Think the Snowden problem is limited to secret government groups as the NSA, and can’t happen to you? Then you have not learned the many lessons that apply to every organization. Think again!
The Snowden problem resulted in catastrophic reputation and intellectual property damage to his employer. Either this employee was a brilliant hire who lost faith and trust in his own organization, or he was a terrible hire who had access to far too much. Both of those possibilities can occur in any organization.
On examining the details of this case, four important lessons can be learned:
- Even great recruiting practices are not enough to avoid a potential Snowden problem.
- The tools which manage how much data an employee can accumulate and take with them need more emphasis and investment. They are as important as the common policies which determine what data an employee can access to do their job, if you want to reduce the impact and potential of a Snowden problem.
- If you have team mates with narrow roles and you don’t help them understand the master plan, they will sub-optimize, or worse become a Snowden problem.
- If your organization does not create a credible trusted mechanism for resolving mistrust or concerns, then potential ethical or operational problems go unaddressed. Worse, great employees may leave with the wrong impression about your organization, or you create your own Snowden problem.
Let me explain.
Great recruiting is not enough
Snowden has a sparse resume. As a US Army special forces recruit, he did not complete his training. He then worked as a NSA security guard before he joined the CIA to work on IT security. From there he worked his way into what he described as a $200,000 a year job with the NSA, followed by a stint as a consultant with Booz Allen Hamilton. While at Booz he served as a consultant to the NSA.
His educational history is questionable. He never completed high school, and took courses at a Community College for credits towards the high school diploma, but he never finished. He claims he took courses at the University of Maryland and University of Liverpool, but show no record of completion anywhere. Maybe he was a computer whiz without official credentials, but his career progressed on building blocks which as a whole don’t appear to support the role, responsibility or access he had.
Snowden worked for three very capable organizations: The NSA, Dell, and Booz Allen Hamilton. It’s fair to say that each of these employers have good recruiting programs that are intended to weed out the Snowden problem, yet each in turn failed. In addition, the private company which does background checks of government employees, USIS, completed their most recent review of Snowden in 2011, which he passed. Snowden got a “Top secret compartmented information” clearance and access to the most sensitive information in the United States.
My friends, who are talented human capital supply chain professionals, tell me that even the best recruiting practices will go so far. At best, they find 95% of the Snowden problem cases. I expect the rigorous guys at Booz Allen to be better than that, but their recruiters said they found that details of his education “did not check out precisely”, yet they hired him. Each of the recruiting organizations in the chain gave credibility to the prior recruiting process used by the earlier employing organizations. They assumed if he was good for the previous guys to hire, then his credentials must be bonafide. This assumption was a serious error which many recruiting processes continue to make today.
In addition to the recruiting checks, the US Government requires employees who will have access to sensitive data go through a rigorous and invasive vetting technique of background checks. That approach is supposed to raise the probability of finding Snowden problem cases, but as shown even those checks are not perfect. If the USIS finds 99.9% of the Snowden problem cases, then the US government, which has over 2 million employed with top secret clearances, still has a potential 2,000 Snowden problem cases out there.
The best recruiting and vetting processes will reduce your potential of a Snowden problem, but will not eliminate it.
Controlling how data is used is as important as who has access
Data access, and determining who should use what data, is an important challenge for every organization. Full access and transparency stimulates more involvement and engagement, but introduces more security risks. So, every organization puts in place policies for data access based on who they can trust and what is needed for that individual to do their work. Legions of software and hardware tools are based on managing access policies, including complex password schemes and managers, and network monitoring devices to make sure the wrong people, including outsiders, do not get access to secure data.
In fact, most of the cybersecurity world is fascinated with the problem of an outsider hacking into an organization secure data. It’s what we hear the most. Wikileaks, and now the Snowden problem, both highlighted the significant cybersecurity challenge of an insider who has credentialed access.
If Snowden or his Wikileaks predecessor did not have massive amounts of privileged data, which they could carry with them as proof, their memory would not be enough to create the scandals it did. The Snowden problem is less about access, and more about how much privileged data the employee could accumulate and take.
With the cloud based storage and other technologies available today, there is very little reason for any employee to accumulate massive amounts of data that can be taken out the door. A process and tools should have been in place to ensure they could not collect and siphon data that could be damaging.
Who has access to an organizations data is a part of the cybersecurity equation, what they can do with the data is equally important. If you don’t control how much data your employees can walk out the door with, then you create a Snowden problem.
No overview, no optimization or trust
We know that to organize work effectively, or to carry out large assignments, tasks must be split. The natural outcome is a team mate who may not see the broader view, and may sub-optimize as a result.
In Snowden’s case, he had unusual access to large swaths of data, but did not have an understanding of the whole. It is possible, in his role, what he was doing might sound illegal, yet not be. This is especially the case if he was not aware of the purpose for which the data is being used, the protections around data collection and who had access to it, and whether there was a legal underpinning for this. Because he lacked a sense of the overall, he assumed wrong doing. He may very well have identified wrong doing, but that issue is moot, since he did not feel he had an internal trusted outlet for voicing his concerns (a point I will get to next).
If your team mate is, by necessity, working on a small part of the problem, and they don’t understand how their part fits into other parts or the whole, they are a potential Snowden problem. We know that the nut and the bolt must be optimized together to get a proper fit. Optimize each individually and you get bolts which don’t fit into their corresponding nuts. The same is true for organizations, even those that need to compartmentalize for security purposes.
Keep your employees in silos and don’t give them an overview, or an outlet for questioning their part, and you create a potential Snowden problem.
Every organization needs a credible trusted mechanism for resolving internal mistrust or concerns
I have worked in several organizations with superb ethics and internal operations controls, and each has implemented formal communications processes for addressing concerns about wrong doing. US government contractors are required to implement “business standard” processes intended to find internal wrong doing, or even in transactions involving customers or suppliers. Effective programs include internal advisors that can be approached by any employee, and external hotlines or other mechanisms to offer anonymity. The point is that mature organizations include a mechanism to ensure that any employee, supplier or customer, who suspects wrong doing, can easily report the potential wrong doing, get it reviewed and fixed if necessary.
The US government has this in place, even including a “whistle blower” law that could be lucrative to those identifying wrong doing that is proven. We agree it’s hard to go to your boss with a concern of the boss doing something wrong given the high incidence of management retaliation, or the potential for a cover up. This is why, most organizations offer an outlet that is not controlled by an employee supervisor. Some companies use anonymous hotlines to their auditor or outside legal counsels.
The Snowden problem? He did not choose any internal or discreet mechanism to voice his concerns, he went public. Snowden either was not aware of the internal mechanisms or he lost faith in the system as a credible way to address his concerns. Both of those situations are deadly sins guaranteed to deliver a Snowden problem.
What you can do to avoid your own Snowden problem
- Check out potential employees thoroughly. Don’t assume their earlier employer did the hard work.
- Make sure your IT policies are focusing on who has access to what data, but controls how they have access, and how much they can accumulate.
- Make sure every team member has sense of and connection to the overarching objectives. They can be so much more productive and contribute to overall optimization.
- Work on internal and external trust and ensure every employee, supplier and customer, know outlets are available (put them in place if they do not exist today) for voicing concerns.
What do you think? Add your views by commenting below!