. So can you explain that to the listeners?

 

Shawnee Delaney (19:57.795)

Mm.

 

Shawnee Delaney (20:04.024)

Yeah, so let me start. I'll explain first the human intelligence recruitment cycle. I like to use the analogy of dating because it's the closest thing I can think of. So let's say you're starting, say you're young and you're starting to date, maybe old and you're starting to date and you're using a dating app or you're in a bar. The first thing you're doing is you're looking for your next partner, right? That's what we're doing. We're spotting. So that first thing is

 

Cyber Crime Junkies (20:07.769)

Yeah, please.

 

Cyber Crime Junkies (20:12.987)

Sure, yeah.

 

Shawnee Delaney (20:29.218)

We are trying to find what's your access, what are your motivations, what's your suitability, all these different things we're assessing, we're assessing you. So just like dating, okay, David, I found you, I see your placement and I see your access. I think you're gonna be reasonably suitable. You seem nice, you're not wearing a tinfoil hat. All right, so let's move into assessment. That's the next phase.

 

Cyber Crime Junkies (20:47.205)

Yeah, exactly. Right. You're like, what's their FICO score? what's the, you know, like, is this person a deadbeat? Are they going to pay their bills? Like, I don't want to know that. Right.

 

Shawnee Delaney (20:52.31)

Exactly. Right. Is David going to suddenly think he is James Bond and go off and go rogue? That's not what we want,

 

Cyber Crime Junkies (21:08.981)

Right, well especially in terms of intelligence, right? You don't want, you need control, absolutely.

 

Shawnee Delaney (21:12.428)

Yes, we need control. Yeah, yeah. So after the assessment and let me caveat that by saying throughout this whole cycle, we are still assessing and reassessing motivations, vulnerability, suitability, et cetera. So then we move into development. Now, personally, development is my favorite part of the phase. I think a lot of people would tell you it's recruitment because you're getting that next notch on your belt, so to speak. But I love

 

Cyber Crime Junkies (21:27.325)

Right.

 

Shawnee Delaney (21:40.394)

loved development because you got to really spend time, much like a relationship. When you're in a monogamous relationship, it's just you two. I want to know your hopes and your fears and your dreams. I want to know what makes you tick. I want to meet your family. I want to know if you sleep at night with a tin foil hat. I want to know if you are a big fan of James Bond. Right. Right. So that development phase can be very, very long. A dear friend of mine who you probably know, James Lawler, he was an operations officer with the CIA.

 

Cyber Crime Junkies (21:56.771)

Right, exactly. Behind closed doors, like, right.

 

Cyber Crime Junkies (22:07.459)

Yeah.

 

Shawnee Delaney (22:10.126)

And he said it took him 11 years to recruit just one asset. So this can be a very, yeah, this can be a really long process. Yeah. If you're doing it right, right. You do what it takes. You're building that trust. You're building that rapport with someone. So just like dating again, it could be long, could be short, but then let's say you want to move on to that next phase, which is popping the question. It's the same thing with recruitment. So we're going to move into recruitment.

 

Cyber Crime Junkies (22:14.353)

Really? 11 years. Wow.

 

Yeah.

 

Shawnee Delaney (22:36.43)

So they're providing non-public information. They're suitable, right? They're not gonna go off the reservation we think. They're submitting to control.

 

Cyber Crime Junkies (22:44.057)

Now they are a target because they have access to something or some system or someone or something. Right. Got it. Got

 

Shawnee Delaney (22:48.918)

Right. Or person, yes, exactly, exactly. And so then we recruit and just like popping the question when you propose marriage, you hope or you should know the answer is going to be yes before you ask. Otherwise, it's going to be a big disappointment. It's the same with.

 

Cyber Crime Junkies (23:05.157)

Yeah, they teach you that in law school. Like, don't ever ask questions if you don't know, if you don't have a good hunch about what the answer is going to be. Yeah.

 

Shawnee Delaney (23:10.122)

Right? Don't go there. But when we recruit, we're dropping our cover, right? Whatever cover I had for that operation, for that developmental source, I am now saying, hey, I'm actually Defense Intelligence Agency. I want you to work with me and provide sensitive and secret information. You know, that's a big deal. So when we recruit someone and then they say, yes, it's good to go, it's kind of like being married. So in a marriage, you might

 

or you might give like a honey-do list, right? Now we're giving that asset, recruited asset, a list of taskings. Bring me this information, bring me that information. And we're teaching tradecraft and we're teaching them how to stay safe. Exactly.

 

Cyber Crime Junkies (23:41.562)

Right.

 

Cyber Crime Junkies (23:51.087)

And they do that because you've established trust and friendship. And then you in turn will provide them with things, whatever their needs are,

 

Shawnee Delaney (23:58.036)

Exactly. Exactly. And so we will handle them with the next phase and then we will terminate and termination is not violent. But maybe they don't want to do it anymore. Maybe they lost their access. Maybe they started to go a little wonky. That's when we sever the relationship.

 

Cyber Crime Junkies (24:01.989)

Mm

 

Cyber Crime Junkies (24:14.297)

Right. Right. Just like the okay, just like a divorce or a breakup or whatever. Yeah. Okay. Yeah. Interesting. So interesting. So what's the difference between insider threat and insider risk?

