Kousa4 Stack
2026-05-01
Cybersecurity

13 Years After Snowden: Former NSA Chief’s Candid Lessons for CISOs

13 years after Snowden, ex-NSA chief Chris Inglis regrets missed insider threat signs, urges CISOs to blend tech monitoring with human factors, manage media disclosures proactively, and foster healthy enculturation for security.

Thirteen years after Edward Snowden’s explosive leaks upended the National Security Agency, the man who was the agency’s top civilian leader during that crisis is sharing his regrets and hard-earned insights. Chris Inglis, who served as the NSA’s deputy director and later acting director, now offers a rare, behind-the-scenes look at what went wrong—and what chief information security officers (CISOs) can learn from that watershed moment.

A Leader's Regret: The NSA's Blind Spots

Inglis doesn’t sugarcoat the mistakes made. In a series of recent interviews, he pointed to a systemic failure to detect the warning signs that Snowden posed a threat. “We had all the pieces,” he said, “but we didn’t put them together in time.” The NSA’s internal security processes were robust, he admitted, but they were not designed to catch a trusted insider with privileged access who was acting on ideological motives.

Source: www.darkreading.com

The Cost of Missing Insider Threats

The fallout was catastrophic: hundreds of thousands of classified documents were exposed, damaging intelligence partnerships and national security. Inglis stresses that the lesson for CISOs is not just about technology—it’s about culture. “You can have the best firewalls in the world, but if you ignore the person sitting behind the keyboard, you’re vulnerable.”

Spotting the Next Insider Threat: Advice for CISOs

Inglis lays out actionable guidance for security leaders. He emphasizes that spotting a potential insider threat requires more than monitoring network traffic or access logs. It demands a holistic view that includes behavioral cues, changes in work patterns, and even personal stressors.

Beyond Technical Monitoring – The Human Element

  • Encourage reporting: Build channels where employees can flag concerning behavior without fear of reprisal.
  • Look for anomalies: Unusual data access, printing of documents, or after-hours activity should trigger a review—but not an assumption of guilt.
  • Foster psychological safety: A culture that openly discusses workload, burnout, and disenchantment can help identify at-risk individuals early.

Inglis also warns against over-reliance on automated tools. “Algorithms can flag a thousand alerts, but only human judgment can discern the one that really matters.” Enculturation plays a key role here, as we’ll see below.

Managing Media Disclosures in a Crisis

When Snowden’s documents began appearing in The Guardian and The Washington Post, the NSA was caught flat-footed. Inglis reflects that the agency’s instinct to stonewall the press was a mistake. “We treated reporters as adversaries, when they could have been partners in responsible disclosure,” he says.

His advice to CISOs facing a data breach or public leak: Engage early and transparently. “The moment you lose the narrative, you lose control of the story.” Develop a media relations plan before a crisis hits, including designated spokespersons and pre-approved messages that don’t compromise security but still satisfy public curiosity.

The Critical Role of Enculturation

Perhaps the most talked-about concept in Inglis’s reflections is “enculturation.” He uses the term to describe how organizations instill values, norms, and loyalty in their workforce—for better or worse. At the NSA, he argues, the culture was so insular and mission-driven that it inadvertently created blind spots. Employees were trusted implicitly because they had passed rigorous background checks, yet that very trust became a vulnerability.

Enculturation done right means balancing trust with verification. For CISOs, it involves:

  1. Regularly reinforcing the “why” behind security policies, not just the “what.”
  2. Encouraging open dialogue about ethical dilemmas and the consequences of breaches.
  3. Rotating employees across different roles to prevent siloed knowledge and excessive privilege.

Inglis stresses that enculturation isn’t about creating a panopticon; it’s about building a shared sense of responsibility. “We don’t want a workforce that fears being watched; we want one that watches out for each other.” Spotting threats becomes easier when everyone feels ownership over security.

Conclusion: Turning Regret into Resiliency

Thirteen years after the Snowden affair, Chris Inglis’s reflections are a gift to the cybersecurity community. They remind us that the most sophisticated technical defenses can still fail if human factors are ignored. For CISOs, the path forward is clear: blend monitoring with mentorship, transparency with control, and trust with occasional skepticism. In doing so, they can build organizations that are not only secure—but resilient.

As Inglis puts it, “The enemy isn’t the person who disagrees with you. It’s the person who stops questioning.”