The Most Complex of Security Risks
The case of the compromise of a video to Wikileaks and unconfirmed claims of compromised U.S. State Department cables by an Army Intelligence analyst stationed in Iraq from classified government networks has been widely reported and commented upon, highlighting numerous security, ethical, moral, and legal lapses. There is no doubt that the military and government organizations involved have been conducting similar, less public reviews and official investigations are continuing. As a case study for security risks, this incident could easily generate a laundry list of issues to be examined as well as an equally long list of lessons learned. Although many of the details may never be fully disclosed due to the sensitivity of national security, many of the issues are fairly obvious and well known to security professionals and have been highlighted in numerous case studies. Similarly, most of the issues should have been addressed in policies, procedures, and controls in most business and government environments. The elephant in the room that many would prefer not to discuss and that is often overshadowed by discussion of technologies and policies are the people: the most complex of security risks.
What this case boils down to is a trusted insider going rogue. Most security professionals will gladly shy away from this discussion because it can be an extremely complex and difficult risk to assess and control, often taking a rapid nose dive into circular debates and proverbial conundrums. Again, the obvious background and security checks, training and testing, performance reviews, compartmentalization, and oversight are not the point; experienced security professionals realize that while these measures will detect most actual and potential risks, an individual can still betray the trust given to them for a host of various motivations.
Yet, we likely find ourselves in positions where we must trust our employees with sensitive information and access. So what can we do? The short answer is that the most complex security risk: the people, can be mitigated by the most complex of safeguards: the people.
Endless studies that have been published on this topic are often ignored or pushed aside for more pressing issues. I do not suggest a Gestapo-like environment. Instead, I suggest that by creating an environment and organization that is open, that knows each others’ duties and responsibilities, develops trusted relationships based on time and experiences, is encouraged to communicate professionally and personally, and has a clear and open channel for escalating concerns provides not only a better business environment, but one that is inherently more secure. Such an organization will quickly establish often unique ‘norms’, a personality and culture that when disrupted internally by one of the individuals or by an outside factor will stick out like a flashing red light and siren to anyone paying attention. Likewise, individuals in this type of environment will be paying attention. It is the restricted, impersonal and disconnected people and environments that are breeding grounds for discontent and betrayal.
When reviewing this and similar cases, in addition to the more obvious technology and policy failures, put the failure of the people on your list to assess and apply lessons learned.