 

Shawnee Delaney (24:19.982)

Just like a Firm, final.

 

Shawnee Delaney (24:32.782)

Good question. So look at insider risk as the risk you have by employing humans, full stop. So humans make mistakes, humans take shortcuts, humans have alternating motivations, humans are fallible. So that's your human risk. We all have it. Insider threat.

 

Cyber Crime Junkies (24:41.521)

Okay.

 

Cyber Crime Junkies (24:50.608)

Mm

 

Shawnee Delaney (24:55.502)

So insider risk is left of boom, if you would, before the bad things happen. Insider threat is after the bad thing has happened. And that can be malicious, that can be unintentional or negligent, like I talked about, and that can be compromised. Someone who basically, like a threat actor, has taken advantage of that unintentional or that negligent person to compromise those credentials, for example.

 

Cyber Crime Junkies (24:59.002)

Right.

 

Cyber Crime Junkies (25:17.153)

Absolutely. And they can and they can both be massively devastating.

 

Shawnee Delaney (25:21.73)

Yes, yes. Typically the compromised category costs organizations three times more per incident than that of a negligent insider. And you can imagine why if someone's getting into a network through it versus someone printing from home or emailing themselves something or things like that. So that category of compromised insider is really, really devastating. But when you get up to malicious and that's the smallest category statistically.

 

When you get into that malicious category, fraud, sabotage, espionage, theft of intellectual property, workplace violence, et cetera, those two, depending on what it is, can be incredibly devastating. Sabotage in particular, when you have someone who has been disgruntled, yes, yep, really bad, especially if whatever they're doing, they've got that natural access to do it. It's going to take a long time for organizations using their tools to detect.

 

Cyber Crime Junkies (26:02.809)

like a disgruntled employee or something like that. That can be really devastating. Yeah.

 

Shawnee Delaney (26:16.526)

let's say they planted a logic bomb or stole admin credentials or things like that, it can be really hard to detect until it's too late.

 

Cyber Crime Junkies (26:24.667)

Well, again, a lot of organizations, in my experience anyway, don't do a phenomenal job. There are exceptions, but generally speaking, they really don't do a phenomenal job in off boarding correctly. There are still a lot of former employees that have their emails are still active, like, you know, for for just doing whatever services we might be proposing or engaging with a client, we will.

 

you know, find lists and lists of like hundreds of employees that no longer work here. I'm like, you do realize that their credentials are still live, right? that's really, so that would be that's massive inside risk, essentially.

 

Shawnee Delaney (26:54.68)

Yes.

 

Shawnee Delaney (27:11.147)

It is, and I think what companies don't realize, or organizations, not just companies, they don't realize that there are a lot of basically free or cheap things that they can do to mitigate their human risk really substantially when it comes to employment, life cycle management and off boarding is that tail end of that cycle, if you will. Yeah.

 

Cyber Crime Junkies (27:25.893)

yeah.

 

Cyber Crime Junkies (27:31.217)

Right. Yeah, that's exactly right. Because half the time it's because it fell on somebody's desk to do and that's a massive project. And meanwhile, we have them doing 50 other things.

 

Shawnee Delaney (27:42.316)

Yes, exactly, which that right there is your insider threat because they're stressed, they're distracted, you know, they've got all these competing priorities. And so things are going to slip through the cracks at a time when you don't want it to.

 

Cyber Crime Junkies (27:52.431)

And there's nobody above really watching. This is a threat. This is an insider threat. It's not like a network you can monitor and see that necessarily.

 

Shawnee Delaney (27:56.652)

Right. Right.

 

Shawnee Delaney (28:01.57)

Right, I mean, there are amazing tools out there. There are amazing tools out there. But those are to supplement having a legitimate program, making sure your HR, your hiring managers, your C-suite, making sure everyone has bought in, and then making sure that your whole enterprise speaks the same language. Everyone needs to know how they could leave you vulnerable, how those shortcuts, you know, when they're skipping a policy, I know the policy, but I don't wanna, it's just me.

 

Cyber Crime Junkies (28:25.746)

Absolutely. Right. Yeah, that's exactly right.

 

Shawnee Delaney (28:31.18)

That, yeah, all of those things kind of holistically make you have a much stronger program and mitigate your human risk quite substantially.

 

Cyber Crime Junkies (28:39.971)

Yeah, yeah, another example you mentioned briefly, you kind of gleaned over it. And that is like people just emailing themselves stuff happens all the time. I want to make sure I do this. this is important, but I want to see it later. Or I found this somewhere. And I want to read this later. And they do that. And there's so much data in people's inboxes, or their sent folder, right? Like they've sent out these documents, or they've sent it internally to somebody.

 

Shawnee Delaney (28:47.116)

Mm-hmm. All the time.

 

Shawnee Delaney (28:53.208)

Yes.

 

Shawnee Delaney (29:02.616)

Yep. Yep.

