Rarely a day goes by for an IT security professional without hearing a security vendor or consulting firm cite the Edward Snowden affair as proof that their product is necessary for data loss prevention (DLP). Insider threats must be mitigated, and whistleblowers such as Snowden are lumped together with rogue or disgruntled employees as examples of common insider threat actors. The reality is that whistleblowers are a distinct type of actor behind confidential data loss, and the information security profession's response to this type of insider threat is a perfect example of the dilemmas IT security professionals face today. What are the ethics of the profession? How can it provide the most value to the people and organisations it serves?
Before looking to technology to prevent a Snowden event, it is important to understand what motivates those behind insider threats. Before purchasing that expensive DLP solution that will inevitably degrade the end user experience and frustrate users, we must understand what motivates whistleblowers by understanding the difference between whistleblowing, sabotage and burglary. What causes an employee to grow so dissatisfied and disgruntled that they sabotage their own organisation and livelihood?
Let’s leave aside briefly the non-trivial privacy concerns that Snowden raised and imagine he was an employee in your organisation. Snowden was neither a saboteur nor a burglar; the motivations behind his actions were not financial or retaliatory. From the many interviews and documentaries, it is clear that Snowden is an independent, analytical thinker of above-average intelligence, a person of strong personal values who places high importance on ethical behaviour. He also clearly has a passion for his work as an information security professional. Regardless of what you think of his motivations, he has shown no signs of mental instability or resentment toward his former organisation. He sounds more like a model employee. What led him to take actions that he was well aware would cost him a well-paid job and a comfortable life?
It is clear that he felt his employer was engaging in unethical and illegal practices, and that he either had no way to raise his concerns without fearing repercussions, or did raise them and was ignored. Taking the Snowden affair as an analogy, imagine he had worked at Enron or at Volkswagen. No one is suggesting that Volkswagen should have used better software development techniques to make their fraudulent car software harder to detect. No one is suggesting that Enron should have been cleverer and made their embezzlement and deception more ‘sustainable’, perhaps with the use of better big data and BI solutions. Yet this is exactly the reasoning we hear from DLP solution marketing shills, for whom the Snowden affair is just an example of a high-profile data heist, not a complex issue which brought to public attention long-standing debates on privacy and government intervention in weakening cryptography. As if a technical DLP solution could fix a problem that is caused as much by toxic work environments and bad management as it is made possible by bad information security practices and processes. As if a DLP solution could simply sweep under the carpet all the problems that Snowden raised. Is Edward Snowden really just a data thief?
Protecting critical data with good technical solutions and processes is still important, as there are many more cases of data theft where the motivations of the attackers are guided by self-interest, much like regular burglary. To use another analogy, it is one thing to defend your home and family from burglars; it is quite another if you consider your family members a threat. Organisations are not the same as families, of course, and the trust levels are lower too. This is the normal societal trust hierarchy, with close family at the pinnacle and work colleagues just a couple of rungs below, yet the analogy holds. Which presents the better value proposition for dealing with internal family conflict, a hidden camera system or family counselling?
Considering technology in isolation from the normative and the societal is of little use in real-world risk management and information security. Investing in treating employees with respect, better pay and working conditions, better corporate governance, ethical business practices and more tolerance for atypical but original thinkers will probably provide a better return on investment than clunky systems which, because of the need to balance security and usability, can usually be circumvented by a determined attacker. For every Snowden there are a hundred unimaginative employees who may lack the initiative for whistleblowing but also lack the originality and proclivity for independent, analytical thinking that are critical requirements for an organisation’s survival. Snowden’s skills and aptitude are exactly those that have the tech giants tripping over themselves to find, poach and retain as valued employees who are vital to the future success of their businesses.
If the best employees feel valued and respected, if the work they do fills them with pride, if independence and critical thinking are encouraged, and if the business practices are ethical, then your best employees will also be the organisation’s best allies, leaving you time to focus on defences against burglars, criminals and the other insider and outsider threats that pose the risk of a high-impact security incident.
Ivan Niccolai is Senior Analyst at KuppingerCole with a focus on risk management and identity & access management. He has a deep technical understanding and lengthy experience in security consulting across three continents in a wide number of industry verticals, as well as in government and education. He holds a Master's degree in Information Technology Management from the University of Wollongong and has worked in the IT industry for over 15 years.