On Feb. 7, 1993, I was serving on the security detail of then-Director of Central Intelligence nominee James Woolsey. In response to a question in his confirmation hearing related to the perceived demise of the Soviet Union, Director Woolsey answered: “We have slain the dragon, but we live now in a jungle filled with a bewildering variety of poisonous snakes.”
What I thought was an interesting comment in 1993 became the challenge of my daily life as Deputy Director and Director of Security at the CIA from 2016 to 2020. The problem today for both government and industry is that the snakes have multiplied, and the dragons have returned with a vengeance. With the recent uptick in ransomware attacks, companies will look to invest more in cybersecurity tools and proper updating and maintenance of information systems. However, organizations should not lose sight of the larger picture.
The attack vectors for both nation-state and individual actors have multiplied and, for security experts in both the government and industry, the challenges often seem daunting. Time and time again, we have seen that adversaries will seek out the weakest part of any program to gain access to classified, sensitive or proprietary information. As such, organizations cannot afford to simply move existing security resources to address the problem du jour.
While daunting, these complex challenges can be mitigated through a sustained and comprehensive security approach. A security-first culture must start from the top; key to the success of any program is the support and backing of boards, CEOs and other members of the C-suite. At the same time, senior leadership must reinforce the commitment and responsibility to protect critical organizational assets across the entire workforce.
There is no doubt that a strong information security program is critical to any comprehensive security program, but in and of itself, information security does not constitute a comprehensive approach. Organizations should consider a balanced, thorough, multi-layered and appropriately resourced approach that includes:
- Personnel security vetting: While most organizations appropriately vet initial applicants, very few go back and check in with personnel over time. Adversaries are known to target employees when they are at a personal, financial or emotional low point – employees are human, after all.
- Employee assistance programs: Organizations invest a lot into their employees, and they rightfully expect a lot from their employees. However, employees are human and, through the course of their careers with any organization, they are going to experience the full range of the human experience, all the positives and all the negatives. When employees need assistance, organizations need to have the infrastructure in place, such as employee assistance programs, not only to help retain great talent, but also to help protect the organization from internal threats.
- Comprehensive physical security systems: Physical security systems not only play a critical role in keeping out unauthorized visitors, but also in understanding which authorized visitors are in a building and when. They can also be a critical force multiplier in limiting access to sensitive information to only those who need it.
- Information system and user access monitoring: Understanding who is on an information system and what they are doing on it is important for a strong insider threat program, as well as for broader aspects of security. This is particularly critical in an environment where business requirements demand global connectivity.
- Training and awareness: Personnel need to understand their role in the protection of critical organizational information — and not only when they are onboarded to a new organization, but throughout their tenures, through frequent reminders and annual training. Personnel need to continuously be reminded and educated that they remain a target to threat actors and be provided with resources and tools to maintain their awareness and diligence.
- Strong internal collaboration among senior leadership, security, HR and legal teams: It is critical that senior leads within an organization who may detect “blips” in the behavior or conduct of individual personnel be engaged in ongoing dialogue and collaboration with one another. The ability to meet, discuss and bring the collective data together in a manner that respects and maintains the privacy and civil liberties of employees is incredibly important.
- Emergency preparation and planning: Organizations need to understand that emergencies and crises are going to happen — whether it be a ransomware attack, a disgruntled employee who wants to do the organization reputational harm and/or gain financial benefit from providing access to critical information, a disgruntled employee turned active shooter, a natural disaster, etc. Tabletop exercises are no longer “exercises”; they are a critical opportunity for an organization to plan for the inevitable, understand senior leaders’ individual roles and identify gaps in preparation before the crisis happens.