Edward Snowden. NPR calls him "a geek." At Axis we call him an "unexpected insider threat that could have been avoided." The industry spends a lot of time talking about breaches and threats in general, and included on most lists of top dangers are "insider threats." But what you don't hear much about is what happens when a third-party contractor has access to sensitive information that they really don't need in order to do their job, until now.

The leaked NSA records scandal is probably the most black-and-white "access appropriate to role" example we've seen in a very long time:

Edward Snowden, the 29-year-old former CIA technical assistant who has stepped forward to say he's the source of explosive leaks about government surveillance programs, was among "thousands upon thousands" of such analysts hired to manage and sift through "huge amounts of data." ...

The Guardian on Monday shared more about the young man who it says was behind last week's leaks concerning National Security Agency programs that sweep up data on phone calls and Internet activity. It paints a portrait of a mediocre student with a GED degree who joined the Army in 2003, but was discharged after breaking his legs in a training accident. Snowden says he later wound up working with the CIA and then a contractor because he's skilled at computer programming. According to the Guardian, "by 2007, the CIA stationed him with diplomatic cover in Geneva, Switzerland. His responsibility for maintaining computer network security meant he had clearance to access a wide array of classified documents."

Interestingly, we are currently at the Gartner Security Summit and we just announced the availability of DMsuite Strategic Services at the show. Part of our consulting services includes helping companies set access-appropriate-to-role policies. The reality is, the NSA leaks could have been entirely avoided.
For the work the contractors were hired to do, there was no reason for them to have access to the sensitive information that was exposed. Whether or not you agree with what Snowden allegedly did, the one point everyone should take from this is that a healthy data security strategy should absolutely include managing private data access.