Insider risk rises as security shifts from the network to the individual, creating new challenges around identity and real-time verification.
Steve Layne, Chairman and CEO of RedVector, explains that every breach traces back to a human element and that trust now requires active validation.
He outlines a proactive approach that monitors workforce risk and uses fitness-for-duty checks to prevent incidents before they escalate.
Cybersecurity’s center of gravity is moving from the network perimeter to the person. The next frontier isn’t just stopping external hacks but confirming that every employee is who they claim to be and fit to perform critical work. Security is becoming an identity and verification challenge that now requires proof of both intent and real-time human capability.
Steve Layne is a serial entrepreneur and veteran cybersecurity executive, currently serving as the Chairman and CEO of insider risk management firm RedVector. His career includes leading major cybersecurity organizations at Lockheed Martin and Capgemini and building multiple successful startups, giving him a front-row view of how threats evolve long before they make headlines. For him, the security conversation must begin with the human element.
"Every breach, every attack, ultimately comes back to a human vector. There are no bots that have gone amiss, no AI automatically creating these exploits. It can always be traced back to humans. It's humans carrying these exploits out, and it's humans allowing the exploits to occur," says Layne. Technology may amplify risk, but he maintains that people remain the root cause and the first line of failure.
Redefining the problem: Layne says the only way to manage insider risk is to separate "risk" from "threat" and watch for signs that a person’s behavior is changing long before it becomes an incident. "All threats first started as a risk, but not all risks turn into threats," he says, adding that most problems begin with ordinary mistakes rather than malicious intent. That's why the outcome matters more than the motive. "The implications can be equally devastating, whether someone accidentally allowed someone else access to privileged credentials or somebody sold it for a half a bitcoin on the dark web."
The impersonation problem: The problem of insider risk has gained new urgency in a post-COVID world where traditional models of workplace trust have frayed. Layne points to cases where something as routine as hiring a new employee can turn into a national security risk. "Companies have been burned by trusting that they could hire that person over a Zoom call, doing the interviews and the background checks, only to find it was a front for a nation-state adversary."
The erosion of implicit trust, paired with the high stakes of an accidental mistake, is pushing some companies toward new solutions. The concept of using wearable technology for employee safety is now being extended to security, with some organizations experimenting with biometric monitoring for employees in critical roles.
Verifying fitness for duty: "Think about roles where a single lapse carries real consequences," Layne says. "If someone is transporting hazardous materials or sitting beside a critical control, you need confidence that the person on duty is alert, capable, and actually the one making the decision. That's what fitness-for-duty verification is really about." Security is shifting from implicit trust to active verification, with biometric access and fitness-for-duty checks pushing risk down to the individual employee.
Trust but verify: For businesses, that creates a new challenge: proving someone is ready to work in real time without crossing ethical lines. "It really comes down to trust but verify. I can trust someone to a point, but I still need to validate who they are and whether the information around them holds up. Once it clears that bar, I’m comfortable—though I’m not handing over my credit card."
Looking ahead, Layne says AI is creating "really fast superhighways," and society will need real guardrails to keep pace. The shift demands collaboration at a scale most industries aren’t used to, moving from individual safeguards to ecosystem-level protection. He points to the ISAC model as proof that it works, where direct competitors share threat intelligence because the cost of going it alone is simply too high.
"JPMorgan Chase, Bank of America, and Wells Fargo are going to compete on a lot of different fronts, but they’re not going to compete with one another in terms of security," he says. In his view, that’s the future: industries that treat security as a shared responsibility because they're stronger—and safer—together.
