Inside the Snowden Crisis: An NSA Chief's Lessons on Security Culture and Insider Threats

2026-05-02 08:31:09

Thirteen years after Edward Snowden’s explosive leaks, Chris Inglis—the former top civilian at the NSA—opens up about the agency’s missteps, the lasting impact on cybersecurity, and what today’s CISOs can learn from that watershed moment. In this Q&A, Inglis reflects on internal failures, the art of managing media disclosures, and why “enculturation” is the hidden key to preventing the next Snowden.

What were the biggest mistakes the NSA made before and during the Snowden leaks?

Looking back, Inglis identifies two critical errors. First, the NSA failed to create an environment where employees felt safe raising concerns internally. Snowden himself tried to flag issues through official channels, but the culture discouraged dissent. Second, the agency underestimated the power of human factors—trusting technical controls while neglecting behavioral warning signs. Inglis notes that if the NSA had fostered a more open culture where whistleblowers could be heard without fear of reprisal, the leaks might have been prevented or contained much earlier. The lesson for CISOs is clear: a security culture that silences skeptics is a breeding ground for insider threats.

Source: www.darkreading.com

How can CISOs better spot potential insider threats today?

Inglis advises moving beyond technical red flags (unusual data access, large downloads) and focusing on behavioral patterns. He calls this “tuning in to the human signals.” Watch for disgruntled employees who repeatedly challenge authority, especially those with access to sensitive data who feel their ethical concerns are ignored. Inglis emphasizes that insider threat detection isn’t just about algorithms—it’s about creating an environment where employees can voice dissatisfaction constructively. He suggests regular “culture audits” and anonymous reporting mechanisms. The goal is not to spy on everyone, but to identify the small minority whose frustration might turn into a breach. Trust but verify—and listen.

What lessons did Inglis learn about handling media disclosures during a crisis?

The Snowden leaks thrust the NSA into an unprecedented media firestorm. Inglis admits the agency was ill-prepared for the speed with which classified documents were published. His key takeaway: do not stonewall the press. Instead, proactively provide context and correct misinformation before it solidifies. He recommends every CISO have a media-preparedness plan, including designated spokespeople and pre-approved talking points. More important, be transparent about what you can and cannot share. Inglis stresses that silence is often interpreted as guilt. In the age of instant leaks, controlling the narrative means engaging early, openly, and consistently—even when you wish you could stay quiet.

What does “enculturation” mean and why is it crucial for security leaders?

“Enculturation,” as Inglis defines it, is the process of embedding security values so deeply that every employee naturally prioritizes them. It goes beyond training or policies—it’s about creating a shared identity where protecting data becomes part of the organizational DNA. Inglis believes the NSA failed at enculturation because it relied too much on top-down directives and classified walls. For CISOs, he recommends starting with leadership example: when executives openly discuss security trade-offs and model good behavior, the culture strengthens. Enculturation also means celebrating ethical flags, not punishing them. If an employee feels that reporting a vulnerability is as normal as logging in, the organization is safer.

How has the security landscape changed 13 years after Snowden?

Inglis observes a double-edged evolution. On the positive side, insider threat programs are now widespread, and the CISO role has gained boardroom credibility. Yet many organizations still treat security as a compliance checkbox rather than a cultural priority. Snowden also triggered a wave of encryption and anonymity tools, making data harder to protect even for legitimate security teams. Inglis warns that the technical arms race has intensified: attackers use AI, while defenders lag. The biggest change, he says, is that the public now expects transparency—a demand that pressures both private and public sectors. The NSA’s mistakes serve as a permanent reminder that culture, not just firewalls, determines security success.

What personal regrets does Inglis have about his leadership during the Snowden affair?

Inglis is frank about his regrets. He wishes he had pushed harder for a culture that allowed ethical dissidents to be heard. He acknowledges that he trusted the existing whistleblower systems too much—systems that clearly failed. Another regret is not personally engaging with Snowden before he left the country. Inglis believes that a direct conversation might have revealed the depth of Snowden’s disillusionment. He also regrets the NSA’s reactive media strategy; by the time they spoke publicly, the narrative was set. These regrets shape his current advice to CISOs: be proactive, be human, and never assume your culture is strong until you test it by listening to the critics inside your own house.
