As a former Air Force intelligence officer, I'm very interested in counterintelligence. I've written about counterintelligence and the cyber-threat before. I'm reading a book about counterintelligence failures, and the following occurred to me. It is seldom in the self-interest of any single individual, department, or agency to identify homegrown spies. In other words, hardly anyone in the CIA wants to find a Russian spy working at Langley. If you disagree, examine the history of any agency suffering similar breaches. It isn't pretty; the degree to which people deny reality and then seek to cover it up is incredible.
In some ways this make sense. Nothing good comes from identifying a spy, other than (hopefully) a damage assessment of the spy's impact. Overall the national security of the country can be incredibly damaged, never mind the lives lost or harmed by the spy's actions. However, in case after case, the appeal to higher national security interests is frequently buried.
Reading this book, it also occurred to me that security has exactly the same problem. Spies are worse in most respects, and they could be equated to insider threats. However, just as with spies, in security it is seldom in the self-interest of any single individual, department, or agency to identify compromises. Despite the fact that an intruder is the perpetrator, the victim is often blamed for security breaches. The word "security failure" demonstrates that something bad has happened, so it must be the fault of the IT and security groups. (Imagine if a mugging was called a "personal security failure.")
Because of this reality, it seems that the only way to counter these self-interests is to task a central group, organizationally detached from the individual agencies, with identifying security breaches. In CI, this should be the job of the National Counterintelligence Executive (NCIX), but the Office of the Director of National Intelligence appears to have neutered the NCIX. In digital security, a headquarters-level group should independently assess the security of its constituents. These central groups must have the support of top management, or they will be ineffective.
Update: Fixed the "seldom" problem!