Skip to main content

What Does an Insider Threat Analyst Do?

by Chris Brook on Tuesday December 4, 2018

Contact Us
Free Demo

Learn about what an insider threat analyst does, along with how they affect existing procedures, policies, and protection layers in organizations in Data Protection 101, our series on the fundamentals of information security.

An insider threat is a danger that an organization faces by its employees, business associates, contractors or third-party vendors who have access to the secured data, computer systems, secure servers and intellectual property of the organization.

Role of an Insider Threat Analyst

It is vital for an organization to perform a threat and risk assessment in order to protect itself from a possible insider threat. In order to assess the risk of an insider threat, the organization can hire an analyst or opt for an external resource.

The external resource, depending on the situation, could be outsourced, but this resource cannot have a vested interest in the company data, services, customers or clients.

The basic task of the analyst is to analyze the data collected for potential threats. The analyst is well versed with the latest techniques of measuring, implementing as well as designing self-learning code to gather data.  The analyst probes into the data and recommends ways to protect the confidentiality and integrity of the organization.

Insider Threat Analyst Job Description

Insider Threat Analysts are responsible for conducting analysis, providing assessments of known threats and vulnerabilities discovered, and identify policy violations, among a variety of other duties related to these broad responsibilities.

Common skills required for candidates include:

• Analytical problem-solving skills
• A keen ability to identify trends and patterns in data
• Organizational and cross-functional communications skills to disseminate and present findings to key stakeholders
• Familiarity with risk scoring and threat analysis tools
• Experience writing, testing, and deploying UAM signatures
• Experience with User and Entity Behavior Analytics
• Experience with Data Loss Prevention (DLP) security controls
• Familiarity with SIEM tools

Companies may also require specific background experience and other qualifications, such as:

• Bachelor’s degree (or higher) in a related discipline
• An active TS/SCI clearance
IAT II Certification
• Prior experience working in a Security Operations Center (SOC) or Network Operation Center (NOC)
• Project management experience and/or experience leading complex technical projects
• A minimum of 5 to 10 years of hands-on experience in insider threat analysis is typically preferred for Bachelor’s-level candidates, while those with advanced degrees may qualify with fewer years of hands-on experience.

Insider threat analyst salaries typically range from $75,000 to $110,000 per year, based on data from Salaries vary based on geographic location, industry, education, background experience, and other variables.

Blog Post

What is an Insider Threat? An Insider Threat Definition

The Function of an Insider Threat Analysis

Data Collection

Before the analyst begins data collection, they get a thorough understanding of the scope of the risk assessment in order to get a grasp on the procedures adhered by the organization. They will also get acquainted with all the technical requirements that are needed to access company data.

The analyst gets a stronghold on the multiple security systems, platforms, layers, firewalls, anti-virus and other security systems that are in place by the organization. They also analyze the operating systems, current security levels and protocols followed in each system.

The analyst documents procedures, practices and policies that need to be in place to begin the threat analysis process.

After that, the analyst carries out a survey and interviews key personnel regarding security procedures and identifies if there are any possible gaps or loopholes which may allow for a breach.

The analyst then extracts raw data to observe concerned behavior and activity of potential insiders. Apart from this, he/she also combines data from multiple sources to observe any anomaly in employee behavior.
The final step after data collection is to create and implement detection methods and strategies for insider threats and use advanced analytics to identify any irregular patterns in insider activities.

Risk Analysis

After data collection, an insider threat analyst then conducts a risk assessment, investigating the data and establishing a system that regularly extracts data to monitor any suspicious activity.
The analyst has the skills to quickly detect and analyze such activities and classify it as a minor, moderate, or high-risk activity. It is important for the analyst to take immediate action on any activity that has the probability of malicious intent.


The final step in an insider threat analysis – and one of the key functions of an insider threat analyst – is to make a recommendation on existing procedures, policies, and protection layers used by the organization.
Apart from reporting the findings of the assessment to management, the analyst creates a set of recommendations for mitigating certain risks and vulnerabilities. These could be suggestions to incorporate new procedures or eliminate those that are ineffective.

Moreover, there could be systems in place that are over-protecting, and discarding their usage could enhance cost savings.

The recommendations also provide clarity to management on making decisions on new product purchases, product testing and integration within existing systems. This also helps in improving standard operating procedures that directly affect system efficiencies.

Benefits of Having an Insider Threat Analyst

Although an Insider Threat Analyst does not directly contribute to the bottom line of the company, it is vital to ensure that there are no chances of a situation arising that could damage or destroy the integrity, confidentiality and reliability of the organization to do business.

An Insider Threat Analyst has expert knowledge of principles and concepts of intelligence and counterintelligence. This helps to keep a check on any hacker mindset, activity or behavior being noticed in an employee or associate of the organization. The analyst can raise a flag in any such event and prevent a malicious insider threat.

The other benefit of having an Insider Threat Analyst is that they help in building, maintaining and regularly updating an insider threat program for the organization. They also make recommendations to service policies, security architecture and provide mitigation strategies.

Threat analysis is not a one-time activity; it must be a continual process. When insider threat analysis is conducted regularly, companies can ensure that the security and protection mechanisms in place are in accordance with the policies established by the organization. In response to the growing need for qualified Insider Threat Analysts, more training programs, such as Threat Analyst Training from the CERT National Insider Threat Center, are being introduced to help professionals prepare for these challenging careers and meet the complex needs of today’s enterprises.

Tags:  Data Protection 101 Insider Threat Threat Intelligence

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.