Originally a Linkedin post, thus the tailored tone.
Before looking to technology to prevent a Snowden event, it is important to understand what motivates those behind insider threats. Before looking at expensive DLP solutions or encryption technology that will inevitably impact the end user experience and frustrate employees, one must understand what motivates whistleblowers, and understand the difference between whistleblowing, sabotage and burglary. What causes an employee to grow so dissatisfied and disgruntled that they sabotage their own organisation and livelihood?
Let’s leave aside briefly the non-trivial privacy concerns that Snowden raised and imagine he was an employee in a large organisation. Snowden was not a saboteur nor a burglar, the motivations behind his actions were not driven by financial or retaliatory intents. On watching the many interviews and documentaries, is it clear that Snowden is an independent, analytical thinker with an above-average intelligence, a person of strong personal values who places high importance on ethical behaviour. He also clearly has a passion for his work as an information security professional. Regardless of what one thinks of his motivations or politics, he has shown no signs of mental instability or resentment for his former organisation. He sounds more like a model employee. What led him to commit those actions whose results he was well aware would lead to the loss of a well-paid job and a comfortable life?
It is clear that he felt his employer was engaging in unethical and illegal practices, and he either had no way to raise his concerns without fearing repercussions, or he did raise them and was ignored. Taking the Snowden affair as an analogy, imagine he worked at Enron, or at Volkswagen. No one is suggesting that Volkswagen should have used better software development techniques to make their fraudulent car software harder to detect. No one is suggesting that Enron should have been more clever, and made their embezzlement and deception more ‘sustainable’, perhaps with the use of better big data and BI solutions. Yet this is exactly the reasoning we hear coming from information security vendor marketing shills. As if a technical solution can fix what is mostly caused by toxic work environments and bad management, even if it is made possible due to insufficient information security practices and processes.
Protecting critical data with good technical solutions and processes is still important, as there are many more cases of data theft were the motivations of the attackers are guided by self-interest, much like regular burglary. To again use an analogy, it is one thing to defend your home and family from burglars, it is quite another thing if you consider your family members a threat. Organisations are not the same of course, and the trust levels are lower too. This is the normal societal trust hierarchy, with close family being at the pinnacle, and work colleagues being just a couple rungs below, yet the analogy holds. What solution presents a better value proposition for dealing with a situation of internal family conflict, a hidden camera system or family counselling?
To consider technology in isolation from the normative and the societal is of little use in real-world risk management and information security. Investing in treating employees with respect, better pay and working conditions, better corporate governance, ethical business practices and more tolerance for atypical but original thinkers will probably provide a better return on investment than clunky systems which with enough determination – due to the need to balance security and usability – can usually be circumvented by determined attackers. For every Snowden there are hundred unimaginative employees who might lack the initiative for whistleblowing but also lack the originality and proclivity for independent, analytical thinking that are critical requirements for an organisation’s survival. Snowden’s skills and aptitude are exactly those skills of tech workers that has the tech giants tripping over themselves to find, poach and retain.
If employees feel valued and respected, if the work they do fills them with pride, if independence and critical thinking are encouraged, if business practices are ethical, then the best employees will also be the organisation’s best allies. Leaving time for management to focus on defences against burglars and criminals rather than on finding ways to make it harder for the most valued employees to do interesting things.