Over a decade after Edward Snowden’s explosive disclosures, the echoes of that breach continue to reverberate through the cybersecurity world. Chris Inglis, who served as the top civilian leader of the National Security Agency (NSA) during the leaks, recently offered a rare, candid assessment of the agency’s missteps and the enduring lessons for modern CISOs. In this article, we explore Inglis’s reflections on organizational failures, the challenge of detecting insider threats, and the critical role of “enculturation” in building a resilient security posture.
The Snowden Affair and Its Aftermath
In 2013, Edward Snowden, a contractor working for the NSA, leaked thousands of classified documents detailing global surveillance programs. The fallout was seismic, sparking heated debates about privacy, government overreach, and national security. Chris Inglis was the Deputy Director of the NSA—the highest-ranking civilian—at the time. More than ten years on, he acknowledges that the agency made crucial mistakes that allowed the breach to occur and escalate.
Inglis’s reflections are not merely historical; they serve as a cautionary tale for today’s CISOs. The dynamics that enabled Snowden—ranging from over-reliance on technical controls to a gap between policy and practice—remain remarkably relevant. As organizations face increasingly sophisticated insider threats, understanding those missteps can help leaders build more resilient defenses.
Mistakes Made: Acknowledging Organizational Failures
Inglis has been open about the NSA’s shortcomings. He points to three major areas where the agency fell short: oversight of contractors, overconfidence in technical monitoring, and a failure to foster a culture of accountability. While the NSA had robust security policies, execution was inconsistent. Snowden, a system administrator, had access to vast amounts of sensitive data without enough behavioral scrutiny.
Overlooking Insider Threats
One of the critical mistakes was underestimating how a trusted insider could bypass controls. Inglis notes that the agency focused heavily on perimeter defense and external threats, leaving a blind spot in internal monitoring. “We had the right tools, but we didn’t connect the dots on anomalous behavior,” he remarked. For CISOs, this is a stark reminder to implement user behavior analytics (UBA) and to question whether access privileges match job functions—especially for contractors.
Media Disclosure Challenges
When Snowden began releasing documents through journalists, the NSA faced a crisis of communication. Inglis admits that the agency’s instinct was to contain leaks through secrecy, but that approach backfired. He now advocates for a strategic approach to media disclosures: “You can’t just say ‘trust us.’ You have to engage transparently while protecting national security.” This advice translates directly to corporate incident response teams, who must balance legal obligations, public relations, and shareholder trust.
Enculturation: Building a Security-Minded Workforce
A term Inglis uses repeatedly is “enculturation”—the process of embedding security values into an organization’s DNA. He argues that policies written on paper are useless if employees don’t internalize them. The Snowden affair revealed that while the NSA had classified its most sensitive materials, the people entrusted with them were not fully aware of the consequences of mishandling them.
Enculturation involves more than training modules. It requires leaders to model secure behavior, to praise vigilance, and to create safe channels for reporting concerns. Ingis suggests that CISOs should regularly conduct ethical “red team” exercises that test both systems and personnel attitudes. When employees see security as a shared responsibility rather than a compliance checkbox, the organization becomes far more resilient.
Practical Advice for CISOs
Drawing from his experiences, Inglis offers concrete recommendations for today’s security leaders:
- Audit access relentlessly: Regularly review who has access to what. Snowden’s access was far broader than his role required. Implement least-privilege principles and conduct surprise audits.
- Invest in behavioral analytics: Traditional security information and event management (SIEM) systems may miss subtle signs. Use user and entity behavior analytics (UEBA) to detect anomalies like unusual data downloads after hours.
- Foster a speak-up culture: Encourage employees to report suspicious activity without fear of retaliation. Consider anonymous reporting tools and reward ethical concerns.
- Prepare for media scrutiny: Have a crisis communication plan that includes legal, PR, and leadership. Practice responding to leaks in tabletop exercises.
- Integrate enculturation into onboarding: From day one, new hires should understand how security relates to their daily tasks. Make it personal—show how a single leak can damage careers and the organization.
Conclusion: The Enduring Legacy of the Snowden Leaks
More than 13 years later, the Snowden affair remains a watershed moment for cybersecurity. Chris Inglis’s reflections highlight that while technology has evolved, human factors are still the weakest link. His regrets are not about the past but about missed opportunities to build a culture where security is ingrained, not imposed.
For CISOs, the lesson is clear: technical defenses alone are insufficient. A resilient security posture requires enculturation, transparent communication, and a relentless focus on insider threats. As Inglis puts it, “The best defense is a workforce that believes security is everyone’s job.” By heeding this advice, organizations can avoid becoming the next headline—and perhaps even prevent the next Snowden.
Key takeaways from Chris Inglis’s insights that every CISO should note: don’t let policy and practice diverge; learn from your mistakes; and never underestimate the power of enculturation. The Snowden leaks were a painful lesson, but they offer a roadmap for building a stronger, more vigilant cybersecurity culture.