I frequently write for actual publications and my latest article is an analysis of the OPM breach. What I hope makes mine different is that I tried to avoid the schadenfreude so common in the industry and focus on what we could all learn and correct in our own organizations.
When Office of Personnel Management (OPM) Director Katherine Archuleta gave her cringe-worthy testimony before Congress earlier this summer, it felt like a nightmare from the IT collective unconscious. A series of embarrassing appearances revealed she didn’t seem to know essential details of the OPM hack or understand the problems that allowed OPM to be compromised twice in one year. Her resignation seemed a foregone conclusion and a relief for the .GOV crowd.
So what went wrong?
It would be a mistake to categorize the compromise as simply a failure in OPM’s security strategy, because the agency’s entire information technology program was a management catastrophe — a guidebook in what not to do. In watching testimony and reading reports from the Office of the Inspector General (OIG), it isn’t only the security failures that stand out, but clueless leadership that flunked at basic strategy and risk management. This kind of negligence is all too familiar to those of us with any tenure in IT. Reading those OIG reports feels like déjà vu, because they could be about almost any enterprise.
Full article continued here.