LESSONS
LEARNED FROM THE OPM DATA BREACH
July
16, 2015
Information
security is a lot like an umbrella; the need is not apparent until it
starts pouring. As malicious Internet activity increasingly
threatens organizations all over the world, it is becoming more
necessary that business leaders alter their perception of what an
effective information security program should be. The most recent
data breach of the Office of Personnel Management (OPM), which
exposed sensitive data of over 20 million people, clearly highlights
valuable lessons in information security that we cannot afford to
ignore.
Don't
ignore the signs
“This
has been going on for years, and it's inexcusable.”
-Rep.
Jason Chaffetz, Chairman, House Oversight & Government Reform
Committee
The
Inspector General (IG) for OPM is responsible for annually reviewing
the agency's compliance with Federal Information Security Management
Act (FISMA) standards. The House Oversight Hearing on the OPM Data
Breach detailed many of the findings made by the Inspector General in
recent years:
- FY 2007, the IG rated OPM's data security as “a material weakness” due to a lack of IT policies and procedures to safeguard information
- FY 2009, the IG expanded “material weakness” to include overall agency information security governance programs, which incorporated the information management structure, all resulting from a lack of necessary leadership, policy and guidance
- FY 2010, the IG states “we continue to find the [OPM] information security program insufficient”
- FY 2011, the IG again states “we continue to believe the information security governance represents a material weakness of the IT security program”
- FY 2012, the IG reported that the Office of the Chief Information Officer (CIO) “continued to operate with a decentralized structure that did not have the authority or resources available to adequately implement new policies”, and highlighted “numerous information security incidents”
- FY 2013, the IG finds that “OPM's decentralized governance structure continues to result in many instances of non-compliance with FISMA requirements”
- FY 2014, the IG reports that “11 major OPM information systems are operating without valid authorization. This represents a material weakness in the internal control structure of OPM's IT security program”
The
Inspector General's reports further elaborate upon the gross
negligence responsible for the data breach earlier this year, even
after eight years of scathing reports. This is a prime example of
how ignoring the signs can have devastating consequences, especially
when lack of leadership and guidance are principally responsible.
Be
proactive,
not reactive
Following
the OPM data breach, the White House announced a 30-day initiative
that they're calling a “cybersecurity sprint”, which is designed
to address the most critical vulnerabilities across the Federal
government's agencies.[1]
Gregory
Wilshusen, Director of Information Security Issues at the U.S.
Government Accountability Office, responded discordantly to the White
House's effort by saying, “It's
not a sprint -- it's a marathon." He further stated that there
needs to be a fundamental shift in daily operations that places more
emphasis on security, to include the continuous monitoring and
assessment of controls.[1]
A
truly effective security program is not merely reactive, but instead
attempts to detect and prevent threats before they can exploit
vulnerabilities. Companies should invest in their security programs
as early as possible so that they have time to grow and mature along
with business needs and capabilities. This requires leaders to find
the right people, develop the right processes, policies and
procedures, and to implement the appropriate technology before
a devastating attack occurs.
There
is no single point of failure
Katherine
Archuleta, Director of OPM, resigned on Friday, July 10 as a result
of the attacks that took place between March and April 2015. Her
resignation was called for by many high-ranking government officials,
to include President Obama.[2]
“I
don't think we can expect that a change of a single person can be a
satisfactory answer to the problems at OPM”, said Representative
Adam Schiff of California, who serves on the House Intelligence
Committee, in response to Ms. Archuleta's resignation. He continued,
“...if there's a problem at one agency, there's likely a problem at
other agencies.”[2]
There
tends to be an attitude that a single point of failure is to blame
for information security incidents. While the OPM breach resulted in
the departure of the Director position, this single point of failure
is typically manifested in organizations by the Chief Information
Security Officer (CISO), whose average tenure will not last longer
than 2.1 years according to the Ponemon Institute. This is because
the most immediate reaction for most companies to a security incident
is a 'changing in the guard'.[3]
Along
with this change of the guard comes unrealistic expectations.
Security programs take time to implement and mature, but business
leaders too often expect more immediate results. This contributes to
a growing sales market of first-year CIOs and CISOs. For the former,
the top 25% spend over $1 million in their first year on the job.[3]
We
often say at SDGblue that 'strong personnel can compensate for weak
technology, but strong technology cannot compensate for weak
personnel'. Spending $1 million every two years on new hardware,
software and services will not necessarily solve a company's IT
needs, but investing in a strong team and providing them the
resources necessary to properly secure an IT infrastructure will pay
dividends in the long run.
[1]
Corbin, Kenneth. How
OPM data breach could have been prevented.
CIO. July 13, 2015.
http://www.cio.com/article/2947453/data-breach/how-opm-data-breach-could-have-been-prevented.html
[2]
Davis, Julie Hirschfeld. Katherine
Archuleta, Director of Personnel Agency, Resigns.
New York Times. July 10, 2015.
http://www.nytimes.com/2015/07/11/us/katherine-archuleta-director-of-office-of-personnel-management-resigns.html?emc=edit_na_20150710&nlid=66044131&ref=cta&_r=0
[3]
Schuck, Henry. High
CIO and CISO Turnover: What it Means for IT Sales.
DiscoverOrg. Feb. 5, 2015.
https://discoverorg.com/blog/high-cio-and-ciso-turnover-what-it-means-for-it-sales/
