Thirteen years after Edward Snowden's explosive leaks, the former top civilian leader of the NSA, Chris Inglis, opened up about the agency's missteps and the hard lessons learned. In a candid interview, he discussed what went wrong, how to spot potential threats from within, and the concept of 'enculturation.' His insights offer valuable guidance for today's CISOs navigating a landscape of insider risks and media scrutiny.
What were Chris Inglis's biggest regrets about the NSA's handling of the Snowden leaks?
Inglis's primary regret centers on the NSA's failure to detect the warning signs that Snowden was a potential risk. He acknowledged that the organization placed too much trust in individuals without sufficient checks, and that its internal monitoring systems were not robust enough to flag suspicious behavior. Another regret was the lack of a proactive culture that encouraged employees to report concerns without fear. Inglis also regretted how the NSA initially responded—focusing more on damage control than on understanding the root causes. He emphasized that prevention is always better than reaction, and that a culture of transparency and vigilance could have altered the outcome.
How did the NSA miss the red flags that Snowden was a potential insider threat?
Inglis explained that the NSA's oversight mechanisms were flawed. Snowden had access to vast amounts of classified data as a system administrator, yet his behavior—such as downloading large volumes of files and asking probing questions—was not flagged. The agency relied heavily on technical controls like audits and access logs, but these were reviewed retrospectively rather than in real time. Additionally, the culture of trust within the NSA meant that colleagues were reluctant to report suspicions. Inglis noted that a combination of better behavioral analytics, regular security training, and a more open environment for raising concerns could have helped. He stressed that CISOs today must implement continuous monitoring and encourage employees to speak up.
What is 'enculturation' and why is it critical for security?
Enculturation, as defined by Inglis, is the process of embedding security values into every aspect of an organization's culture. It goes beyond mere training—it's about making security a natural, instinctual part of how employees think and act. Inglis argued that the NSA failed in this regard because security was seen as a separate function handled by specialists, not as everyone's responsibility. He believes that effective enculturation involves clear communication of risks, leading by example from top leadership, and rewarding proactive behavior. When employees internalize security as part of their identity, they are more likely to spot anomalies and report them. For CISOs, building this cultural foundation is just as important as deploying technical defenses.
What advice does Inglis have for CISOs on spotting potential insider threats today?
Inglis recommends a multi-layered approach combining behavioral analytics, regular audits, and a supportive reporting system. He urges CISOs to watch for patterns such as unusual access requests, after-hours activity, or unexpected data transfers. But technology alone is not enough; leaders must create an environment where employees feel comfortable raising concerns without fear of retaliation. He also suggests peer monitoring programs and anonymous hotlines. Another key point is to conduct exit interviews and monitor disgruntled employees. Inglis emphasizes that insider threats often stem from personal grievances or financial pressures, so human intelligence is as vital as technical tools. CISOs should balance trust with scrutiny and continually reassess who has access to sensitive data.
How should organizations handle media disclosures of security breaches according to Inglis?
Inglis advises a policy of proactive transparency with the media, rather than stonewalling or covering up. He learned from the Snowden affair that secrecy can backfire, leading to loss of public trust and more damaging leaks. Organizations should prepare factual, clear statements that acknowledge the breach without revealing sensitive operational details. It is crucial to coordinate with legal and communications teams to ensure consistency. Inglis also stressed the importance of internal communication before going public—employees should hear about the incident from leadership, not from news outlets. He warns against blaming individuals or deflecting responsibility; instead, focus on the steps being taken to remedy the situation and prevent recurrence.
What lessons about the balance between transparency and security did Inglis take away from the Snowden incident?
Inglis came to realize that extreme secrecy can ironically undermine security by breeding distrust and prompting insiders to leak. He advocates for a balanced approach where agencies and corporations are transparent about their processes and oversight while protecting genuine secrets. Oversight bodies, such as independent review boards, can help maintain trust. Inglis noted that the public's right to know must be weighed against operational needs, and that engaging with critics can actually strengthen security. He now believes that organizations should voluntarily share more information about their security practices, as this can build confidence and deter malicious actors. The key is to never let secrecy become a shield for mistakes.