 

Cyber Crime Junkies (29:09.019)

There's so much confidential data that a compromise of one email account has much more than being able to escalate privileges and getting beyond that email account. There's so much data in just any employee's email box. Right. Yeah. Especially. Yeah. That's a great phrase. They are digital hoarders because you just never know. Like, well, this is interesting. I want to read about this later or

 

Shawnee Delaney (29:26.444)

People are hoarders. People are digital hoarders. Yeah.

 

Cyber Crime Junkies (29:38.533)

I don't know if I'm going to be asked about this in some meeting later, so let me hold on to it. Rather than put it in a encrypted folder or on an external drive or something that's separated, air gapped, it is right there, right in your inbox. Yeah, that's a big deal.

 

Shawnee Delaney (29:38.542)

Yes. Yes. Right.

 

Shawnee Delaney (29:49.87)

Mm-hmm.

 

Shawnee Delaney (29:53.614)

Right. Yes, 100%. I think, I mean, look, there's all kinds of analogies we could use for that, for the hoarding thing, but people just need to recognize that those little cyber hygiene best practices, those little steps, like what you were just talking about, or I don't know, there are just so many little things that if you add up, adds to more security. It's like a security onion, if you will.

 

Cyber Crime Junkies (30:19.72)

yeah, it's so true.

 

Shawnee Delaney (30:23.084)

Right? Each layer, it's little, it's thin, but each one adds to protection. And so when you have so many, ultimately that bad actor, whoever's targeting you, they're going to go on to the next organization if you've got more layers, so to

 

Cyber Crime Junkies (30:39.501)

Right. No, that's exactly right. I mean, we kind of explain that to people in that you don't need like if they focus on you and stay on you, they're going to get in like someone's going to get in. Even if it comes like me stopping by with a box of donuts, you're going to let me in the building eventually. Like I'm getting in. But the issue is more you want to make it such a hassle.

 

Shawnee Delaney (31:00.543)

Right, right,

 

Cyber Crime Junkies (31:07.441)

and so much time. It's like good passwords, right? If you make it hard enough where the software just keeps spooling, they're going to move on because there's still other 15 other organizations that are still using password for their password and whatever. Yeah, exactly. Right? Yeah.

 

Shawnee Delaney (31:09.166)

Yes.

 

Shawnee Delaney (31:19.982)

Mm-hmm and like Windows 2, you know, right, right. No, it's absolutely true. It's absolutely

 

Cyber Crime Junkies (31:28.483)

Unbelievable. So what are some of the motivations or triggers that you see that create insider threat? Like for me,

 

I could be wrong, but I've always thought of insider threat programs at an organization. What they're looking for are certain life triggers. If you know something like when you see when you hear these stories about an admin at a local government, right? All of a sudden, you know, pilfers off 40 million bucks, right? And her salary was $60,000 a year, but she just bought

 

mansion and you're like, well, okay, but it's usually like trigger like there's certain signs that you can see or something is taken because somebody's family member has cancer and they're the deductibles too high and it's like that life trigger that they're like they feel no other like they have they need that money. And it's it's those things. So how do how do organizations identify them? What do they do?

 

Shawnee Delaney (32:25.442)

Mm-hmm.

 

Shawnee Delaney (32:40.813)

Yeah, so good question. There's something called the critical pathway that doctors Eric Shaw and Laura Sellers came up with. And what they say, and I totally subscribed to this, I've seen it, it's textbook like every case, is we have personal predispositions. We all have personal predispositions. You do, I do, everyone listening does. Some of those predispositions just makes people higher risk to commit a malicious

 

narcissism for example if anyone knows a narcissist you're like nodding right now like yep mm I see yep great so let's say you've got someone who's a narcissist maybe they have a problem with authority that does not make them an insider threat however you add in what you're talking about you're adding stressors I like to say there's personal stressors maybe relationship issues financial issues

 

Cyber Crime Junkies (33:08.121)

Sure.

 

Cyber Crime Junkies (33:13.665)

Yeah, if anybody's been called a narcissist. Yes. Okay.

 

Cyber Crime Junkies (33:24.751)

Right, interesting.

 

Shawnee Delaney (33:34.926)

There's professional stressors, maybe you don't feel valued at work, maybe you didn't get a promotion you expected. And then there's external stressors that I think when COVID started, I really started talking about external stressors because COVID was an external stressor that no one could control. It affected all of our lives in pretty much every capacity. And it really impacted people substantially. That's why fraud and theft of IP skyrocketed during COVID. So you've got those stressors, you compound that with those personal predispositions.

 

Cyber Crime Junkies (33:48.817)

Sure.

 

Cyber Crime Junkies (33:59.343)

Absolutely.

 

Shawnee Delaney (34:03.894)

And that's when someone's pattern of behavior starts to change. So organizations need to, yes.

 

Cyber Crime Junkies (34:09.074)

So it's an anomaly. It's almost like how SOC services or SIEM or MDR can detect an anomaly in a network, right? Something funky, like just something odd outside of the standard operating business practice. The human behavior has those same anomalies.

 

Shawnee Delaney (34:20.854)

Right, right.

