Insider Threat Operations Center (ITOC)

3 Reasons Consulting, Charleston, SC

About The Position

The Insider Threat Operations Center (ITOC) Analyst / Technical Lead supports enterprise Insider Threat programs by conducting technical analysis of user activity data and alerts to identify indicators of malicious, negligent, or risky insider behavior. This role supports civil, workplace, counterintelligence, and law enforcement inquiries and investigations while ensuring protection of legal rights, civil liberties, and privacy. At the Analyst level, the role focuses on alert triage, behavioral analysis, reporting, and investigative support. At the Technical Lead level, the role provides operational leadership, quality control, prioritization, stakeholder coordination, and strategic oversight of Insider Threat operations. This position works closely with Defensive Cyber Operations (DCO) teams, Operations Watch Officers, subscriber Insider Threat Program Managers, and U.S. Government partners to ensure effective, compliant, and mission-aligned Insider Threat detection and response.

Requirements

  • Strong understanding of insider threat analysis and user activity monitoring
  • Experience analyzing host-based data and behavioral indicators
  • Ability to synthesize complex data into clear analytical conclusions
  • Strong written and verbal communication skills
  • Ability to operate with discretion and sound judgment in sensitive investigative environments
  • Ability to work independently and collaboratively in a team environment
  • Minimum of three (3) years of experience supporting Department of Defense or Intelligence Community Insider Threat programs (Analyst)
  • Minimum of five (5) years of experience conducting insider threat analysis and leading or overseeing Insider Threat operations (Technical Lead)
  • Subject matter expertise with Executive Order 13587, Director of National Intelligence National Counterintelligence and Security Center Insider Threat Task Force standards, and Department of Defense Insider Threat regulations and guidance (Technical Lead level)

Nice To Haves

  • Bachelor’s degree from an accredited institution
  • One (1) or more years of scripting or programming experience within the last three (3) years, including languages such as PowerShell, Python, Ruby, Shell/Bash, Java, C/C++, C#, Perl, or PL/SQL
  • Knowledge of data science techniques such as anomaly detection and machine learning
  • Expert-level understanding of insider threat indicators, user activity data, and behavioral analysis
  • Familiarity with foreign intelligence entity tactics, techniques, and procedures
  • Experience working in multi-tenant or service provider environments
  • Experience supporting Department of Defense or Intelligence Community Insider Threat programs

Responsibilities

  • Conduct technical analysis of user activity data and alerts to identify potential insider threat indicators
  • Triage alerts by correlating insider threat data with additional data sources to assess risk and intent
  • Develop hypotheses and perform behavioral analysis using available tools and datasets
  • Support directed requests related to civil, workplace, counterintelligence, or law enforcement investigations
  • Incorporate complex data flows and contextual information into analysis and investigative assessments
  • Produce concise, accurate, and timely analytical reports for Insider Threat stakeholders and leadership
  • Present analytical findings to team members and management in a clear, actionable manner
  • Refine alerts based on triage results, current threat activity, and operational feedback
  • Contribute to development and improvement of Insider Threat processes, procedures, and documentation
  • Collaborate with Operations Watch Officers and analysts to support investigations, campaigns, and events
  • Provide day-to-day technical leadership of Insider Threat Operations Center activities
  • Set team priorities consistent with the mission and Defensive Cyber Operations priorities
  • Assign focused observation requests to analysts based on workload and skillsets
  • Review analyst reports to ensure accuracy, completeness, relevance, and timeliness prior to dissemination
  • Serve as the primary interface with Subscriber Insider Threat Program Managers and working groups
  • Ensure Insider Threat tools are properly configured to support effective alerting and analysis
  • Maintain accountability of Insider Threat personnel and address personnel concerns as required
  • Ensure Cybersecurity Workforce Framework (CSWF) and annual training compliance for Insider Threat team members
  • Support development and maintenance of domain-level documentation, including Concepts of Operations (CONOPs), Standard Operating Procedures (SOPs), and Desk Training Procedures (DTPs)
  • Ensure Insider Threat capabilities and documentation comply with Department of Defense Cybersecurity Services Evaluator scoring metrics, Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01B, and applicable policy directives
  • Collaborate with Insider Threat programs across the U.S. Government to share lessons learned and incorporate best practices
  • Coordinate with Technical Leads and management to support enterprise mission success

Benefits

  • Short/Long Term Disability
  • Basic Life Insurance
  • Direct Payroll Deposit
  • Leave Accrual
  • Holidays
  • 401(k) Match
  • Additional (Voluntary) Life Insurance
  • 401(k)
  • Medical Coverage
  • Dental Coverage
  • Vision Care Plan
  • Flexible Spending Account Plan

© 2024 Teal Labs, Inc