A Former Spy Shares HR's Critical Role in Workplace Security

Mo: Welcome to today's episode of People and Strategy. I'm your host, Mo Fathelbab, President of International Facilitators Organization. People and Strategy is a podcast from the SHRM Executive Network, the premier network of executives in the field of human resources. Each week, we bring you in-depth conversations with the country's top HR executives and thought leaders. For today's conversation, I'm excited to be joined by Shawnee Delaney, founder and CEO of Vaillance Group, a consulting firm specializing in human risk management. Shawnee is a decorated former clandestine operations officer with the Defense Intelligence Agency, DIA, where she spent a decade conducting human intelligence operations worldwide, including four combat zone tours in Iraq and Afghanistan. After leaving the DIA, she brought her human risk expertise to the corporate world, establishing the first insider threat programs at companies such as Uber and Merck Pharmaceuticals. Welcome, Shawnee.

Shawnee: Thank you. I, I think, um, this is maybe not your average HR background, but I'm really happy to be here.

 Mo: Well, we are happy to have you indeed because it is not our average HR background. So, uh, let's start at the beginning of your career journey. And how did you first get into the world of human intelligence?

 Shawnee: Uh, well, I was a strange child. Um, I, uh, when I was very young, I learned what espionage was. I've always been a very curious person, probably to a fault. And if anyone, uh, remembers when the Marine Corps barracks were bombed in Beirut, Lebanon, I remember the newscast. It was Dan Rather 'cause my dad watched Dan Rather every night. And I remember Dan Rather's tone changed, and my dad put the newspaper down and he focused. I remember the images on the screen, and there was just something about that news story that piqued my curious little brain and I wanted to know why. Why do people... You know, what is terrorism? What... You know, I was too young, but... So anyway, I, I doggedly pursued it. Uh, I got a master's in counterterrorism, counterproliferation. I did everything I could to be marketable to get into intelligence, and ultimately I just wore them down.

 Mo: I love it. I love it. So really it made an impression on you from a very, very early age and you knew, "This is what I wanna pursue." That is, that is fascinating.

Shawnee: Yeah. And, and I will tell you that, like, I'm the kind of person where every job I had, be it a bartender. I wasn't a bartender. I worked behind a bar, but I didn't mix drinks. Working at The Gap. I worked at Disneyland. Like, I did all kinds of random things, and every job I had, I used the skills that I learned there to be a better case officer

Mo:  You know, I, I love that. Uh, I, I had a little retail background and my friend who was a- an incredible dentist, he says that's where he learned everything about dealing with his customers. So one thing leads to another.

Shawnee: Yes, absolutely. It's all people. We're all talking about people.

Mo: That's right. That's right. And I'm very curious to how we see, uh, how HR and terrorism are connected. We're gonna get there.

Shawnee: Oh, I can link it.

Mo: I know you do. I know you do because you wrote an article, and I did read it, uh, in the Winter 2026 issue of the SHRM People and Strategy Journal, where you mentioned that while working at the Defense Intelligence Agency, you were asked to recruit a terrorist. Uh, can you please tell us about that experience and, uh, what characteristics were you able to tap into to recruit that person?

