Chris Inglis on Insider Threats, Snowden, and the Power of Behavioral Analytics

When most people picture a cybersecurity discussion, the British Museum probably doesn’t come to mind. Yet, on a recent Tuesday, the historic venue hosted a press roundtable featuring Chris Inglis, former deputy director of the National Security Agency (NSA), alongside representatives from Securonix, a security intelligence platform provider. The topic? The ever-evolving landscape of insider threats—a challenge that continues to plague organizations worldwide.

Inglis, drawing on decades of experience at the NSA and reflecting on the fallout from the Edward Snowden revelations, offered a rare glimpse into how behavioral analytics can help detect and mitigate these risks. His message was clear: traditional security measures are no longer enough.

The Growing Danger of Insider Threats

According to Inglis, the digital age has amplified the potential damage any single insider can cause. “People in possession of computers and network systems today have an opportunity to cause much greater harm in a much faster period of time than they once did,” he said. This shift demands a new approach—one that moves beyond simple vetting and trust.

He argued that organizations can no longer rely solely on perimeter defenses or periodic checkpoints. Instead, they must adopt a real-time understanding of what users are doing with sensitive data. “You have to have some understanding of what’s happening to the data now, in real time,” Inglis emphasized. “That means you have to have data about data—and analytics that can make sense of it.”

Building on this, he stressed that the goal isn’t just to react or track behavior after the fact. “The goal isn’t to react well, or even to track well, it’s to anticipate; to see these things coming and step in before the disaster occurs.”

Behavioral Analytics: The Key to Early Detection

So, how can organizations spot an insider threat before it’s too late? Inglis pointed to detailed user analytics as the linchpin. By monitoring patterns—such as unusual data access, off-hours logins, or excessive downloads—companies can identify anomalies that signal malicious intent or accidental risk.

However, this raises an uncomfortable question: When we start collecting data on employee behavior, are we crossing ethical boundaries? Inglis didn’t shy away from this. “They absolutely do,” he replied when asked if companies have an obligation to be transparent. “You can’t incur on their sense or expectation of privacy without justifying that and having a full conversation about that.”

He noted that the hardest conversation isn’t with the potential “Edward Snowdens” of the world—it’s with the 99.99% of employees who are trustworthy. “The internal population, as much as the external population, has a right to know that they are applying their time and talent to something that is properly controlled.”

Striking a Balance Between Security and Privacy

This brings us to a central tension in modern cybersecurity: how do you protect sensitive data without alienating your workforce? Inglis advocates for raising the ethical threshold. “Let’s really get at the things that are security relevant, because we are imposing on the privacy of individuals, most of whom are simply trying to make a positive difference.”

He warned against treating all employees as potential threats. “In our pursuit of the 1%, or the one in a million in Snowden’s case, we can’t abuse the 99%. We have to keep both entities in mind.” This means designing monitoring programs that encourage inspired work rather than squeezing it out.

Distinguishing Malicious Insiders from Accidental Risks

Another critical issue Inglis addressed is the difference between a malicious insider—someone who intentionally causes harm—and a user who poses a risk simply because they don’t know any better. “Well, not enough, clearly,” he argued when asked if companies fully understand this distinction. “Are they starting to get it? Yes—they are increasingly getting it.”

This distinction matters because the response differs. A malicious actor may require termination or legal action, while an accidental risk might benefit from training or policy changes. By leveraging behavioral analytics, organizations can tailor their responses and avoid unnecessary friction with well-meaning employees.

Lessons from the Snowden Case

The Snowden revelations remain a watershed moment for insider threat management. Inglis, who was at the NSA during that period, noted that the case highlighted systemic failures in monitoring and trust. Snowden was a privileged user with access to vast amounts of classified data—and he exploited that trust for years before detection.

Inglis’s takeaway? Organizations must continuously verify trust, not just grant it once. “You can no longer simply defend perimeters or checkpoints and assume that any mischief inside will be caught at the margins.” Real-time analytics, combined with transparent policies, offer a path forward.

