Ehedrick
2026-05-04
Cybersecurity

13 Years After Snowden: Ex-NSA Chief Chris Inglis on Regrets, Insider Threats, and Cultural Failures

Ex-NSA chief Chris Inglis reflects on Snowden leaks, admitting cultural failures and offering lessons on insider threats, media disclosures, and enculturation for CISOs.

Thirteen years have passed since Edward Snowden's explosive disclosures about the National Security Agency’s surveillance programs reshaped global debates on privacy, security, and government overreach. At the center of that storm was Chris Inglis, then the top civilian at the NSA. Now, in rare candid interviews, Inglis reflects on what went wrong, the agency's missteps, and the enduring lessons for today's chief information security officers (CISOs). His insights offer a rare look inside one of the most consequential intelligence leaks in history—and a blueprint for preventing similar catastrophes.

Regrets and Reflections on the Snowden Affair

Inglis has openly acknowledged that the NSA’s failure to prevent the leak was not just a technical lapse but a systemic cultural problem. “We missed the signals because we weren't looking for them in the right way,” he said in a recent discussion. His regret centers not only on the breach itself but on how the agency responded to it. In the immediate aftermath, the NSA's instinct was to circle the wagons—a move Inglis now believes backfired. Instead of controlling the narrative, the agency allowed the story to be shaped by outsiders, eroding public trust for years to come.

Source: www.darkreading.com

One of Inglis’s most pointed reflections is on the concept of “enculturation”—the process by which employees absorb an organization’s values and norms. At the NSA, he argues, the culture was too insular. Employees were steeped in a mindset of “we are the guardians,” which made it difficult for them to question authority or voice concerns. That same culture, he says, also made the agency blind to the possibility that a trusted insider like Snowden could become a threat.

Mistakes Made: What the NSA Got Wrong

Inglis catalogues several key errors. First, the NSA failed to implement mechanisms to detect abnormal behavior—such as an employee accessing vast amounts of data outside their job function. Second, there was no effective “separation of duties” for system administrators; Snowden’s role gave him broad access with minimal oversight. Third, the agency’s response after the leak was slow and secretive, which allowed the media to dominate the narrative.

But perhaps the most damaging mistake, according to Inglis, was the lack of a robust whistleblower program. “If people feel they cannot raise concerns internally, they will take them outside,” he said. The NSA’s culture discouraged dissent, pushing individuals like Snowden to external channels. Inglis now advocates for clearer ethical guidelines and anonymous reporting systems to prevent future leaks before they escalate.

Lessons for CISOs: Spotting Threats Before They Explode

Inglis’s reflections are not just historical—they offer a practical playbook for security leaders today. He emphasizes that insider threats cannot be stopped by technology alone. “You need to understand the person, not just the packet,” he warns. CISOs should focus on three areas: behavioral analytics, media disclosure strategies, and cultural reinforcement.

Spotting Insider Threats

Inglis recommends that organizations deploy systems that flag anomalies in user behavior—such as excessive data downloads, after-hours access, or attempts to bypass security controls. But beyond tools, he argues for a human-centric approach. Managers should be trained to notice changes in employee demeanor, disengagement, or grievances. “The technical signals are often the last ones to appear,” he notes. By the time a suspicious download occurs, the intent may already be set.
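A minimal sketch of the kind of behavioral flagging described above, added here as an illustration; it is not code from the article, Inglis, or any NSA system. The event fields, the role-to-resource map, the working-hours window, the volume threshold, and the use of denied requests as a proxy for control-bypass attempts are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: (timestamp, user, role, resource_group, bytes, denied)
EVENTS = [
    ("2026-03-02T09:15:00", "alice", "analyst", "reports", 5_000_000, False),
    ("2026-03-03T10:05:00", "alice", "analyst", "reports", 6_000_000, False),
    ("2026-03-04T14:30:00", "alice", "analyst", "reports", 4_000_000, False),
    ("2026-03-02T11:00:00", "bob", "sysadmin", "infra", 20_000_000, False),
    ("2026-03-03T11:20:00", "bob", "sysadmin", "infra", 25_000_000, False),
    ("2026-03-04T10:45:00", "bob", "sysadmin", "infra", 22_000_000, False),
    ("2026-03-05T23:40:00", "bob", "sysadmin", "hr_records", 900_000_000, False),
    ("2026-03-05T23:52:00", "bob", "sysadmin", "finance", 0, True),
]
# Hypothetical map of which resource groups each job function needs.
ROLE_SCOPE = {"analyst": {"reports"}, "sysadmin": {"infra"}}
WORK_HOURS = range(7, 19)  # assumed local working hours, 07:00-18:59


def flag_anomalies(events, role_scope, volume_factor=10):
    """Return {user: sorted flag names} for users with at least one flag."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes
    flags = defaultdict(set)
    for ts, user, role, group, nbytes, denied in events:
        t = datetime.fromisoformat(ts)
        daily[user][t.date()] += nbytes
        if t.hour not in WORK_HOURS:
            flags[user].add("after_hours")
        if group not in role_scope.get(role, set()):
            flags[user].add("outside_job_function")
        if denied:  # assumption: a denied request stands in for a bypass attempt
            flags[user].add("control_bypass_attempt")
    for user, per_day in daily.items():
        volumes = sorted(per_day.values())
        # Compare the user's heaviest day with their own median day, so a
        # heavy but consistent downloader is not flagged on volume alone.
        if len(volumes) >= 3 and volumes[-1] > volume_factor * max(median(volumes), 1):
            flags[user].add("excessive_download")
    return {user: sorted(found) for user, found in flags.items()}


if __name__ == "__main__":
    for user, found in flag_anomalies(EVENTS, ROLE_SCOPE).items():
        print(user, found)
```

Each flag is weak evidence on its own; scoring several together per user and routing the result to a human reviewer matches the article's point that the technical signals are only part of the picture.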

Managing Media Disclosures

When a leak does occur, Inglis advises against going silent. He points to the NSA’s own failure to engage proactively with journalists. Instead, CISOs should have a pre-established media communication plan that prioritizes transparency. “Control the narrative by telling your own story, even if it’s uncomfortable,” he says. This means preparing fact-based statements, cooperating with regulators, and avoiding defensiveness. The goal is to preserve trust while addressing the breach responsibly.

Enculturation: Building a Culture of Security

The core of Inglis’s message is “enculturation”—instilling security awareness so deeply that it becomes second nature. He urges CISOs to move beyond compliance checklists and foster a culture where every employee feels responsible for protecting data. This involves regular, engaging training sessions, open forums for questions, and visible leadership commitment. “You can’t just tell people to be secure; you have to show them why it matters to them personally,” Inglis explains. A culture of trust and accountability is the most effective defense against insider threats.

Conclusion: A Decade Later, Still Relevant

Thirteen years on, the Snowden affair continues to shape the cybersecurity landscape. Chris Inglis’s willingness to reflect on his own regrets offers invaluable lessons for today’s leaders. The mistakes at the NSA—cultural blind spots, inadequate oversight, and poor crisis communication—are not unique to intelligence agencies. Any organization with sensitive data can learn from them. For CISOs, the takeaway is clear: prevent insider threats by building a culture that encourages ethical behavior, detect them early with behavioral monitoring, and respond with transparency when things go wrong. In the end, security is as much about people as it is about technology.