Shawnee: So I, I worked with a number of people we would classify as terrorists. Um, there was one in particular who was very high-ranking at, uh, for a time in Al-Qaeda and knew Osama bin Laden and was just kind of a tough nut to crack. When you are trying to recruit assets, um, when someone's a source and you're trying-- you wanna task them and you wanna do different things with them to get intelligence, there are certain boxes you have to check. And with him, I couldn't get him to accept money. I would meet with him for nine hours a day, and I was trying to figure out why. You know, I'm the antithesis of everything Al-Qaeda believes in. Why would he meet with me? And I spent months just kind of trying to get into his head and building rapport with him, who again, you would think we'd have nothing in common. Uh, and it was really very interesting because that experience taught me so much about what I do today and what do I apply today when I'm helping organizations. And I think what was interesting is the characteristics, like you mentioned, that I used to recruit him specifically was a sense of family. Mm-hmm. We all have families, you know, whether we have kids or not. We've got parents, we got siblings, we have extended family. And tapping into his motivation of, of the family, both from parental figures and children, and sense of education. He was a highly educated person, and he had a hu- he had so many children. And I realized, like, he probably values education. And so when I finally was able to get him to take money, it was tapping into those. Every time I met with him, I, I gave him a big wad of money in an envelope, and he would always push it back and thank me and not take it. And when I had that kind of epiphany about the education and the family, I, I, before-- I stopped him before he pushed it back and I said, "This money's not for you. I actually, after this meeting, I want you to go down to the local bank and I want you to deposit this money, and every time we meet, I'm going to give you money for your kids' college education." And he took the money. And it was kind of, that was just a really pivotal moment where I realized we are all very different people around the world, but we are also all human.

Mo: And many of whom are concerned with preventing threats in the workplace, what are common characteristics for someone who could potentially be an insider threat and what are the early warning signs?

Shawnee: So there's really, there's no, there's no single characteristic that makes someone an insider threat. If you were trying to profile on demographics or personality or personal background, uh, it's ineffective and it's legally dangerous, as I'm sure, you know, your listeners are aware. What you need to be looking for truly is a change in pattern of behavior. You're looking for a behavioral change over time. A departure from someone's baseline, right? So when you, when you see these things, and it could be one thing, it could be 10 things, the trick is to, in my opinion, educate the workforce that-- Because HR doesn't see everybody every day. it's just a fact. People think you do. You don't. But their colleagues do. Maybe their manager does, but usually not. But to educate people that when they see that deviation from the baseline, that they need to report. Because in today's world, if someone is suffering from financial stress or personal stress, they're going through a horrible time in their life, they could be incentivized, they could be under duress or coercion. We don't know, and you can't judge a book by its cover. That could be your top performing employee. They've been there for 25 years. They would never do anything wrong, but you don't know what's going on behind closed doors. So when you detect that deviation, empowering people to report concerns is really, really super important.

Mo: So somebody has had a change in their patterns and, you know, something's going on. What does HR do to react?

Shawnee: Yeah. For me, gold standard, blue sky would be if HR had a really strong relationship with the security team, and they could work in partnership or the insider risk team, insider threat team. Hopefully, you have a team like that. If you don't, call me. Uh, but, but I think it's really important because HR should understand kind of the behavioral patterns. They can see that that person was on a PIP at some point. They can see the things that the security team doesn't see. But the security team is doing that investigation and the digital forensic, you know, investigation, and working in partnership, you can actually triage and you can intervene. When you think about mental health challenges, for example, again, you can't judge a book by its cover. So if you enable your employees to report, and then HR working in partnership with security, relevant security teams can triage that and determine, you know, is there a risk? Do a risk assessment. Is there a true risk? Is it physical harm? Is it self-harm? Is it, you know, harm to theft of IP or trade secrets? They can then intervene. They can offer EAP support. They can offer time off. They can do things to keep it left of boom, as we say, before the person does the bad thing.

Mo: Yeah. Yeah. Thank you. Uh, so in your journal article, you note that HR is often the first line of defense for insider threats because HR sees the human timeline. what does effective onboarding look like from a workplace safety and human risk perspective?