 

Shawnee Delaney (34:32.364)

Yes, it does. But if your employees don't know what that means, if they don't know what to look for, if they don't know what to do if they see something abnormal, you're screwed. Period. You'd have all the tools in the world. That's great. But having people know that it's safe to report a concern, know, someone's acting weird. Well, they just had a baby. That's that's writing it off. You're not doing a risk assessment. You're not digging

 

Cyber Crime Junkies (34:45.209)

Right. Right.

 

Shawnee Delaney (35:01.794)

Well, maybe that person has financial issues. Maybe they're disgruntled. Maybe there's a whole list of other issues. So if employees report concerns, hey, Mary's acting weird. I don't know what's wrong. Or suddenly there's affluence that never happened. If the company will intervene, if they'll offer EAP support, if they'll do a risk assessment, that's when you can pretty much mitigate that risk. That's your opportunity. But if they don't do that, if no one reports it, or the company is like,

 

Cyber Crime Junkies (35:21.135)

Right.

 

Shawnee Delaney (35:30.728)

it's fine, know, sleep deprived. That's when that person's allowed to continue walking down that critical pathway until there's that trigger and they commit a malicious act.

 

Cyber Crime Junkies (35:31.917)

Right. See something, say something.

 

Cyber Crime Junkies (35:41.445)

then how do employers handle confronting that person? Because sometimes it's negligence, right? Like sometimes it's more just, you okay? What's going on? You we noticed this is happening. You know, if we could solve it, wouldn't you benefit? Like there's still positive, productive ways of doing that. Because then you might be able to tell whether it's really intentional

 

Shawnee Delaney (35:46.39)

It depends on the case. Yeah.

 

Yeah, right. Exactly.

 

Shawnee Delaney (36:03.566)

100% 100% Yeah,

 

Yeah. And I'm going to go back to my empathy. Empathy is great for espionage, but it's also great for business. If you can not confront, but you know, if you talk to that person with empathy, genuine empathy, we are here to help you. We want you to keep your job because it's going to cost more, right? If you're offboarded and we have to hire someone, everything there's, that's a whole nother can of worms. But the goal of everyone is to keep you in place and make sure you're happy and healthy. What can we do to help

 

Cyber Crime Junkies (36:13.701)

Yeah, yeah, absolutely.

 

Cyber Crime Junkies (36:24.409)

Mm

 

Cyber Crime Junkies (36:27.757)

right yeah

 

Shawnee Delaney (36:37.335)

here are these services, take some time off. Maybe in some extreme cases I've seen, they've brought in operational psychologists to actually evaluate that person and make sure they're fit for duty. So there are a lot of different things organizations can do, but ignoring it is just gonna make your problem worse in the long run.

 

Cyber Crime Junkies (36:44.325)

Hmm?

 

Cyber Crime Junkies (36:55.573)

Absolutely. So the master's degree in industrial organizational psychology, how does that fit into insider threat and insider threat protection? Yeah.

 

Shawnee Delaney (37:01.57)

Mm-hmm.

 

Shawnee Delaney (37:07.202)

I get a lot of questions about that actually. I joke I'm just trying to add something really long again to. Right. So industrial organizational psychology really focuses on the psychology, the culture of working environments, of employers and things like that, of workplaces. Yeah. So I look at it like this.

 

Cyber Crime Junkies (37:11.651)

Yeah, just another thing that they have to have two pieces of paper so your diploma is really big.

 

Cyber Crime Junkies (37:29.265)

So that's directly related.

 

Shawnee Delaney (37:34.322)

I used to recruit the vulnerable insider. So I was the malicious actor. Number one. Number two, working in these companies, standing up their programs, doing the investigations. I understand it from that angle as well. The mitigation, the cybersecurity angle, right? The third angle for me is for the customer, for the companies, for those organizations. How can I help them affect change, positive change and shifting their culture? Cause a lot of times

 

When I'm doing human risk assessments, a lot of times it really boils down to culture and cultural problems and morale problems. So that's where the IO psych comes

 

Cyber Crime Junkies (38:12.539)

Got it. Makes perfect sense. Yeah, I know, exactly. So when the, a human risk assessment for an organization, what all does that

 

Shawnee Delaney (38:15.278)

Plus who needs sleep, David? I mean, really.

 

Shawnee Delaney (38:27.8)

So what we do is we do a really deep dive into all their policies, procedures, playbooks, processes, number one. We do one-on-one interviews, confidential interviews with all the stakeholders and then some random employees from the very, very top all the way to the very, very bottom. And we're looking at culture, like I said, culture, morale, organizational problems, roadblocks, and then micro stressors. They've done studies, micro stressors, things that like,

 

Cyber Crime Junkies (38:35.376)

Hmm.

 

Shawnee Delaney (38:56.706)

just annoy you every day at work, know, the process is broken and every day it causes me a headache. Those micro stressors snowball faster than anything else and can cause disgruntlement faster than anything else. So we're assessing all of that. Exactly, exactly. And with productivity, morale, right? So we do a deep dive in that and we tell organizations what they're doing well, where they can improve, and then basically give them a roadmap for how they can move forward.

 

Cyber Crime Junkies (39:08.882)

And productivity can improve if you fix those, right?

