This week the breach at the Office of Personnel Management raised questions of accountability in the public sector. IT experts wonder how such a large exfiltration of data was possible without detection. Bryan Sastokas, CIO of the City of Long Beach, shared a helpful list of security intelligence providers that rely on publicly available data feeds. That makes these tools excellent resources for government agencies working under a limited security budget.
To Improve Security, Governments Need Accurate, Timely Intelligence http://t.co/xWgeMTnx7b
— Bryan M. Sastokas (@bsastokas) July 11, 2015
Regardless of budget, the fact still stands that OPM had puzzlingly significant information security shortcomings. IT professionals, some of whom the breach affected, are outraged that the designated caretaker for the most sensitive personal information broke the public’s trust. Jonathan Reichental, CIO of the city of Palo Alto, shared an article on the overarching issues behind government security deficiencies. To start, the article points to the need for collective buy-in on security efforts. Another interesting point is the mention of the OPM’s decision not to shut down outdated information systems. The lack of multi-factor authentication on the OPM’s server was seen as one of the root causes of the breach, but the organization was stuck between a rock and a hard place on this front. The agency’s 2014 Information Security Audit recommended shutting down the system to protect sensitive data, but as soon as the OPM’s IT team complied with this request, they received immediate responses from multiple US senators and the Professional Services Council. This incident should resonate with CIOs at all organizations. Security is a constant push and pull between selectively enabling and prohibiting access to data; this is why we like the phrase “risk management.” In the OPM’s case, the operational need for access to data ultimately led to catastrophic compromise. IT can’t neglect the operational considerations that come with security, but it also cannot deprioritize security health checks indefinitely.
This is why the government keeps getting hacked http://t.co/6VkFxAOUrw
— Jonathan Reichental (@Reichental) July 13, 2015
This breach marks yet another failure on the part of outdated legacy systems. Eric Vanderburg of JurInnov shared an article quoting Amazon CTO Werner Vogels that should be mandatory reading for IT at the OPM and other organizations resisting cloud adoption. Vogels’ argument is that “you can actually move to the cloud to improve your security, compliance, and governance.” In many situations operations and security go hand in hand, and cloud computing offers unparalleled benefits in agility and innovation that ultimately extend to security. Rather than withhold migration to the cloud out of security concerns, companies should move full steam ahead and take advantage of the cutting-edge security features offered by leading cloud providers.
— Eric Vanderburg (@evanderburg) July 10, 2015
Enterprise-ready cloud services offer top-notch security features, but only in CIOs’ dreams do employees stick exclusively to the cloud applications provided by IT. In fact, employees are almost certainly using high-risk cloud applications regardless of organizational policies; in the average company employees collectively use 923 cloud services. Larry Larmeu of Hancock Bank is spot on in advocating for an enablement framework for shadow IT. Blocking cloud adoption on the business user level not only stifles innovation and collaboration, but can also push employees towards even higher risk services.
You have to create an enabling framework rather than a prohibiting policy when it comes to cloud and shadow IT.
— Larry (@LarryLarmeu) July 10, 2015
The OPM director’s resignation marked another departure of a top official in the wake of a data breach. Unfortunately, the industry still has progress to make in information security’s visibility. In a PwC report shared by Chris Curran, 87% of CEOs said they were worried cyberthreats could impact growth prospects, but 30% of respondents said no board committees or members are engaged in cyber risks. Despite the scale of recent attacks, companies have a ways to go in integrating information security with overall corporate risk management and governance.
— Chris Curran (@cbcurran) July 9, 2015