By all accounts, 29-year-old Edward Snowden is a man to be trusted. He has an impeccable background that includes a stint in the Army during the Iraq War. After breaking his leg in a training accident, Snowden was discharged and joined the CIA as a technical assistant. He ultimately came to the NSA defense contractor Booz Allen Hamilton with top security clearance and a sense of purpose.
The NSA employs the brightest intelligence people on Earth. Their charter under the United States Department of Defense delegates responsibility for the collection and analysis of foreign and domestic communications and foreign signals intelligence, as well as protecting U.S. government communications and information systems. As a Systems Administrator, Snowden had access to highly privileged, confidential and sensitive information.
Snowden left behind a girlfriend in paradise and a $200,000 a year career on a promising path. He is likely never going to see his parents again, and undoubtedly will be looking over his shoulder the rest of his life. Edward Snowden walked away from the life he knew. And took with him the secrets of the NSA.
During Snowden’s 12-minute interview from Hong Kong, he mentioned something I find quite remarkable: “The only thing that restricts the activities of the surveillance is policies.” Yet, it’s the duality of these same types of policies that organizations need to have in place to protect and prepare themselves for exactly these types of security incidents. So goes the Russian proverb, Doveryai no Proveryai (Trust but Verify).
We’ll never fully know the extent of the security controls of the NSA and the information lifted by Snowden. Yet, we see this type of incident all too often in our customer environments. We extend a level of trust to an employee or contractor, only to have that trust abused, resulting in loss of sensitive information. How many times have we seen a contractor work on an information-sensitive project for an organization, only to take that same information from a company and use it on their next project?
Security isn’t a product or a process. Security is a combination of tools, people and processes that enable organizations to reduce risk and protect their critical assets. However, as security professionals we too often focus solely on the protection aspects of our security program. We tend to overlook the reality that the game-changing ability of a security program is how well we’ve prepared for and respond to a security incident. Have we thought through an incident, and do we understand how best to respond? What is the impact on our business? Are we prepared to take corrective action and measures, and do we understand the impact of a breach on our business and customers?
And the truth is, we cannot stop breaches of trust from happening. However, we can use a breach of trust, whether it’s from our own employee, contractor or business partner, as a catalyst for change within an organization. We can choose to embrace information security and make it part of our business. And with CDW’s help, we can design and implement information-centric controls and a robust security program that will better prepare your organization for its potential breach of trust.