How the Snowden Effect Is Paralyzing CIOs

Whether you describe Edward Snowden as a hero or a criminal, there's no denying the impact that this self-described computer wizard is having on IT leaders. After all, if even the NSA can fall victim to a tech-savvy millennial, how can they defend their data?

In the aftermath of the great data heist by Edward Snowden, the now-infamous computer specialist who stole top secret information from the National Security Agency and leaked it to The Guardian earlier this summer, CIOs are feeling a little helpless.

"People are saying that if it happens to the NSA, which must have incredible tools to prevent people from leaking data yet still leaks on a grand scale, we better be really careful," says Jeff Rubin, vice president of strategy and business development at Beachhead, a mobile security company.

There's little doubt CIOs are reeling from the Snowden effect.

A New Breed of Rogue Employee Roams the Network

Snowden represents a new kind of rogue employee or contractor: a tech-savvy millennial armed with personal computers who can spirit away highly sensitive data. CIOs will have to deal with this threat sooner rather than later. The old thinking of relying on encryption to safeguard data just won't suffice in today's corporate computing environment.

The 29-year-old Snowden hatched a plan to swipe data from arguably one of the safest organizations on the planet. His age is significant because he's symbolic of today's millennial, a 20-something tech worker flooding corporations across the country. Millennials will make up the largest segment of the workforce by 2015, according to the U.S. Bureau of Labor Statistics.

Two-thirds of millennials assess their technology acumen as "cutting edge" or "upper tier," according to CompTIA. Snowden, who once described himself as a "computer wizard," not only gained access to sensitive data, he communicated with the media using encrypted email under the codename Verax.

For CIOs, the warning is clear: Your next rogue employee may be good at finding ways around your best-laid security plans.

Social Engineering and Tech Savvy a Dangerous Combo

While there's no questioning Snowden's technical chops (after all, he worked at contractor Booz Allen Hamilton as a computer specialist), Rubin doubts Snowden relied on technical skills alone to do what he did. Rather, Rubin believes Snowden employed social engineering tactics to gain access to computers and download data to thumb drives and, eventually, his personally owned computers.

"My guess is he went to NSA employees, said [he was there] to work on their computers and needed access to them, and gained their trust," Rubin says. "He may have even gone as far as telling them, 'You may get a notice on your screen that there's some sort of intrusion, but that's just me so don't be alarmed.'"

The idea that Snowden probably used his personal computers and thumb drives should also be alarming to CIOs, especially in the age of BYOD, says Rubin. With BYOD, mobility and cloud storage services such as Dropbox now common, the chances of corporate data leaking out are higher than ever.

In fact, one of Beachhead's customers recently reversed its BYOD policy because of the security risks. If an employee now wants an iPad, for instance, the company will buy and manage it instead of allowing the iPad to be a part of a BYOD program. "They're saying, 'We don't feel we have our act together to really allow this,'" Rubin says.

Encryption Is Not Enough

Another lesson CIOs can learn from Snowden is the need for multi-layer security, or automatic triggers for wiping data. Many companies rely on encryption to keep their data safe, yet once a rogue employee gains the password, encryption is worthless.

Rubin says the Snowden case highlights the need for triggers that eliminate data beyond a geo-fence or after a certain number of incorrect logins or amount of time.

Also, companies might want to look into multi-factor authentication and data access controls to prevent rogue workers like Snowden from seeing data in the first place, Rubin says.

Given Snowden's ability to steal from the NSA, coupled with the rise of both the tech-savvy millennial and BYOD, CIOs are sensing a loss of control over corporate data.

"It's happening too fast," says Rubin. "I think companies are a little paralyzed."

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for Follow Tom on Twitter @kaneshige. Follow everything from on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at
