What it Takes to Detect Insider Threats from Ford Motor Company’s Senior Analyst

Leading an insider threat program at a Fortune 100 company takes a certain skill set that can’t be molded into a single program or training certification. It takes a combination of capabilities and motivations to detect risk in some of the most challenging, unassuming places.

Dave Holder is a senior analyst with Ford Motor Company where he helps lead their insider risk program. He is a decorated former counterintelligence officer with expertise in national security investigations and operations, as well as corporate workforce investigations. His national-level awards include the National Counterintelligence Executive’s Investigative Team Award in 2014 and the Department of Defense Counterintelligence Team Award in 2009.

Key topics of Holder’s discussion with host Fred Burton include:

Key takeaways:

01:23: Dave Holder: There are a lot of things in the military that carry directly over. Most of us coming out of these types of environments struggle with that balance a little bit. And with leadership, generally speaking, I learned you can’t leave from behind. You have to be good at what you do as a practitioner. Have to be good with your people you’ve got to empower everyone and let them lead and innovate.

14:00: Dave Holder: When I think about the horizon I guess I could think about it in terms of where I think the enemy threat picture is going to use military terminology — defensively,  I have to react to what the adversary is doing, but offensively, can I create a framework that puts all of the odds in my favor. 

On the program building side of things, I think we need to put more focus into that and hopefully, some of the work MITRE is doing to build out an insider threat framework similar to MITRE attack for cyber defense will produce some of the applied research findings that will help us to get ahead of the curve. 

In the meantime, we have to continue to professionalize this field that we’re calling Insider threat or insider risk along the main core competencies. I think without those we’re not fluent enough with compliance professionals, privacy professionals, offices of general counsel, etc.. We have to be able to converse with them in terms they ah that they understand and that they care about.