Shawnee: this is an important, um, question actually, because it's not just onboarding. I want you to look backwards, actually. Start with how you're advertising the job. If you are not advertising that job accurately, you're gonna already have someone who's a potential malicious insider when they start the job and realize they can't have their phone at their desk. I didn't know that, right? You're gonna have disgruntlement, and that's gonna snowball. So start with honest job descriptions and advertisement. With interviewing, when you're interviewing people, even before you hire them and onboard them, AI can make anyone sound brilliant. I can know exactly what your cultural values are. I can know all the things you're gonna ask me. I can even rehearse with AI. I can put a deep fake on my face, and AI can do the interview for me. So what you really need to do is you need to elicit if they are a good culture fit. Don't say, "What are our cultural values and do you align?" You need to ask creative questions that figure out if they are culturally aligned to your organization, and vice versa. It needs to go both ways. Because again, if you hire someone, they look great on paper and they've interviewed perfectly, well, then they get on board and they realize I don't like this culture at all, and then they're disgruntled. And then with onboarding itself, this is a really critical time because this is when you're kind of ingraining those cultural values through actions, not just words, you know, training, critical time. Uh, some of you probably are, are familiar with this, but Fast Company did some research, and they found that I think it was 48% of employees who had a bad onboarding experience said that they wanted to leave within six months. And then they've done studies, of course, uh, I think in 2025, there was a survey that found, like, it was 22% left within 90 days due to poor onboarding and training. And most new hires leave after poor onboarding, and it's because they're misaligned with the job that was described or the job that was experienced. There's, like, a weak connection to that team or the company culture. There's poor onboarding support or their lack of training, or they seem disorganized. I mean, I feel like we've all been there. Like, we've all had that job experience. Yeah. And then lastly, like, they just feel unprepared for the role, and so that's why you're setting them up for success if you kind of do that first phase correctly.

Mo: Yeah. So speaking of employee departures, uh, you know, obviously in some cases, uh, they are departed, and in some cases they choose to depart. Um, so why is off-boarding an employer's highest risk window for a threat?

Shawnee: I could talk for two weeks on this one. Um, you have to, you have to understand that access doesn't end at resignation, right? A lot of times, most organizations, they take days, they take weeks to revoke credentials or, uh, you know, do, do the checkbox, get their badge back, get their credit card back. I have, I still have documents and badges from jobs that I left decades ago- Mm ... that they never collected. That's a big problem. And then motivation peaks at the exit door. You've got resentment that's built. You've got financial pressure maybe. Maybe there's a competitor's offer. Um, all of that kind of creates the perfect cocktail when controls are the loosest because people are not, you know, if, especially if a manager knows they're gone, they're not paying attention. They've written them off already. Then you've got things, and they, statistically speaking, data exfiltration spikes in the final 30 days. So employees are kind of building their portfolio. They're downloading files. They're forwarding emails. They're copying client lists. A lot of organizations assume, well, they're a good performer, so we're not gonna, there's, we have nothing to look at. But if you do a 30-day look back, even if you're able to do a 60-day look back, you will see significant numbers of people who are taking your intellectual property. Um, also loyalty. Loyalty is transferred. Psychologically, that employee is already off to that next employer or the next vacation or, or what have you, right? Then, and kind of this maybe goes along with my first point, but IT and HR They move at very different speeds oftentimes. Again, that's why, and I'm probably gonna say this 50 more times, having that strong relationship with, with these security teams is so critical. So having, you know, checklists and, and, and things where you both are doing things in tandem, in unison is really important. I actually saw, I saw this firsthand where there was a gentleman who had been kind of just a, a pain, and we in the security team alerted HR that we thought there wa- there was potential for data exfiltration and physical, you know, fighting and stuff. Mm-hmm. So we had a physical security team around when the person was notified that he was gonna be terminated. I asked our HR business partner to terminate access the, the minute he walked into the meeting. We're waiting, we're waiting, we're waiting. We're in different cities. I, I'm curious what's happened. The meeting's come and gone. Hours go by. She's not responding. I finally get ahold of the HR business partner, and I say, "H- how did it go?" And she said, "Well, I, it... He took it really well." And I said, "Cool. Great. Did you shut off access?" And she said, "Um, yeah, like, uh, 5:00 today." And I said, "Wait, what? Why?" And she goes, "Well, he took it so well, and he said he wanted to just take some, you know, personal photos and files and stuff before he left." So we ran over and did a quick, uh, digital forensic examination, and this gentleman took everything. Mm. He took everything. So that's just a really good example of why.

