Lessons from the Snowden Leaks: An Exclusive Q&A with Former NSA Chief Chris Inglis

Posted by u/Walesseo · 2026-05-02 09:46:48

Thirteen years after Edward Snowden’s explosive leaks, Chris Inglis—the top civilian leader at the National Security Agency during the crisis—opens up about the NSA’s missteps, the lasting impact on cybersecurity, and what today’s CISOs can learn from the affair. In this candid Q&A, Inglis shares his regrets, discusses how to spot insider threats, navigates the delicate balance of media disclosures, and explains the critical concept of “enculturation.” Whether you’re a security professional or simply interested in corporate governance, his reflections offer timeless lessons.

What were the NSA’s biggest mistakes during the Snowden affair?

Chris Inglis points to a critical failure in communication and oversight. The NSA, he explains, operated under the assumption that its methods were both legal and effective, but it did not adequately explain those methods to the public or even to internal watchdogs. “We were too insular,” Inglis reflects. “We thought our mission and our safeguards were self-evident, but they weren’t.” This lack of transparency allowed a single contractor to exploit gaps in both technical monitoring and cultural trust. Inglis also regrets not pushing harder for a more robust insider threat program that would have flagged Snowden’s unusual data access patterns earlier. The lesson for any organization: assuming that your team understands the “why” behind security policies is not enough—you must verify and communicate constantly.

Source: www.darkreading.com

How should CISOs approach insider threat detection today?

Inglis advises that detection must go beyond technology. “You can’t just rely on logs and alerts,” he says. “You need a cultural layer—what I call enculturation.” He recommends that CISOs invest in behavioral analytics that track anomalous actions, but also foster an environment where employees feel comfortable reporting concerns. His key lesson from Snowden: the biggest red flags are often subtle—like accessing databases unrelated to one’s role, or downloading large volumes of data at odd hours. Inglis also stresses the importance of zero-trust architecture, where no user is automatically trusted, and all access is continuously verified. “If we had that in place, Snowden’s activities would have been blocked or at least alarmed much sooner,” he adds.
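As an added illustration (not part of the interview or the original article), the two red flags named above, access to databases unrelated to one's role and large downloads at odd hours, can be checked against access logs as follows. The log format, role-to-database map, business hours and 10x threshold are all assumptions, and the log lines are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log (not real data): time, user, role, database, bytes
SAMPLE_LOG = """\
2026-04-20T09:15:00,alice,hr_analyst,hr_records,120000
2026-04-20T14:02:00,alice,hr_analyst,hr_records,95000
2026-04-21T10:30:00,alice,hr_analyst,hr_records,110000
2026-04-20T11:00:00,bob,sysadmin,config_db,40000
2026-04-21T15:45:00,bob,sysadmin,config_db,52000
2026-04-22T13:10:00,bob,sysadmin,hr_records,30000
2026-04-23T02:40:00,bob,sysadmin,config_db,9000000
2026-04-23T03:05:00,alice,hr_analyst,hr_records,100000
"""

# Hypothetical role-to-database entitlements; a real deployment would pull these from IAM.
ROLE_DATABASES = {"hr_analyst": {"hr_records"}, "sysadmin": {"config_db"}}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time, an assumed policy
VOLUME_FACTOR = 10              # alert when a transfer exceeds 10x the user's median

def parse(log_text):
    fields = ["time", "user", "role", "database", "bytes"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        row["time"] = datetime.fromisoformat(row["time"])
        row["bytes"] = int(row["bytes"])
        yield row

def detect(log_text):
    events = list(parse(log_text))
    # Baseline: each user's median transfer size during business hours.
    sizes = defaultdict(list)
    for e in events:
        if e["time"].hour in BUSINESS_HOURS:
            sizes[e["user"]].append(e["bytes"])
    baseline = {u: median(v) for u, v in sizes.items()}
    alerts = []
    for e in events:
        if e["database"] not in ROLE_DATABASES.get(e["role"], set()):
            alerts.append((e["user"], "out_of_role_access", e["database"]))
        off_hours = e["time"].hour not in BUSINESS_HOURS
        base = baseline.get(e["user"])
        if off_hours and base and e["bytes"] > VOLUME_FACTOR * base:
            alerts.append((e["user"], "off_hours_bulk_download", e["database"]))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

The off-hours read by `alice` stays below her own baseline and raises nothing, which is the point of comparing each user against their own history rather than a global threshold.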

What role did media disclosures play in the controversy?

Inglis acknowledges that the NSA initially mishandled media inquiries, often remaining silent or providing defensive statements. He believes a more proactive media strategy—sharing declassified details of legitimate programs—could have reduced the impact of Snowden’s leaks. “When the media smelled a scandal, we gave them silence, which they filled with speculation,” he says. His advice for CISOs today: establish a clear, pre-approved process for handling sensitive disclosures. Have a designated spokesperson trained to balance transparency with operational security. He also warns against “shooting the messenger”—instead, treat journalists as part of the ecosystem where trust must be earned. “You can’t control the narrative if you’re not part of the conversation,” he notes.

Can you explain “enculturation” and why it matters for security programs?

“Enculturation” is a term Inglis uses to describe the process of embedding security values and awareness into an organization’s daily culture—not as a one-time training, but as a continuous, lived experience. It means teaching employees not just what the rules are, but why they exist and how they protect both the organization and the individual. Inglis contrasts this with mere “compliance,” which he says breeds resentment and workarounds. “When people understand the mission and their role in it, they become guardians, not just gatekeepers,” he explains. For CISOs, enculturation includes open channels for reporting concerns without fear, regular storytelling about real-world incidents, and leadership that visibly prioritizes security. He believes that if the NSA had stronger enculturation, Snowden might have raised his concerns internally instead of leaking secrets.

How has your perspective on security and privacy evolved over 13 years?

Inglis says his biggest shift is from a “security at all costs” mindset to one that balances security, privacy, and civil liberties. He now argues that surveillance programs must have clear legal frameworks and independent oversight to maintain public trust. “Snowden forced us to realize that security without legitimacy is unsustainable,” he reflects. He also acknowledges that the cat-and-mouse game with adversaries has become more complex, with state-sponsored actors using stolen data for influence operations. His key takeaway for CISOs: never assume that past success guarantees future safety. He recommends periodic red-team exercises and external audits to challenge assumptions. “The best defense is a culture that questions itself continuously,” he concludes.

What specific advice do you have for CISOs rebuilding trust after a breach?

Inglis offers three concrete steps. First, own the mistake immediately—delay erodes trust faster than the breach itself. Second, communicate a clear, transparent timeline of what happened, what data was affected, and what steps are being taken. Third, involve employees in the recovery process, not just as a PR move, but as genuine partners. “The people closest to the problem often have the best solutions,” he says. He also warns against overpromising: “Don’t say ‘this will never happen again.’ Instead say ‘here’s how we’re making it harder for it to happen again.’” Finally, he recommends establishing a permanent oversight committee that includes members from legal, HR, and even line staff to review security policies regularly. “Trust is rebuilt one honest conversation at a time,” he adds.