Keep Your Friends Close... But 'Their' Enemies Closer? When the Defenders Become the Threat.
Jim Leone
12/30/2025 | 3 min read
Over the past several weeks, I’ve found myself reflecting on a situation that underscored an uncomfortable truth about modern cybersecurity, one that isn’t often discussed openly. It wasn’t driven by a headline or a theoretical risk model, but by a real-world scenario that reinforced how much implicit trust we place in those with privileged access, deep technical expertise, and institutional knowledge. Two cybersecurity employees just pleaded guilty to carrying out ransomware attacks on the company they were defending. They conspired with ALPHV/BlackCat to extort millions.
Situations like this don’t always make the news, and when they do, they’re often reduced to isolated incidents or framed as anomalies. In reality, they’re signals, reminders that cybersecurity risk doesn’t exist solely at the perimeter, and that even well-intentioned, highly capable professionals operate within systems that can fail without proper governance.
For years, cybersecurity strategy has focused outward. Nation-state actors. Ransomware gangs. Supply-chain compromises. Zero-day exploits. Shadow IT. Cloud misconfigurations. We’ve built entire industries, tools, and careers around stopping external threats. But a recent case involving cybersecurity professionals who admitted to working with the ALPHV (BlackCat) ransomware operation forces an uncomfortable question into the spotlight...
So... What happens when the threat isn’t outside your organization, but inside your security team?
This isn’t a story about careless users, phishing victims, or disgruntled employees. This is something far more concerning. This is about trained defenders leveraging their expertise, access, and trust to aid attackers.
A Different Kind of Insider Threat
Insider threat programs traditionally focus on a familiar profile...
Disgruntled employees
Financial stress
Poor offboarding controls
Accidental data exposure
Those risks still matter, but they miss a far more dangerous category. The modern insider threat isn’t always emotional, careless, or unaware. Sometimes, it’s highly skilled, credentialed, trusted, and intentional. Security professionals sit at a unique intersection of risk...
They understand detection gaps
They know which alerts matter, and which don’t
They have privileged access to logs, tooling, credentials, and response workflows
They often operate with minimal oversight because “they’re security”
That combination creates asymmetric power. When misused, it can bypass controls designed to stop everyone else.
Remember My Friends... Trust Is Not a Control!
One of the most dangerous assumptions organizations make is that trust replaces governance. Security teams are often exempt, explicitly or implicitly, from the controls applied elsewhere...
Fewer access reviews
Broader privileges “for efficiency”
Limited monitoring of admin actions
Informal separation of duties
The logic is understandable. Security work requires speed, autonomy, and deep access. But trust without verification is not leadership, it’s hope. And hope is not a control.
Why I Believe This Risk Is Often Ignored...
Most organizations don’t want to confront this issue because it’s genuinely awkward and uncomfortable. It challenges some common and deeply held beliefs...
That certifications equal integrity
That seniority equals reliability
That good intent is permanent
It also raises hard organizational questions...
Who monitors the monitors?
Who reviews privileged security access?
Who investigates suspicious behavior inside the SOC?
Often, the answer is “no one... because we trust them.” Sometimes that 'Accepted Risk' becomes a blind spot.
Where I Think Many Organizations Commonly Fall Short
Across enterprises, I occasionally see the same gaps repeated...
Over-privileged security roles that are never revisited
No dual-control for destructive or high-impact actions
Limited logging and review of security admin activity
No behavioral baselines for privileged users
Little collaboration between HR and Security on insider risk indicators
So, What Needs to Change?
Addressing this risk doesn’t require paranoia or mistrust. It requires mature governance. Practical steps organizations should already be taking...
Continuous access reviews, even for security teams
Separation of duties within SOC and platform administration
Dual authorization for destructive or high-risk actions
Monitoring and logging of privileged activity, including security tooling
Clear ethical expectations and accountability, reinforced culturally, not just in policy
This isn’t about assuming bad intent. It’s about accepting that capability without oversight is risk.
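Two of the steps above, dual authorization for high-risk actions and review of privileged activity in security tooling, can be checked mechanically against an audit trail. The script below is an added illustration, not code from the original post or from any product: the event schema, the action names, the two-hour window and the sample events are all assumptions chosen for the example. It flags a high-risk action that has no independent second approver, and separately flags the pattern where one person silences detection and then performs a destructive action shortly afterwards, which is exactly the "they know which alerts matter" advantage the post describes.

```python
"""Dual-authorization and privileged-activity review over a security audit trail.

Added example, not from the original post. The event format, action names,
thresholds and sample data below are assumptions for illustration; map them
onto your own IAM / SIEM audit schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Actions that should never be executed by one person alone (assumed list).
HIGH_RISK_ACTIONS = {
    "disable_edr_sensor",
    "disable_alert_rule",
    "stop_log_forwarding",
    "purge_audit_logs",
    "delete_backup_snapshot",
}
# Subsets used for the "silence detection, then act" pattern (assumed split).
SUPPRESSING_ACTIONS = {"disable_edr_sensor", "disable_alert_rule", "stop_log_forwarding"}
DESTRUCTIVE_ACTIONS = {"purge_audit_logs", "delete_backup_snapshot"}
# How soon after suppressing detection a destructive action by the same actor
# is treated as suspicious (assumed window).
SUPPRESS_THEN_ACT_WINDOW = timedelta(hours=2)


@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    action: str
    target: str
    approver: Optional[str] = None  # second person who authorized the action, if any


@dataclass
class Finding:
    rule: str
    actor: str
    detail: str


def check_dual_authorization(events: List[AuditEvent]) -> List[Finding]:
    """Flag high-risk actions that lack an independent second approver."""
    findings = []
    for e in events:
        if e.action not in HIGH_RISK_ACTIONS:
            continue
        if e.approver is None:
            findings.append(Finding("no_dual_auth", e.actor,
                                    f"{e.action} on {e.target} with no approver"))
        elif e.approver == e.actor:
            findings.append(Finding("self_approved", e.actor,
                                    f"{e.action} on {e.target} approved by the actor"))
    return findings


def check_suppress_then_act(events: List[AuditEvent]) -> List[Finding]:
    """Flag an actor who silences detection and then acts destructively soon after."""
    findings = []
    last_suppress = {}  # actor -> time of their most recent suppressing action
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action in SUPPRESSING_ACTIONS:
            last_suppress[e.actor] = e.ts
        elif e.action in DESTRUCTIVE_ACTIONS and e.actor in last_suppress:
            gap = e.ts - last_suppress[e.actor]
            if gap <= SUPPRESS_THEN_ACT_WINDOW:
                findings.append(Finding("suppress_then_act", e.actor,
                                        f"{e.action} {gap} after disabling detection"))
    return findings


def review(events: List[AuditEvent]) -> List[Finding]:
    """Run both checks; dual-auth findings first, then sequence findings."""
    return check_dual_authorization(events) + check_suppress_then_act(events)


# Constructed sample audit trail (fictional actors and targets, not real data).
_T = lambda h, m: datetime(2025, 12, 30, h, m)
SAMPLE_EVENTS = [
    AuditEvent(_T(9, 0), "alice", "disable_alert_rule", "rule:ransomware-behaviour"),
    AuditEvent(_T(9, 40), "alice", "purge_audit_logs", "siem:index-auth", approver="alice"),
    AuditEvent(_T(10, 0), "bob", "delete_backup_snapshot", "vol-0001", approver="carol"),
    AuditEvent(_T(11, 0), "carol", "rotate_api_key", "svc:scanner"),
    AuditEvent(_T(12, 0), "bob", "stop_log_forwarding", "collector-3", approver="dave"),
    AuditEvent(_T(16, 0), "bob", "delete_backup_snapshot", "vol-0002", approver="dave"),
]

if __name__ == "__main__":
    for f in review(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.actor}: {f.detail}")
```

In the sample data, bob's actions are all counter-signed by someone else and his destructive action comes four hours after he stopped log forwarding, so he produces no findings; alice's two events trip all three rules. The point of keeping the checks this simple is that the reviewer of these findings should sit outside the team whose activity is being reviewed, which is the "who monitors the monitors" question the post raises.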
The Skill Set / Leadership Reality...
The more skilled someone is, the more damage they can do. That doesn’t make security professionals untrustworthy. It makes them powerful. And power demands governance. Modern security leadership isn’t just about stopping attackers at the perimeter. It’s about acknowledging that risk can exist anywhere, even among those tasked with defending the organization. The goal isn’t suspicion. The goal is resilience. Because when defenders become the threat, the damage isn’t just technical... it’s institutional.
The IP HighWay
© 2025. IPHwy LLC. All rights reserved.