Wired waxing poetic on the OPM hack and quite possibly the most important lesson to be learned from the breach: great defense is never enough:
I’m not saying such things wouldn’t help. But higher and thicker digital walls, while necessary, are an insufficient response. To seriously respond to hacking, we need far more sophisticated data-handling techniques behind the walls we erect: access control management, tracking and auditing; anonymization; encryption; separation of certain data from other data; and data destruction policies that are real and enforced. These tactics go beyond security and land squarely in the realm of privacy.
Professionals trained in the practice and art—yes it’s often an art—of privacy must be working hand in hand with IT professionals to inventory data, making sure that data is useful and necessary. What’s left should be made virtually useless to the outside world should the hackers get in.
The IT department certainly can’t do it alone. While it might implement the controls, or work the technology and push the buttons, it takes a trained professional to think about a company’s data handling processes holistically and in light of organizational goals. There should be policies and plans that everyone in the organization can be involved with and work toward, overseen by individuals with training for the job,
I continue to evangelize similar thoughts, and even fought similar battles when working for the Department of Defense. Until the military and government leaders both understand and sympathize with cyber defense, they will continue to ignore it, or place very little emphasis on its importance.
Cyber security is a political battle in DoD, and one requiring the right connections and the proper amount of savvy. It should not be that way though; cyber security should be ingrained in DoD and US government culture. Until the sun dawns on that day, we will continue to see these types of unnecessary breaches.