July 10, 2015 by Jeffrey Neal (c) Washington Post

Jeffrey Neal is the former personnel chief at the Department of Homeland Security and is now a senior vice president for ICF International. In his career in the federal government, he also served as Director of Human Resources for the Defense Logistics Agency. He writes about management and human capital issues in the federal government on his blog, ChiefHRO.com. Neal is contributing his thoughts to the Federal Eye today on the massive hacks of federal employee data.

The Culture of Cyber Insecurity

Data breaches at the Office of Personnel Management, Target, Sony and others have gotten everyone’s attention on the issue of cybersecurity and the challenge of securing personally identifiable information. Agencies are reviewing systems; the White House, Defense Department, OPM, the FBI and others are investigating the OPM breach; and Congress is holding hearings. There will be requests for money for better technology, and agency leaders are making promises about securing employee data. All good. Right?

Not necessarily. The OPM breach exemplifies the cultural problem that besets the cybersecurity of the government and the private sector – the failure to recognize that cybersecurity is a challenge that must be owned by the entire enterprise. Everyone – CIO, CISO, CFO, COO, communications, human resources – must be part of the plans and programs necessary for effective cybersecurity. It is a massive technology challenge that requires the best tools and talent. I am not a technologist, so I will leave the technical aspects of the issue to my ICF colleague, Sam Visner. His paper on Whole of Enterprise Cybersecurity Planning and Recovery is a great read, and it makes the point – effective cybersecurity requires programs that are end-to-end (from plans through incident response) and involve the entirety of an enterprise.

At the same time that we are using the best available security tools, we must also address the culture issues that contribute to vulnerabilities, or the technology cannot protect us. This culture reduces cybersecurity to “merely” a technical challenge. Let’s take a look at a few examples:

Shut it down! Oh … Not so fast.

When a system that manages and processes sensitive data has glaring security deficiencies, the first reaction may be to shut it down until the problems can be fixed. OPM’s inspector general made just such a recommendation – “We recommend that the OPM Director consider shutting down information systems that do not have a current and valid Authorization.” – in his November 2014 Federal Information Security Management Act Audit. The threat of shutting down a system is one way to protect vital data and force program managers to address security issues. So what happened when OPM temporarily shut down the e-QIP system because of security flaws? There was an immediate response from Sens. Mark R. Warner (D-Va.) and Timothy M. Kaine (D-Va.), who were legitimately concerned about the effect of the shutdown on security clearance processing. There was also a letter from the Professional Services Council, writing on behalf of the contractor community, asking OPM to clarify how it would mitigate the effects of its decision. Both OPM’s decision to temporarily shut down the system and the questions about the impact of that decision were equally sound. OPM would be criticized no matter which decision it made. Shutting down critical systems is an extreme risk mitigation action that is not always practical. It can indicate a flawed tool, sloppy development or inadequate program management that allowed a product to get to the point where it needed to be shut down.

To read the rest of the article, follow: http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/10/this-is-why-the-government-keeps-getting-hacked/?wpisrc=nl_headlines&wpmm=1

InCyber Comments:

The InCyber PAS Pro-Active and Predicting System has been proven 100% effective against Insider Threats. For additional information write to: info@incyber.co. We are now offering a Free Insider Penetration Test for up to 500 Employees using your own historical data.