 

Cyber Crime Junkies (39:15.129)

Right, absolutely.

 

Shawnee Delaney (39:25.014)

and build out a more solid program. Yeah.

 

Cyber Crime Junkies (39:27.297)

Excellent. That's so interesting. So where's the line between cybersecurity, right, and insider threat? Because

 

you're a master at looking at a cybersecurity incident and like, this is an insider threat because of this. I mean, when we think of that, the guy that walks into the casino, most people would look at it, well, that's a cybersecurity incident. They didn't encrypt the thermometer correct. They didn't configure or segment air gap, the different networks. And they're looking at it from a technical perspective.

 

But it really is an insider threat, right? Like they didn't do that. So where's the line there?

 

Shawnee Delaney (40:20.438)

Yeah. They overlap. It's a Venn diagram. Right? So yes, there are cyber vectors. There are cyber vulnerabilities, but it wasn't a computer setting everything up. It was a person or a team. is, as Don Freese says, it is the skin behind the keyboard. And one problem I see pretty rampantly is that a lot of CISOs think it is that cyber problem. You know, it's all cyber.

 

Cyber Crime Junkies (40:23.534)

It is a Venn diagram.

 

Cyber Crime Junkies (40:27.867)

Mm-hmm.

 

Cyber Crime Junkies (40:33.691)

Right, exactly.

 

Cyber Crime Junkies (40:39.514)

Right.

 

Shawnee Delaney (40:48.258)

but they're totally discounting the people. Yeah. Right.

 

Cyber Crime Junkies (40:48.337)

Yeah, it's all in the binary zero and ones that can solve everything. And I'm like, it's not going to solve everything. Like it's not. I mean, look at the well and look at like social engineering, like social engineering is still involved, you know, either directly or proximately to like over 80 some percent, depending on which stat you pull, right of all the data breaches. I'm like, well, that's not code.

 

Shawnee Delaney (40:56.131)

is not going to solve everything. You have to look at the humans.

 

Cyber Crime Junkies (41:17.135)

Right. That's still negligence or intentional, right. Acts of, you know, taking advantage of negligence. Right. Which bring about the launching of code. All right. So I'm still on track

 

Shawnee Delaney (41:17.24)

That's not, that's a human.

 

Shawnee Delaney (41:27.242)

Exactly.

 

Shawnee Delaney (41:31.5)

Yes, exactly, exactly. No, you're on track. Everyone just needs to imagine that Venn diagram, but they're not apart with a little bit. It is very, very overlapped.

 

Cyber Crime Junkies (41:42.019)

Yeah, makes perfect sense. Wow. So employee lifecycle management, what does that mean? And is that something that needs to be on discussed in the, you know, the SMB space, the initiatives, the, you know, it needs to be on people's whiteboards. Like, how are we managing employee lifecycle?

 

Shawnee Delaney (42:07.68)

It does. I think when I think about it, managing the employee life cycle is probably one of the easiest, quickest things you can do and cheapest things you can do to mitigate your human risk. It's not even just a policy. It's like a set. Look at, look at it as a series of touch points throughout someone's career. If we have a career trajectory, right? Left to right. And on the left, we've got recruitment. So they're advertising for position.

 

Cyber Crime Junkies (42:18.437)

Yeah, it's really, it's a policy, right? Like it's creation of a policy

 

Shawnee Delaney (42:37.39)

Step one, advertise that honestly is my first bit of advice. If someone can't have a cell phone at work, put it in the job description. Because if you hire that person and then they find out they can't have their phone, you suddenly have a disgruntled employee and everything else is gonna upset them and it's gonna snowball. So that's a good example. So step one, right, right, and hide it, sneak it in. So advertise honestly. When you're doing recruitment and interviewing candidates,

 

Cyber Crime Junkies (42:38.299)

Yep.

 

Cyber Crime Junkies (42:55.289)

Right. Or they're going to violate policy. Right. Yeah.

 

Shawnee Delaney (43:08.078)

Hiring managers and HR business partners need to recognize that someone could be phenomenal in an interview. Their resume could be better than anyone they've ever seen, and they want to offer them a job. But before they do that, they need to have a series of questions. Maybe one person is designated culture person. Maybe everyone sprinkles it throughout the interviews. But they need to see if that person is a good cultural fit for that company. Because if they are not, you're going to have a Joshua Schulte case, that CIA software engineer.

 

Cyber Crime Junkies (43:32.901)

Yeah.

 

Shawnee Delaney (43:37.538)

who leaked a bunch of stuff to WikiLeaks on really sensitive programs at the CIA because he wasn't a good culture fit in his little office. my gosh, yeah. was WikiLeaks. The biggest leak in history is because this guy worked in a small office and he didn't get along with people. They had Nerf guns. It was kind of a frat house atmosphere. They nicknamed him nuclear option because they thought he overreacted to everything. But it was that he wasn't a good culture fit and they could have weeded that problem out.

 

Cyber Crime Junkies (43:45.369)

Really?