For more insights on managing insider risks, check out our guide on insider threat prevention strategies and learn how to implement effective behavioral analytics tools in your organization.

Conclusion: A Call for Ethical Vigilance

As cybersecurity threats evolve, so must our defenses. Chris Inglis’s roundtable discussion underscores the importance of using insider threats as a lens to rethink security—not just as a technical challenge, but as an ethical one. By combining robust analytics with respect for employee privacy, companies can protect their data without sacrificing trust.

Ultimately, the goal is not to catch every bad actor after the fact, but to create an environment where threats are anticipated and neutralized—while the 99% continue to do their best work.

Why Organizations Should Aim for a Risk-Adverse Culture, Not Just Compliance

For many organizations, security training boils down to a checkbox exercise: prove that every employee completed the mandatory awareness course. However, according to John Curran, principal consultant at FTR Solutions and co-founder of Intrinsic Aware, this approach misses the mark entirely. Instead, companies should focus on cultivating a risk-adverse culture — one where security is embedded in everyday behavior, not just a one-time lesson.

Curran argues that a risk-adverse culture goes beyond policies and procedures. It requires shifting away from a blame-oriented mindset, where employees fear reporting mistakes, toward an environment that encourages open dialogue about security incidents. “Unfortunately, many organizations have created a blame culture, and an environment where people don’t think of the information security function as good people to talk to when something bad happens,” Curran explained during a recent presentation.

The Pitfalls of a Blame Culture in Cybersecurity

When employees are afraid to speak up, the entire security posture suffers. A blame culture discourages incident reporting, leaving vulnerabilities unaddressed. Statistics show that nearly half of all security breaches stem from human error — including phishing attacks and lost USB drives. Yet, despite this reality, organizations invest only 3-5% of their security budgets in awareness and training. This underinvestment, Curran says, is a critical oversight.

Building on this, he emphasizes that having policies in place is not the same as engaging staff. “All too often, organizations make the mistake of thinking that simply having policies and procedures in place for user awareness is sufficient. This is not the same thing as engaging your staff and ensuring they understand the company’s security needs.”

How to Foster a Risk-Adverse Culture Through Training

Creating a risk-adverse culture requires more than just annual training sessions. Curran outlines several goals for effective security awareness programs:

• Employees should clearly understand what is expected of them.
• They must learn appropriate skills and behaviors for different situations.
• Ultimately, staff should feel willing and able to discuss or report suspected incidents. “Having a culture in which people are open to the discussion of risk and that they feel safe and able to report incidents is core,” Curran notes.

To achieve these goals, organizations need to move beyond passive learning. Curran advises using interactive methods such as testing, immediate feedback, and personalized learning pathways. For example, creating security learning pathways tailored to different roles can help employees retain information better. Additionally, providing rationale at the end of training modules reinforces why security matters.

Practical Tips for Engaging Security Training

Curran offers several actionable strategies for designing awareness courses that stick:

• Be careful with branding when creating training materials — keep them professional yet relatable.
• Create learning security pathways that guide employees through progressive topics.
• Offer immediate feedback during the test process to reinforce correct answers.
• Provide rationale at the end of each module to explain the “why” behind security rules.
• Trace performance, progress, and levels of engagement to identify areas for improvement.

He also references the Chimp Paradox Theory to explain why changing behavior is difficult. “Our goal in the awareness process is to keep the monkey quiet while we are talking to the human and push as much of that into the computer as possible,” Curran said. In other words, training should aim to automate good security habits so they become second nature.

The Role of Incident Reporting in a Risk-Adverse Culture

One of the most critical components of a risk-adverse culture is encouraging incident reporting. When employees feel safe admitting mistakes, organizations can respond faster and prevent larger breaches. Curran stresses that a blame-free environment is essential for stakeholder engagement. “People shouldn’t be afraid of reporting incidents,” he says. “It’s not conducive to stakeholder engagement.”

