Insider risk advisory for organizations that take governance seriously.

Frameworks define the standard. They don't solve the problem.

Get in touch
About

There is no perfect program — only whether it works when it matters.

APC helps organizations understand where insider risk actually exists, whether current controls work in practice, and how to respond when something surfaces.

APC works with organizations to:

APC brings federal investigative experience and enterprise program leadership to that work — the perspective of having investigated failures and built the programs that get investigated.

Who We Are

Practitioner-led. Senior expertise. Every engagement.

Ian M. Quinn, NACD.DC, ITPM

Founder & Principal Advisor

Former Senior Executive Service (SES) official with DHS Homeland Security Investigations, serving as Deputy Assistant Director overseeing the Cyber Crimes Center and Investigative Services Division.

His career was built from the ground up as a federal criminal investigator with the U.S. Customs Service and HSI, and later extended into senior leadership within a global financial institution.

His experience spans investigative operations, enterprise program design, and board-level risk and governance. He currently serves as a Board Member, contributing to governance, enterprise risk oversight, and organizational direction.

At the enterprise level, his roles included:

Designing and leading a global enterprise security awareness program across 40+ countries, spanning cybersecurity, information security, and insider risk

Establishing and leading the U.S. Joint Operations Center—a 24/7 fusion capability coordinating response across cybersecurity, physical security, insider risk, and crisis events

Serving as VP, Insider Threat Consultancy & Engagement, leading enterprise-wide insider risk assessments and program implementation across global business lines

Certifications:

CERT Insider Threat Program Manager (ITPM)
Software Engineering Institute | Carnegie Mellon University

NACD Directorship Certification® (NACD.DC)

Additional leadership and service:

Secretary's Award for Outstanding Achievement in Diversity Management, DHS

Board Member (2025–present)

Chair, Virtual Global Taskforce (2012–2015)

Board Member, National Cyber Security Alliance (2016–2018)

What We Do

Practitioner-led. Independently delivered.

Investigative thinking applied to insider risk.

01

Program Evaluation

Is your program structured to succeed?

An independent, structured evaluation of your insider risk program — assessing whether it meets the standards that matter.

Grounded in authoritative frameworks (NITTF, CISA IRMPE, NIST, CMU-SEI) and applicable federal guidance, the evaluation examines governance, personnel, and detection capabilities across the full program lifecycle.

Data is gathered through interviews, document review, and direct observation — providing an honest picture of program effectiveness and a prioritized path to reduce exposure.

02

Vulnerability & Effectiveness Assessment

Are your controls actually working?

Identifies the specific gaps insiders could exploit — grounded in analysis of more than 1,600 real-world insider threat cases.

The assessment evaluates critical services across seven functional domains — Operations, HR, IT, Legal, Physical Security, Systems Engineering, and Technical & Business Processes — producing a clear, domain-by-domain view of exposure mapped to a defined preparedness scale with prioritized recommendations.

03

Program Design & Implementation

A policy is not a program.

APC designs insider risk programs that work under real conditions — for organizations starting from scratch, or with fragmented elements that don't yet add up to a coherent program. Governance structures, core documentation, and a phased roadmap aligned to your operational and regulatory environment.

04

Board Governance Advisory

Your board is accountable for insider risk. Are they informed?

Translating insider risk into board-level language — governance, oversight structures, director readiness, and the questions boards should be asking but often aren't.

05

Virtual Insider Risk Advisor (VIRA)

Senior expertise. There when it matters.

Senior expertise on a retained basis — providing continuity, strategic oversight, and escalation support without the cost of a full-time hire.

06

Human Risk & Security Awareness

Generic training creates compliance. Practitioner training creates culture.

Bespoke awareness and training programs grounded in real investigative experience — not generic compliance modules.

07

Insider Incident Response Advisory

Don't design your investigation protocol during the investigation.

When an insider incident unfolds, APC provides immediate advisory support — guiding investigation approach, evidence handling, and stakeholder management under pressure.

Specialist partners are engaged as required.

08

Trade, Customs & Supply Chain Advisory

Supply chain risk has an inside story.

Trade and supply chain operations carry insider risk most programs overlook.

APC provides advisory and investigative guidance grounded in federal experience — addressing exposure tied to insider facilitation, trade fraud, and regulatory risk.

Trusted Network

APC is intentionally boutique—built to scale when engagements require it.

A trusted network of senior practitioners—former federal investigators, financial institution leaders, and specialists in financial crime, insider risk, and organizational behavior—is engaged selectively based on the needs of each engagement.

Meet the Network →
Signals & Silence

Insider risk. In plain language.

Short articles drawn from practice — written for leaders who carry the accountability.

Signals & Silence No. 2

The Noise Was the Cover

Every year, organizations bring in a wave of temporary staff. They sign the AUP. They complete the mandatory training. And then the DLP queue fills up — while somewhere inside that flood, someone is counting on exactly that.

Read the article →
Signals & Silence No. 1

The Print Job Nobody Was Supposed to Notice

A well-respected senior manager spent the better part of an afternoon at the printer. A colleague noticed. A few days later, the manager resigned for a competitor. That's when the colleague paused.

Read the article →
View all articles →
Contact

Let's talk.

If you're assessing where your program stands, building something new, or navigating an active situation — let's talk.

Email
ian@afterperfectconsulting.com
LinkedIn
linkedin.com/in/ian-m-quinn

All inquiries are handled confidentially.