 

Cyber Crime Junkies (43:58.094)

Mm

 

Shawnee Delaney (44:07.264)

in the first steps and not offered him that assignment. So that's a huge, again, free, it's free, it's easy, just do it right. And then throughout the rest of someone's life cycle, you've got development, right, and retention, making sure, you know, if someone's struggling at home being a single parent, for example, or offer those interventions, offer that support, because if you don't and you force them into the office or what have you, they're gonna get disgruntled and that disgruntlement is key and then that snowballs into that trigger.

 

Cyber Crime Junkies (44:11.27)

Absolutely fascinating. Right. Yep.

 

Cyber Crime Junkies (44:25.775)

Mm

 

Shawnee Delaney (44:37.058)

And then like we talked about earlier, ending it with off-boarding. If you don't do your termination, voluntary or involuntary, if you don't do it thoughtfully, and if you're not all, every HRP, every manager, off-boarding people, did you ever email yourself company information? Have you ever saved company information onto a hard drive? Those belong to us, we need those back. Nobody has ever asked me that anywhere I've ever been. Right. But how many people?

 

Cyber Crime Junkies (45:01.271)

Never. Never once. Yeah. Or did you save it to a Google Drive or a Dropbox that you own personally because it was easier to access from your phone or on vacation when you worked from home, right? And now there's corporate IP that is protected by cat123

 

Shawnee Delaney (45:05.742)

have hard drives or have stuff in their email from their previous employer.

 

Shawnee Delaney (45:13.676)

Right. Anything.

 

Exactly. When you're on vacation or,

 

Shawnee Delaney (45:26.274)

Yes. Yes.

 

Shawnee Delaney (45:31.212)

Right. Right. Right. Yeah. And then, and then another layer is just reputationally. So if you're not offboarding someone thoughtfully with empathy, they're going to go put you on blast on Glassdoor or things like that. So all every touch point really has a big impact if you just do it right.

 

Cyber Crime Junkies (45:31.397)

Right? Like on your, yeah, on your personal stuff. Yeah.

 

Cyber Crime Junkies (45:44.294)

Mm-hmm.

 

Cyber Crime Junkies (45:57.061)

That's amazing. So I wanted to ask you about your time at Uber because Uber is such a fun company to to talk about too. And I mean, they've had their share of breaches and they're like, they can't catch a break. Like they're just like, doing great things and they've just transformed the transportation industry. And then they're like, they're getting breached

 

Shawnee Delaney (46:01.366)

Mm-hmm. It is. do. I love Uber.

 

Cyber Crime Junkies (46:22.353)

There's I mean, one case study is always like the MFA fatigue. I think their last breach involved. Yeah, like MFA bombing. Like what a great life lesson to learn that. Right. But, you know, it's so it's so interesting. So you were running or involved in the insider threat program. So what does that look like? And we don't have to talk about Uber specifically, but I want you to draw on those experiences. Like, what does that look like? Is it

 

Shawnee Delaney (46:26.914)

Yeah, MFA bombing, yeah.

 

Cyber Crime Junkies (46:50.925)

Uber cab drivers, are they getting mad? Are they going down the wrong street? They driving too long? Like, what is it? Like, what's the insider threat at Uber? that's walk us through

 

Shawnee Delaney (47:00.78)

is all I can say is thank goodness it didn't apply to drivers or partners because that's millions of people. Right.

 

Cyber Crime Junkies (47:04.721)

Yeah, because that was a whole mess. Yeah, that was a whole thing, too. There's so much going on with like whether the taxi unions and all like there was so much litigation and all that. was just a big mess.

 

Shawnee Delaney (47:17.238)

Right, yeah. So one could argue that those partners don't have access to Uber facilities or systems or personnel, right? So those were not within the scope of the program. Program was internal for contractors and for, yeah, yeah. Yeah, but it was a global program.

 

Cyber Crime Junkies (47:25.378)

Exactly. Yep.

 

Cyber Crime Junkies (47:32.955)

for Uber corporate, right, or Uber contractors. Well, and that's a good, right. And so what types of things, like what did you learn from working there? Like what aspects could you draw from without disclosing anything about how Uber operates clearly? But what aspects, you know, what experiences did you glean from that that kind of helps you help other organizations?

 

Shawnee Delaney (48:01.676)

Yeah, well, a lot. I could write a book. I think the first thing was, so I worked at Uber for six years and I was hired to stand up their insider threat program. When I first got hired, I joined a team that was all over the news, not until after I was hired, called Strategic Services Group, SSG. They were involved with the Uber Waymo thing. They're in the depositions. Like if you look up the documents, they're mentioned a

 

Cyber Crime Junkies (48:10.257)

It's a long time.

 

Cyber Crime Junkies (48:28.174)

Mm-hmm.

 

Shawnee Delaney (48:29.934)

So was recruited by this team and I was so excited to join. And as we were trying to build up momentum and get that C-suite buy-in for having an insider threat program, total chaos and turmoil. The CEO was fired, everyone above me left. Like literally I was like left standing like, hello? So what I learned there is that while I am, I'm a go-getter. Like I want to boil the ocean yesterday kind of thing.

 

Cyber Crime Junkies (48:44.261)

Hmm. Hmm.

 

Cyber Crime Junkies (48:49.915)

Right.

