December 2, 2016
We have just lived through one of the most bruising and exceptional election campaigns in my experience and perhaps the entire history of the United States. Regardless of where you stand politically, one thing stands clear: We witnessed a stark example of what happens when we ignore cyber health, information security and, especially, insider threats.
The October surprise
The 2016 presidential election “October Surprise” came from poor awareness of cybersecurity and insider threat issues.
I don’t have all of the facts; none of us except the FBI do,and we have to take at face value the FBI’s decision that Secretary Hillary Clinton did not commit a felony. Who could have anticipated, however, that confidential emails put out for public display could cause such a media and public opinion storm? We have reached the point where an honest-to-goodness case of an insider threat — whether it was intentional, unintended or blown out of proportion — affected the election of the leader of the free world.
What does it all mean? I’m starting to believe that our political leaders believe they live in a different world, a pre-digital world that simply no longer exists.
Over the past year, I have written about insider threats from many different perspectives. I’ve discussed how public- and private-sector leaders are constantly asking: “Why?” Why should we spend time and resources to put in place a counter insider threat program? The usual arguments include “it’s too complicated,” “it’s an unfunded mandate” or “there’s not enough justification for it.”
To me, however, the most significant objection business leaders raise is that of importance. Too many people feel insider threats are not important enough to expend the resources or energy necessary to build a proper counter-insider threat program.
Is there enough evidence now?
This election cycle was more than enough proof for any rational mind that we live in a digital world with real threats. Whether or not you agree with the FBI’s decision, the situation is clear: We must wake up and face a new day that, if we’re being quite honest, actually dawned several years ago.
Recall that an insider is a threat can be either witting or unwitting. In the absence of a good counter-insider threat program, digital material can show up anywhere after it leaves its creator’s control. By creating any system without proper controls and not following the basic principles of countering insider threats, you and the critical value data you control are vulnerable.
Welcome to Oz
Frank L. Baum created a wonderful story about Dorothy and her dog Toto in “The Wonderful Wizard of Oz.” You all know the story: A cyclone transports Dorothy and Toto to a different world and they attempt to return to their home in Kansas.
Spoiler alert: The whole story turns out to be Dorothy’s dream after being knocked unconscious during a tornado, but to her, the journey was real, as were the lessons she learned along the way.
Today’s leaders tend to discount the warnings, the dramatic events, the embarrassment and the financial issues raised by continually ignoring or side-stepping the difficulties of creating counter-insider threat programs. They continue to believe that yesterday’s security measures will be sufficient in the digital world. Sometimes, leaders don’t take action until something severe happens to themselves or their organization. I am beginning to think that most leaders are out of their depth and uncomfortable with the threats they currently face.
There are significant risks associated with poor cyber health and counter-insider threat practices. Those who ignore this do so at their own peril. As Dorothy succinctly explained it: “Toto, I’ve a feeling we’re not in Kansas anymore.”
“Wake up, Dorothy”
Government, commercial and political leaders all must wake up to the digital age. To ignore the threats is to put yourselves, your organizations and your political lives in jeopardy.
This election cycle has pointed out that many leaders are out of their depth in the digital world; they ignore or refuse to accept vulnerabilities and obvious threats. To those leaders, I urge you: Look around, wake up and grasp that we are no longer in the quiet and comfortable pre-digital era. Understand that the landscape of cybersecurity and insider threats is permanently altered. Ignoring these threats and forgetting the glaring example we all just witnessed will affect many areas within our control, up to and including our national elections.
Above all else, don’t wake up in a dream state and say: “Toto, I’ve a feeling we’re not in Kansas anymore.” Like Kansas, the information threats that threaten to overwhelm us are very real.