Mo: So for our HR audience listening today, what two things would you advise them to do to protect their workplace?

Shawnee: I would say maybe first start with a baseline so that if there's deviation, it means something. You can't detect a threat that you've never defined as normal to start with. So documenting what normal looks like for every role, things like typical access patterns, be it physical or digital. What are their working hours? What's their communication behavior? How do they handle data? And again, strong partnership with security for that. And then make things like, um, behavioral observations really part of, uh, a manager's, like, one-on-one, um, touchpoints. Don't make it kind of those informal gut checks that manager's like, "Well, it seems weird." You know, you want, you want to make it a conversation. And then, and I'll hit it again, I really think it's important for organizations to have low friction, highly advertised, confidential reporting where people can report any concerns so that the appropriate team can intervene and, and do assessments. And then I would say the s- the second thing is, and I'm sorry to repeat myself, but it's just so important, is really close that gap between HR and security across the whole employee life cycle, starting from the beginning. When you're doing the onboarding like we were just talking about, bring in the security team, bring in your insider threat team, have them brief everybody on what, what controls, what are they looking at, you know, what are the teams there for, how do they protect them. Having those things is really super important.

Mo: Yeah. Uh, so I love all that. I want to get back to your, uh, very interesting career journey. And after a decade of national security and combat zones, what made you decide to bring these lessons to the corporate world?

Shawnee: Well, maybe it's a little different. It's different, right? I'm not gonna say it's boring because as everyone listening knows, every day can be a challenge. You're working with people. Um, there are not bombs and rockets falling around me, so that's, that's different. I think what made me decide to bring those lessons to the corporate world was, first of all, that lifestyle is incredible. It's incredibly difficult. It is very lonely. It is very stressful. Um, I spent years and years operating alone. Um, it's hard to get medical care, and I think when I, when I left and transitioned to the private sector, initially I felt this, this something was missing. I had this very-- I'm very mission-driven, and I had this sense that, you know, I, I used to save lives for a living, and now I'm saving these companies money. Like, that, that doesn't feel good. And so when I started my company seven years ago, what I, what I realized is that I, I have that sense of mission again. These threat actors, social engineers and fraudsters and organized criminal groups and nation states, they're using the same techniques and tactics that I used to use when I was recruiting assets, but they're using them for bad. And so if I can help educate our, our, you know, workforce nationally, internationally, it, it does give me a sense of mission and purpose again that I am contributing to, to national security.

Mo: Yeah. Thank you. Um, so what is it like, what was it like to build, uh, an insider threat program for a company like Uber or Merck? And did the executives immediately understand- ... the safety challenges as you saw them?

Shawnee: So I will... Yeah. I won't talk about them specifically, but I will say what's interesting just with those two, and I've built programs for many different entities now through my company, um, every line of business you can think of. What's interesting to me is it is more unusual for leadership and C-suite to understand insider threat or human risk and to support it. What I tend to see is that they think it's not gonna happen to them. "Our people wouldn't do that." When you're looking at companies like Uber and Merck, look what they do. You know, Merck is a research and development heavy organization. They're trying to save lives. Uber is a tech company. And so getting into that, what was interesting is their mission obviously is very different, but the culture is so different. And so one thing that I learned, what I took away from both of those specifically, is just how critical culture affects human risk. Culture can really drive human risk and give you more insider threat issues if it's a toxic culture. I've worked in many of them. I'm sure people listening have worked in many toxic cultures too. And you can see it, you know, when you've got that narcissist boss or that person that doesn't contribute and takes all the credit or, or all these different things. Actually, I posted on LinkedIn today about microstressors and how things like microstressors affect culture and affect insider threat. So tho- those two organizations were really advantageous to me and, and my learning, um, process just in, in seeing the differences in culture and how do you, how do you build a program like this for people who, you know, in a tech company, everyone wants access to everything and, and, you know. And then in the research and development space, they all know they're smarter than you, so how do you tell them what they're doing is wrong?

