News
7/14/2015 07:06 AM
Thomas Claburn

14 Security Fails That Cost Executives Their Jobs

Katherine Archuleta, the director of the Office of Personnel Management, is the latest casualty of a data breach, but she's certainly not the only one. There's no job security when your job is security.

Katherine Archuleta, former director of the Office of Personnel Management, speaking at a United States Department of Agriculture event in 2014.
(Image: USDA photo by Todd Witham via Flickr under CC02 license)

You had one job: Secure the data. What happened?

Life as a CEO, CIO, or CTO is a bit more complex than that. Not every executive is directly responsible for IT security. Few have a deep understanding of it.

But in our networked world, IT security is the foundation of a successful business, and blame is shared when the floor collapses. Organizational leaders may prefer to focus on the big picture, but inattention to security has proven to be a poor career move.

Katherine Archuleta, the director of the US Office of Personnel Management, is the latest casualty of a data breach. She resigned on Friday following revelations that hackers had made off with the data of 21.5 million people who applied for government background checks. Her agency previously disclosed that the personal information of more than 4.2 million federal workers had been compromised.

In a May 2015 study, based on information from 350 companies, IBM and the Ponemon Institute found that the average total cost of a data breach increased to $3.79 million from $3.52 million last year. The average cost paid for each lost or stolen record with sensitive data rose as well, to $154, from $145 last year. That's a global average. In the US, the cost per capita reached $217.

By that measure, the theft of 25.7 million OPM records could cost almost $5.6 billion. If only those funds could be added to the $14 billion proposed for cybersecurity in FY2016. After all, the OPM breach could have serious, long-term implications for national security.

Monetary costs tell us nothing about the angst and inconvenience visited upon the victims of a breach, or the personal and professional toll paid by whoever accepts responsibility.

It's infuriating for data theft victims to be forced to worry about fraud and identity theft due to someone else's errors, ignorance, or incompetence. At the same time, it's difficult not to be a bit sympathetic to those called upon to maintain security using systems and people who are unavoidably flawed. Those who do the job well succeed, in part, because there's someone else out there doing the job less well, someone running an organization that's an easier target.

When you look at the list of companies that have been hacked in some way, it becomes apparent that even the most technically sophisticated organizations can be breached given a sufficiently well-funded, determined attacker. Speaking on 60 Minutes in 2014, FBI Director James Comey put it this way: "There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese, and those who don't know they've been hacked by the Chinese."

And Chinese hackers are not the only hackers in the world.

Given the vulnerability of IT systems, the first act of an incoming CEO, CIO, or CTO should be to write a resignation letter, apologizing for the "unforeseen" data breach that everyone feared was coming. Ideally, the letter's presence will serve as a reminder to prioritize security concerns.

With luck and diligence, the letter will never need to be tendered. But many executives have not been so fortunate or attentive. Here are a few who have stepped aside or been forced out following a breach. Maybe there's a lesson here, or maybe we're all just waiting for the other shoe to drop.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
emmet_b, User Rank: Apprentice
10/6/2015 | 1:37:27 PM
RE: 14 Security Fails
I was livid when I was contacted by the VA and informed I was one of those veterans whose data may have been compromised by this colossally halfwitted action by its employee. Just goes to show you that for all the research done to protect data, it cannot protect from a real world moronic activity by someone entrusted to protect that data. 
kstaron, User Rank: Ninja
7/28/2015 | 12:15:19 PM
Do what you can
Before a security fail, you want to make certain that you can honestly say "we did things right," and if possible "We did everything in our power to secure this data with the resources we were given." At the very least, if you can do that, the blame can be put more squarely on the budget given for such things and not on the IT people responsible for keeping things safe. All you can do is what you can, and try to mitigate any potential breach hazards.
RyanG690, User Rank: Apprentice
7/16/2015 | 2:26:05 PM
Sophistication won't protect you from dumb
There is little doubt at this point that, given access to enough resources and the will, any network can be hacked.

However, the breach you describe at the OPM that cost Katherine Archuleta her job, and this is also the case for most of the high-profile hacks we have seen in the headlines over the past 2 years specifically, resulted from nonexistent or insufficient management of privileged user and privileged service accounts.

Giving root access to government databases to a third-party provider in a foreign country... that's just dumb.

It's akin to building a castle with huge walls, a moat, and even adding some boiling oil, all the "sophistication" in the world... but failing to raise the drawbridge before a battle.

Are you really surprised when it gets ransacked? Seriously? 

A simple, least-privileged approach or using role-based access controls to manage privileged users and privileged accounts would have prevented this "type" of breach.

Sure, the credentials could have been exploited eventually, given the time, but not putting up a first line of defense over your most potentially catastrophic vulnerability leaves me dumbfounded to know... what big picture are these IT leaders looking at?
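As an added illustration of the least-privilege and role-based access control point made in the comment above (this is example code written for this page, not code from the commenter, InformationWeek, or any agency), the block below models privileged accounts as role holders, answers "is this action on this resource allowed?", writes every decision to an audit log so that denied privileged actions can be alerted on, and runs a least-privilege review that flags third-party or service accounts holding write or admin rights on sensitive data. All role names, account names, and resource names are constructed for the example.

```python
"""Role-based access control with a least-privilege review for privileged accounts.

Added example; roles, accounts and resources below are constructed, not real.
"""
from dataclasses import dataclass

# Role -> set of (action, resource) grants. Constructed for this example.
ROLE_PERMISSIONS = {
    "dba_internal": {
        ("read", "personnel_db"), ("write", "personnel_db"), ("admin", "personnel_db"),
    },
    # Service account for an application: read-only on the sensitive store.
    "background_check_app": {("read", "personnel_db")},
    # Third-party support vendor: confined to the ticketing system.
    "vendor_support": {("read", "ticket_db"), ("write", "ticket_db")},
    # Deliberately over-broad role that the review below should flag.
    "vendor_root": {("admin", "personnel_db"), ("admin", "ticket_db")},
}

SENSITIVE_RESOURCES = {"personnel_db"}
PRIVILEGED_ACTIONS = {"write", "admin"}


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset
    origin: str = "internal"   # "internal" or "third_party"
    is_service: bool = False


def permissions_of(account):
    """Union of the grants of every role the account holds."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(account, action, resource):
    """Default deny: only an explicit role grant permits the action."""
    return (action, resource) in permissions_of(account)


def authorize(account, action, resource, audit_log):
    """Decide and record the decision; the log is what detection runs over."""
    allowed = is_allowed(account, action, resource)
    audit_log.append({
        "account": account.name, "origin": account.origin,
        "action": action, "resource": resource, "allowed": allowed,
    })
    return allowed


def privileged_denials(audit_log):
    """Denied write/admin attempts: a signal worth alerting on."""
    return [e for e in audit_log
            if not e["allowed"] and e["action"] in PRIVILEGED_ACTIONS]


def overprivileged(accounts):
    """Least-privilege review: external or service accounts that hold
    write/admin rights on sensitive resources. Returns (account, action, resource)."""
    findings = []
    for acct in accounts:
        if not (acct.origin == "third_party" or acct.is_service):
            continue
        for action, resource in sorted(permissions_of(acct)):
            if resource in SENSITIVE_RESOURCES and action in PRIVILEGED_ACTIONS:
                findings.append((acct.name, action, resource))
    return findings


def demo():
    """Run a constructed scenario and return (review findings, privileged denials)."""
    dba = Account("alice", frozenset({"dba_internal"}))
    vendor = Account("vendor-svc-01", frozenset({"vendor_support"}),
                     origin="third_party", is_service=True)
    vendor_root = Account("vendor-root-01", frozenset({"vendor_root"}),
                          origin="third_party", is_service=True)
    log = []
    authorize(dba, "admin", "personnel_db", log)      # allowed
    authorize(vendor, "read", "ticket_db", log)       # allowed
    authorize(vendor, "admin", "personnel_db", log)   # denied and logged
    return overprivileged([dba, vendor, vendor_root]), privileged_denials(log)


if __name__ == "__main__":
    findings, denials = demo()
    for name, action, resource in findings:
        print(f"REVIEW: {name} holds {action} on {resource}")
    for e in denials:
        print(f"ALERT: {e['account']} ({e['origin']}) denied {e['action']} on {e['resource']}")
```

The review function is the preventive half (find and remove grants that should never have existed), and the denial filter is the detective half (notice when a confined account starts probing for rights it does not have); a real deployment would feed the audit entries to a SIEM rather than a Python list.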