The Threats We Fund vs. The Threats We Ignore
- Boaz Fischer

- 5 days ago
- 2 min read

The reality is this: we invest millions in detecting outsiders, but pennies in understanding insiders.
That imbalance is becoming NEGLIGENT.
What would change if you invested 1% of your external security spend into understanding your own people?
Most security, risk, and governance teams can proudly point to a tower of defences at the perimeter: SOC alerts firing off like Christmas lights, pen tests trying their best, red teams breaking things on purpose, and dashboards filled with shiny tools doing shiny-tool things.
It looks impressive. It is impressive.
But it also tells a story we don’t say out loud enough: the outside gets most of the attention. The inside gets whatever budget is left after the big stuff is bought and the applause dies down.
And that is worth thinking about.
Because most of the costliest breaches don’t begin with an outside attacker. They begin with someone already inside the circle of trust: someone who misuses legitimate access, or makes a rushed decision under pressure that eventually tips into something far bigger than anyone expected.
In real cases, the pattern is almost always the same: the damage hits from the inside. Not always because someone intended to cause harm, but often because someone was rushed, cornered, or cut the obvious corner, taking a shortcut that quietly exposes the organisation to risk.
The fallout lands internally too: trade secrets stop being secret, IP and data leak out, fraud goes unnoticed, and operations get knocked sideways. And when it’s finally discovered, it’s not just an investigation. It can spiral into legal battles, forced rebuilds of entire systems, and huge investments to re-engineer operations, infrastructure, and security from scratch, most of the time costing far more than the original breach itself.
That’s the part no one budgets for… until they have to.
These insider incidents regularly run into the millions and often stay undetected for months, sitting in blind spots that organisations didn’t even realise were there.
By the time the alarms sound, the conversation has already moved from “How did they get in?” to “How did we miss it for so long?”
By the time they are visible, the cost is no longer measured in alerts. It’s measured in regret, investigation hours, public questions, and recovery budgets that balloon fast.
This isn’t about technology failure. It’s a call to spend smarter on people, culture, and governance.
Three Takeaways:
- Insider risk is a leadership and culture issue, not a tooling gap.
- Prioritise right-sized access, early behavioural signals, and safety to report.
- Track what matters: time-to-notice, time-to-act, per cent of access recertified, credible speak-ups, and repeat red-flag rates trending down.
Here's your move forward:
Name the 1% Inside Budget and make it a board directive: fund access hygiene, early-signal reporting, and speak-up culture. Tie it to three metrics executives track monthly: time-to-notice, time-to-act, and per cent of critical access recertified.
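The three board metrics above only work if they are defined the same way every month. The following is an added example (not from the post or its author) showing one consistent set of definitions computed over a handful of constructed incident and entitlement records: time-to-notice is the gap between the earliest evidence in the logs and the moment someone noticed; time-to-act is the gap between noticing and containment; and per cent of critical access recertified counts critical entitlements with a review inside a recertification window. The record fields, the 90-day window, and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional

@dataclass
class Incident:
    ident: str
    first_evidence: datetime        # earliest timestamp the activity is visible in logs
    detected: datetime              # when an alert or a person actually noticed it
    contained: Optional[datetime]   # when access was revoked / activity stopped; None if still open

@dataclass
class Entitlement:
    principal: str
    resource: str
    critical: bool                  # in scope for the "critical access" metric
    last_recertified: Optional[datetime]  # None means never reviewed

def time_to_notice_hours(inc: Incident) -> float:
    """Hours between the first evidence in the logs and detection (the blind-spot time)."""
    return (inc.detected - inc.first_evidence).total_seconds() / 3600

def time_to_act_hours(inc: Incident) -> Optional[float]:
    """Hours between detection and containment; None while the incident is still open."""
    if inc.contained is None:
        return None
    return (inc.contained - inc.detected).total_seconds() / 3600

def median_time_to_notice(incidents: List[Incident]) -> Optional[float]:
    values = [time_to_notice_hours(i) for i in incidents]
    return median(values) if values else None

def median_time_to_act(incidents: List[Incident]) -> Optional[float]:
    # Open incidents are excluded here and reported separately, so a long-running
    # open case cannot be hidden by being left out of the average.
    values = [t for t in (time_to_act_hours(i) for i in incidents) if t is not None]
    return median(values) if values else None

def percent_critical_recertified(entitlements: List[Entitlement], as_of: datetime,
                                 window_days: int = 90) -> float:
    """Share of critical entitlements reviewed within the last window_days (assumed 90)."""
    critical = [e for e in entitlements if e.critical]
    if not critical:
        return 0.0
    cutoff = as_of - timedelta(days=window_days)
    fresh = [e for e in critical
             if e.last_recertified is not None and e.last_recertified >= cutoff]
    return 100.0 * len(fresh) / len(critical)

def board_report(incidents: List[Incident], entitlements: List[Entitlement],
                 as_of: datetime) -> dict:
    """The three monthly numbers plus the count of incidents still open."""
    return {
        "median_time_to_notice_hours": median_time_to_notice(incidents),
        "median_time_to_act_hours": median_time_to_act(incidents),
        "percent_critical_access_recertified": percent_critical_recertified(entitlements, as_of),
        "open_incidents": sum(1 for i in incidents if i.contained is None),
    }

# Constructed sample data (not real incidents or accounts).
T0 = datetime(2024, 1, 1)
SAMPLE_INCIDENTS = [
    Incident("INC-1", T0, T0 + timedelta(days=30), T0 + timedelta(days=32)),
    Incident("INC-2", T0 + timedelta(days=10), T0 + timedelta(days=12),
             T0 + timedelta(days=12, hours=6)),
    Incident("INC-3", T0 + timedelta(days=20), T0 + timedelta(days=80), None),  # still open
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "prod-db", True, T0 + timedelta(days=50)),
    Entitlement("bob", "prod-db", True, T0 + timedelta(days=5)),      # review is stale
    Entitlement("carol", "payroll", True, None),                      # never reviewed
    Entitlement("dave", "wiki", False, None),                         # not critical, ignored
    Entitlement("erin", "hsm-admin", True, T0 + timedelta(days=99)),
]
AS_OF = T0 + timedelta(days=100)

if __name__ == "__main__":
    for key, value in board_report(SAMPLE_INCIDENTS, SAMPLE_ENTITLEMENTS, AS_OF).items():
        print(f"{key}: {value}")
```

The point of anchoring time-to-notice on the earliest log evidence rather than on the alert is that it measures the blind spot the post describes; measuring from the alert would hide exactly the months an incident sat unnoticed. Likewise, entitlements that were never reviewed count against the recertification figure rather than being skipped.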