Last week, Katherine Archuleta stepped down as the director of the Office of Personnel Management in the wake of two breaches to her agency’s IT systems, which exposed the personal data of millions of former and current federal employees and contractors.
Alan Paller and John Pescatore of the SANS Institute wrote the following letters to the editor explaining why Archuleta’s departure may be neither a fair nor an effective means of addressing the cybersecurity problems at OPM.
The sad fact in the federal government is that it is easier to punish a department head than a CIO. As Verizon and other breach investigation reports invariably point out, the majority of breaches could have been prevented by basic “security hygiene” — a la the Critical Security Controls. Most of the failures in configuration management, patching and privilege management are IT operations failures that many CIOs allow to continue and at best try to spackle over with “security.” The CIO at Target was the first fired after their breach – I’d really like to see more focus on the IT operations side at government agencies as Federal CIO Tony Scott’s rapid cybersecurity review proceeds. — John Pescatore
John is correct, in part. For fair accountability in this case and to actually change behavior in the right way, one other person (in addition to the CIO) needs to be fired and two others need to be demoted. The other firing is the security audit director on OPM’s Inspector General’s staff for auditing the wrong things. This is a critical action. Without it, IGs will continue to drive federal cybersecurity into the toilet. The two people who need demoting and retraining are (1) the current CISO at OPM who appears to lack the technical skills to implement effective defense, discovery, containment and recovery, and (2) the OMB executive who has failed for half a decade to ensure agencies measure the right things. Great IGs could have gone on and measured the wrong (OMB metrics) as well as the right things, but this OMB official tied one of the IG’s hands behind his/her back. — Alan Paller