To build this trust, companies should celebrate reporting rather than punishing errors. For more insights on creating a positive security culture, check out our guide on building a security-first workplace.

Conclusion: Moving Beyond Compliance

In summary, organizations must shift their focus from mere compliance to cultivating a risk-adverse culture. This means investing in ongoing, engaging training that empowers employees to act as the first line of defense. By addressing the root causes of human error and fostering open communication, companies can significantly reduce their risk exposure. As Curran aptly puts it, “Having a culture in which people are open to the discussion of risk and that they feel safe and able to report incidents is core.”

Ready to transform your security awareness program? Explore our best practices for security awareness training to get started.

Combined Mitigation for Cyber and Physical Attacks: Lessons from a Security Veteran

In today’s interconnected world, the line between digital and physical threats has blurred. Security professionals now face a daunting challenge: how to defend against combined mitigation strategies that target both realms simultaneously. At the (ISC)² Congress EMEA in Dublin, Barrie Millett, a seasoned expert with military and corporate resilience experience, shared invaluable insights on this pressing issue.

Why Combined Mitigation Matters for Modern Security

Millett, who has advised boards at E.ON and General Electric, now leads Cyber Rescue Alliance, focusing on critical national infrastructures. His core message is clear: organizations cannot treat cyber and physical security as separate entities. “You can’t be effective in silos,” he emphasized, stressing the need for a unified team approach.

This perspective is rooted in his physical security background. The same principles—constant testing, imaginative threat modeling, and cross-team collaboration—apply equally to cybersecurity. By adopting a combined mitigation framework, businesses can better anticipate and respond to hybrid attacks that exploit both digital vulnerabilities and physical weaknesses.

Learning from the Physical World to Strengthen Cyber Defense

Millett drew a direct parallel between natural disaster preparedness and cyber incident response. He cited Hurricane Sandy as a prime example of effective combined mitigation: teams worked together, moved people out of harm’s way, and tested their plans relentlessly. “Awful lessons will always be learned along the way,” he noted, “but the best possible chance for success is by working together.”

The Power of Testing and Imagination

One of Millett’s key recommendations is to “always think the unthinkable.” Security leaders must imagine how threats can morph and evolve. He warned that many CEOs are shocked to discover their networks have been compromised, often because they lack a clear understanding of what’s critical, what’s outsourced, and how to access vital information during a crisis.

To address this, Millett advocates for rigorous testing of all security plans. “Test, test, and test,” he insisted, noting that incomplete planning severely limits response capabilities and drives up costs. This approach ensures that combined mitigation strategies are not just theoretical but actionable under pressure.

The Convergence of State Actors, Criminals, and Terrorists

Perhaps Millett’s most alarming observation was the potential for threat actors to merge their methodologies. “My biggest concern is when the methodologies used by state actors and criminals morph into terrorist organizations,” he said. This convergence means that fiction is now reality—yet many organizations continue to ignore the signs.

He urged security teams to work closely with law enforcement, speak their language, and understand their command structures. By bridging the gap between private and public sectors, organizations can create a unified front against sophisticated adversaries. This collaborative spirit is essential for effective combined mitigation of cyber and physical attacks.

Building a Resilient Organization from the Ground Up

Millett emphasized that resilience is not a one-time project but an ongoing process. Leaders must engage their teams as individuals, understand their challenges, and empower them to contribute. “Our people are bright, and we don’t utilize their capabilities enough,” he remarked.

He also stressed the importance of connecting government and industry thinking, resources, and activities. “The physical and cyber worlds are connected—that’s a reality,” he concluded. “The price of failing to connect them is too great.” By embracing a holistic approach to security, organizations can not only survive but thrive in an increasingly volatile threat landscape.

For more insights on building security resilience, explore our guide on cyber-physical security strategies. Additionally, learn how to protect critical infrastructure from emerging threats.