 

Shawnee Delaney (48:59.372)

What I learned is that when you're building an insider threat program, especially for a large organization, the thing with insider threat or human risk management in general, it touches every single stakeholder. Every department that's in your company is going to touch your program. so building that kind of kumbaya consensus can be really, really challenging, especially in times of turmoil. And so I had to basically take baby steps. So what I did is I focused, where's the most risk?

 

Cyber Crime Junkies (49:10.446)

Right.

 

Shawnee Delaney (49:27.158)

What assets do we want to protect the most? And instead of focusing on corporate, I first stood up the program for their autonomous technologies group. You know, ATG, obviously technology with driverless cars. That's impressive. So I pivoted to pitch, Eric Meyhofer, who ran that at the time, who I just adore. But basically focused on that. And once I could build out a proof of concept, could then pivot and say, look, everyone, it was successful. It has not impacted you.

 

We can help you and then move it into corporate.

 

Cyber Crime Junkies (50:00.503)

And did that cycle eventually happen or was there just turmoil and okay, good. Interesting.

 

Shawnee Delaney (50:04.342)

It did, it did, it did. But I think a lot of people try, like again, like I would have and I did, you try to just go and company-wide and let's go. And sometimes you can't do that. You've got to do the baby steps.

 

Cyber Crime Junkies (50:15.279)

Right.

 

Cyber Crime Junkies (50:18.905)

No, especially at a larger company, you kind of have to pick the department in which to make the it's almost a pilot program, right? You kind of do it and you execute and you have a case study and then you roll it out to other departments. So that's a good lesson right there. Yeah.

 

Shawnee Delaney (50:25.034)

Exactly.

 

Shawnee Delaney (50:30.356)

Exactly. Yeah, yeah. It's kind of like Survivor too. You know, don't want to get voted off the island. You want to be in an alliance. So you got to form your alliances and you got to play the game. Yeah.

 

Cyber Crime Junkies (50:35.749)

Yeah, right,

 

Cyber Crime Junkies (50:41.315)

Insider threat is a lot like survivor. That's good. That's a cool. Well, before I you go, I don't know if you're aware of this, but there's this thing called AI and it's kind of a big thing. Now it's kind of, I invented it. So yeah, I created it. Like some people created the internet. yeah, I created it. No. How did the intersection of AI and insider threat?

 

Shawnee Delaney (50:52.13)

I've never heard of that. Hmm, no, that's weird. Huh, that's a weird accent. Right.

 

Cyber Crime Junkies (51:09.609)

I come up with a thousand examples. Like what are you seeing in rolling out programs and addressing AI? Is it the AI use? Is it the various databases? What all are you seeing?

 

Shawnee Delaney (51:11.981)

It's huge.

 

Shawnee Delaney (51:23.31)

It's everything. The thing with AI is it touches everything again. I actually, you mentioned the keynote speaking. My number one speech this year is focused on AI. 98% of people are booking the AI speech. With AI and insider threat, you have to look at the pros and the cons and how AI can be used to not only help your organization, because there are wicked cool tools out there that can do that, but also

 

Cyber Crime Junkies (51:50.03)

Hmm.

 

Shawnee Delaney (51:51.374)

the threat vectors coming in at the organization, but at the employees themselves. So with AI, you know, I worry about from the insider threat angle, things like data poisoning, someone who's disgruntled and they get into your network and they, you know, mess things up, they ruin the integrity or the confidentiality or availability of your data. Spoofing, deepfakes, we've all heard the deepfake horror stories like that poor man who wired $25 million to a deepfake, you

 

Cyber Crime Junkies (52:03.023)

Mm-hmm.

 

Cyber Crime Junkies (52:13.54)

All about

 

Shawnee Delaney (52:18.998)

all of voice cloning, all of these things are real. And so the thing that I'm really pushing with insider threat is you have to educate your people on what the threats are to them and their families. I will always say, if you build good cyber hygiene at home, don't tell people, don't do this, this is our policy, you can't do this, because we tell you, it has to be, we care about you and your families. Here are all the tips and tricks and tools and everything you need to protect yourselves. When they do that at home, they're gonna bring it to work. Yes.

 

Cyber Crime Junkies (52:37.285)

Right.

 

Cyber Crime Junkies (52:43.809)

Exactly. Here's how to freeze your credit. Here's how to see if you've been breached. Here's how to protect your kids from sex extortion online. Here's how to if you do that, and it gets back to the whole I just think it's it gets back to changing behavior. If you want to change behavior, you can't just talk about policies and things. Because that's not that's

 

Shawnee Delaney (52:49.666)

Yes. Exactly.

 

Shawnee Delaney (53:01.592)

Really.

 

Cyber Crime Junkies (53:08.085)

landing on the part of the brain that drives behavior, right? You have to drive it to the emotional part. And that is, why are they doing it? Right? Like, why should they care about the company's cybersecurity? Isn't that IT's problem? No, no. Every time you get online, you have a responsibility. So why should you care? It's not just another thing we're asking you to do. But really what it is, is, you know, if we can help you care

 

Shawnee Delaney (53:11.17)

Totally.