Mo: Yeah. Um, so I'm also reminded by, uh, the situation, the unfortunate situation with the UnitedHealthcare CEO, and I'm just wondering Uh, if, if that enters your, uh, domain, so to speak, as it relates to corporate security.

Shawnee: Yeah. So we don't focus specifically on the physical security side. But when you look at human risk, there are just so many layers to that. Like one thing I, I brief executives often, and one thing that I brief them on is that their inner circle actually makes them a target and can make them a target, be it from a social engineer or from a spy, from a malicious actor, from a competitor. If I wanted to target you, Mo, and you're the CEO of a company, and I can't, I can't quite get to you, well, your wife might be easy to get to, or your secretary, you know, your admin might be easy to get to. And so I think what people need to recognize is that their online presence, their social media presence, their public presence, that's not the only thing that makes them vulnerable. That inner circle also makes them more vulnerable because that circle is also least, uh, or I say less likely to be trained and aware that they could be a vector to get to you.

Mo: Yeah. Makes sense. So when you were doing intelligence work, uh, overseas, what did you learn about human behavior and motivation that still shapes the way you think about organizations and leadership today?

Shawnee: I would say here's something probably people don't want to hear. I, I've got a couple of these popping into my head. First is everyone is vulnerable at some time in their life. Everyone is recruitable under the right conditions. I often say, you know, we've all hit our personal rock bottom. If you haven't, it's coming, for sure, I'm sorry to tell you. Uh, but it's when we're at our lowest point, for whatever reason that is, that's when you are vulnerable. That's when, you know, organizations, they believe their people are immune to, to the things that, that are gonna get them. Also, I would say loyalty, it, it's situational. It's not permanent. Mm. In the field, you never, never assumed that loyalty held. We maintain that relationship, but we watch for drift. That's why we have counterintelligence, uh, reviews and investigations. Another one is grievance. Grievance is the most reliable motivator that I've ever encountered, even above money, above financial. And really truly the best predictor of future behavior is unre- unresolved past behavior. Again, it's those patterns. Those patterns will tell you, will tell you everything. And then the last one, I'm sorry this is probably too many, but I think that people will tell you everything if you know how, how to listen.

Mo: Say more about that. I, I think- How should we be listening?

Shawnee: It's with those patterns. What are people avoiding? What are they emphasizing? What makes them defensive? What do they care about? I learned to, to read that negative space in a conversation, and that skill is as valuable in a leadership assessment as it ever was in a safe house.

Mo: Beautiful. Uh, in your article, you also talk about, uh, people don't make change unless they're unhappy. Can you say more about that?

Shawnee: So it kind of goes along with, with what I was talking about with that rock bottom, right? Uh, a good friend of mine, uh, Jim Lawler, he's a CIA case officer. He's a national treasure. This man is, is a legend in my world. Uh, he said, "I've never recruited a happy person." Right? I, I quote him in that article. That's right. And it's so important that people understand that. When you look at someone's motivations or vulnerabilities, maybe they have a gambling addiction. Maybe, like I mentioned earlier, maybe their, their loved one has just passed away or they're going through a divorce or they have financial hardships. Whatever that is, those things are changing over time. If I assessed your motivation to commit espionage, Mo, when I recruited you was ideological, you didn't like your regime. Well, maybe six months later it might be something different. Um, I had a case where a gentleman, that was what he was recruited under, but then his wife passed away and he believed that his regime could have intervened, they could have saved her life- Ah but they didn't. Perception is reality. And so his m- main motivation changed to revenge, followed by political and ideological. So what I'm trying to say is, is that human risk, it's not static, it's situational.

Mo: Yeah. Uh, great, great, great insights. So, um, you've worked in espionage, combat zones, corporate boardrooms. Uh, which environment is actually harder to navigate?

