Nearly every day, some security vendor reaches out to me describing how its products and services could have prevented the Edward Snowden public-disclosure of NSA surveillance programs. These vendors talk about strong authentication, privileged account auditing, sensitive data controls, etc.
Yup, old Ed stirred the security pot in the vendor community but security professionals are also paying attention. In working with Vormetric on its 2014 Insider Threat Report, ESG research discovered that 45% of enterprise security professionals say that the Edward Snowden incident (i.e., his public disclosure about the NSA and its PRISM program) changed their organizations’ perspective on insider threats.
So everyone is focused on sensitive data discovery, classification, security, and monitoring. From a security perspective, that’s a very good thing, but it seems to me that some other important Snowdenesque issues have been virtually ignored. Yes, sensitive data security is critical, but CISOs need a perspective on privacy, culture, and business in addition to strong authentication, encryption, and logging.
In my humble opinion, CISOs should think through the whole Snowden affair and ask themselves and their organizations the following questions:
- Does your organization have any business processes that could be perceived as an invasion of privacy? Clearly, Mr. Snowden believed that the NSA was doing so; to the point that he was willing to publicly disclose the practice in spite of great personal risk. If your organization is keeping close tabs on employees, monitoring employee Facebook accounts, conducting background checks, or selling customer data to third parties, you may want to assess whether these business processes may be seen as offensive by some or a large number of your employees. If so, you are likely at risk for a Snowden-like event.
- Does your organization employ a large number of “millennials?” According to a poll conducted by Time magazine, 70% of those aged 18-34 thought that Snowden did a good thing in disclosing the NSA surveillance program as compared to 50% for ages 35-54, and 47% for those aged 55 and over. A Pew Research poll provided similar results. Millenials are known to be optimistic, tech savvy, and team players, but also somewhat fickle, narcissistic, and suspicious. They are also highly connected to social media in numerous forms (like Anonymous, which had 4chan, Encyclopedia Dramatica, and other social sites). Corporate executives (led by HR) should understand how their organization’s mission and operating procedures align with the millennial mindset. If it is out of balance, it shouldn’t come as a surprise when sensitive corporate secrets find their way to Facebook and Twitter.
- Does your organization have proper oversight over trusted contractors? While Edward Snowden’s name has become commonplace, journalists have all but ignored the fact that Eddie was not an NSA employee. Rather, Snowden worked for Booz Allen Hamilton, an NSA contractor (a.k.a. “Beltway Bandit”). Why isn’t Booz Allen being dragged through the mud in all this? Beats me because it should be. This brings me to my last question about trust and oversight when it comes to third-party contractors. It appears that Snowden was treated as an employee rather than a contractor - big mistake. Yes, there is a certain amount of trust inherent in outsourcing, but CISOs should embrace the old security adage, “trust but verify.” In other words, monitor and review everything third parties do on your behalf.
The security aspects of the Edward Snowden/NSA tale have captured the world’s attention, but this is really only half of the story. Smart organizations should also ponder the associated privacy ramifications, think about which groups they may be offending, and figure out whom they can and cannot trust.