 

Shawnee Delaney (53:15.861)

Exactly.

 

Cyber Crime Junkies (53:34.925)

and protect your family and protect yourself and your own FICO score and your whatever they care about, right? Then that digital hygiene that improved digital hygiene comes with them everywhere they

 

Shawnee Delaney (53:39.)

I see.

 

Shawnee Delaney (53:45.918)

Exactly. But you have to take human nature into account. People are going to want to know what's in it for me. Great. You have a webinar. Right. Shawnee Delaney speaking. Big deal. Who's that? If you advertise what's in it for them, they will come. They will listen. But also I like to remind people too, that they've done studies and human attention span is one second less than a goldfish. Less than a goldfish. So when we're talking, I know.

 

Cyber Crime Junkies (53:59.685)

Yes. Yeah.

 

Cyber Crime Junkies (54:12.879)

I'm sorry, dude. Were you talking? I'm sorry. What did you say? Sorry.

 

Shawnee Delaney (54:15.234)

Who are you? What's your name? Yeah. If you're doing training and awareness, please don't do it the old boring way. You have to leverage what's going on in the world and pop culture and make things short and concise and to the point and put the benefits up

 

Cyber Crime Junkies (54:29.839)

Yep. I agree with that completely. Let's talk a little bit about, and I think you just mentioned it, but as we wrap up, the best type of security awareness and insider threat awareness training. It's something to me that's got to be short segmented, available everywhere and kind of job embedded. It's got to be like integrated into the culture.

 

Shawnee Delaney (54:51.458)

Yeah.

 

Shawnee Delaney (54:55.554)

Yes, it does. You have to have a security culture. When I interview people for these human risk assessments and I interview CEOs and I ask the CEO, what are your cultural values? When the answer is, support the customer. Right.

 

Cyber Crime Junkies (55:14.725)

Growth, right? It's always growth. I'm like, growth for what? Like, just like money is the result. Like growth for what purpose? Like, what's the?

 

Shawnee Delaney (55:26.626)

Right? Right. You have to be willing to get uncomfortable. You have to be willing to take surveys and take that feedback from your employees. You have to be willing to shift your cultural values. Those should be a living document. As your company changes, those values are going to change. So taking in that feedback, making sure I love and to bring back Uber again, what I really loved when Dara came in, that's the new, well, he's not new anymore, new CEO, second CEO.

 

Cyber Crime Junkies (55:53.947)

Mm-hmm. Yep.

 

Shawnee Delaney (55:56.258)

When he came in, they did a total readjustment of cultural values. The old values were like toe stepping was one of them. It was very aggressive. It was very like, we're gonna win at all costs. When they changed those, they did a survey and they let people offer suggestions for what they thought the cultural values should be, which I thought was brilliant. And they took a bunch of them and they added their own. And then they made it a big marketing and branding campaign. So it wasn't like, hey, read this policy doc, here's our cultural values.

 

It was on Zoom backgrounds, it was on t-shirts, it was in your performance metrics. Tie your performance to these cultural values and that's how you're gonna be rated. That was brilliant and they really did it right there.

 

Cyber Crime Junkies (56:37.529)

That's really good, tying metrics to cultural values. That's phenomenal. I love that. Yeah, that's great. Well, Shawnee Delaney, thank you so much. This was fantastic. So what's on the horizon? Let us know what public speaking are you going to? There's a lot of sessions going on. Are you going to do some specifically for organizations or associations coming

 

Shawnee Delaney (56:40.632)

Mm-hmm.

 

Shawnee Delaney (56:49.432)

Of course.

 

Shawnee Delaney (57:04.046)

I'm trying to think. I don't think I have any conference. No, I do have a couple of conferences coming up, but usually I'm pretty busy. September, October companies can book me out to do keynotes, webinars, things like this, where I talk to enterprise, enterprise wide. I tell cool spy stories. I try to get people to understand everything we've just discussed and how it will benefit them. I've actually, I've written a book on insider threat. We're in final editing right now, which I'm very excited about.

 

Cyber Crime Junkies (57:29.595)

That's exciting. When's that set to be released?

 

Shawnee Delaney (57:32.934)

I don't know. I'm hoping in the next maybe two, three months. I'm a bit of a perfectionist, so I keep adding stuff. And then I'm writing a children's book on cybersecurity as well. Yeah. Yeah. Well, there's none that touch on AI and the AI risks. I'll tell you that. Yeah.

 

Cyber Crime Junkies (57:37.061)

Well, that's great.

 

Yeah.

 

Cyber Crime Junkies (57:45.099)

Really? Fantastic. Yeah, there aren't enough of those. They're really not. No, no, it's it's well, that's fantastic. When those come out, please consider coming back because we would we would love to have you. We would love to dive into that. I think that would be fantastic. So no, that's great. Well, thank you so much. And we will talk to you again soon.

 

Shawnee Delaney (57:59.192)

I would love to.

 

Thank you. Yeah, thank you. Thank you very

 

Shawnee Delaney (58:11.352)

Sounds good, thanks for having me, I appreciate it.

 

Cyber Crime Junkies (58:13.243)

Thank you.

 