Shawnee: Ha. Parenting. Parenting. Um, I'm kidding, but I'm not kidding. Uh, real- this might sound crazy, but I think, um, war zones and espionage are a bit more predictable. For example, tactics are studied. I studied, you know, I have a master's in counterterrorism. I knew what Al-Qaeda's ob- uh, objectives were. I knew how they would try to achieve those objectives. I knew we would get, you know, mortared and, and rocketed. But navigating the C-suite and the board and their competing motivations and priorities and personalities is hard. And I know everyone listening is like, "Yes." Look, you've got budgets that are dictating priorities, and not always the right priorities. You've got personalities that hold power that maybe they shouldn't or they have too much, and everyone is different. And I think that's what makes it so much more unpredictable and challenging.

Mo: And so you've seen people under enormous pressure, both in war zones and workplaces. What's something surprisingly universal about human behavior?

Shawnee: Hmm. Maybe that i- it's not how different people behave under pressure, it's how identical they behave under pressure. So if you strip away the uniform or the title or the country, what you find underneath is always the same thing. It is someone who needs and wants to matter. People don't break under pressure. They reveal under pressure. They-- The need to be seen is so much more powerful than the need to be safe. I've seen case after case of this. You know, you've got things like just, just belonging, that sense of belonging. That can override logic almost every, every single time. And everyone has their own narrative in life. I call it the soundtrack of life. You know, you hear a song on the radio and like, "That would play in the story of my life." Well, we all have this narrative, and that narrative is, is why I'm the reasonable one. Yours is why you're the reasonable one. Yeah. And so when people have unmet expectations, it's generally more dangerous than unmet needs.

Mo: The need to be seen is greater than the need to be safe. Yeah. That is profound. Yeah. Um, so if you had to describe HR leaders using intelligence agency language- What role would they play? Analysts, handlers, investigators, or something else?

Shawnee: That's hard. That's a hard one. Um, because i- in my opinion, and you're gonna hear a lot more of me with SHRM because I think you are so critical in this human risk angle, I think HR leaders are the most underutilized intelligence asset in any organization. If you think about it, they have access to the rawest, to the richest human intelligence in the building, and most of the time, nobody is tasking them properly, again, to use like intel language. So you're not gonna like this, but they're all four, really. They're tasked to be analysts. They have to interpret all of the behavioral data and the performance patterns and the engagement signals. They're functioning as handlers. I was a handler, right? I handled assets. So they're managing relationships with sources, the employees who are trusting them with sensitive information. They're navigating loyalty conflicts. They're keeping assets, or, or the talent, engaged and on mission. And they're-- that's all usually without ever being trained in the ethics of tradecraft, if you will, of that role I think investigators was the other one you said? Yeah. They, they are. They're called in as investigators, but it's only after the incident. It's never before the incident. Mm-hmm. They're always reactive. They're rarely resourced, right? And they're expected to really reconstruct these timelines that should've been monitored in real time, to be frank. And then last is administrators, right? That's the greatest intelligence waste in any organization. They, they-- That's not the only role. The... I think if you kind of reframe the question, maybe the role that they should own if they were intelligence, if I were building this intelligence apparatus inside a corporation, HR would be my station chief. Hmm. It would be the senior officer in the field with the deepest human access and the broadest network and the authority to task other functions based on what they're saying on the ground.

Mo: Well, that sounds like a whole new training arm for- ... HR leaders and, uh, I think that's a great opportunity. Uh, so Shawnee, last question. What is one piece of advice that has shaped your work or personal life?

Shawnee: Hmm. Well, the, the first one, this is not relevant. The first one that pops into my mind is I was told there's no crying in spying, so. Hmm. I always, I always tell myself that. Probably, uh, seriously, probably th-the most dangerous assumption that you can make about a person is that you already understand their motivation. I think the moment that you decide that you know why someone is doing what they're doing, you stop watching, you stop asking, you stop listening, you stop updating your assessment, and that's when they're gonna surprise you.

Mo: I love that. And that's where we'll end it for this episode of People and Strategy. Thank you.

Shawnee: Thank you for having me, and stay safe out there, everyone.