As nuggets of what was and was not done to protect information and systems at the OPM trickle out, it's worth revisiting the issue of just where security falls in organizational priorities, and why.
They are not taking security seriously.
This is a common refrain from security practitioners when talking about, well, just about anyone not in security. Most often it is directed at managers and executives in the “business” or “operations” division in any given organization. You know: where money gets made and how people get paid. Whenever a security problem arises that would infringe on an operation’s ability to make money, the business executives put the kibosh on whatever fix would address the problem and "accept the risk."
In response, the security practitioner will try to present data to help bolster their case. Some examples they might use:
Consumers lost an average of $1,800 in Internet crimes and a total of $535 million overall, according to the Internet Crime Complaint Center's annual report...
In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of A.T.M.'s in a matter of hours.
Most executives are not scared by these kinds of statistics from a strictly business point of view. Why? Because getting robbed doesn't really impact the top-line; improving security definitely eats into the bottom-line.
Consider the massive ATM hack mentioned above. The money quote (no pun intended) is related to the amount that was stolen, but not in the way you think:
"The U.S. accounts for about a quarter of the world's card spending but about half of the world's card fraud. The odd $45 million here or there doesn't make much difference to the overall calculation," says Dave Birch, a director at electronic transactions consulting firm Consult Hyperion.
It boils down to the lack of a business case that is based purely on security.
Getting robbed sucks, but getting robbed of the loose change in your sofa doesn't merit dropping thousands of dollars in a new home alarm system and a pair of highly trained Dobermans.
The bottom line is: security that isn't in sync with the core business is never going to garner respect or accomplish anything meaningful. If you want to spend the rest of your life as a digital janitor, cleaning up after other people exploit yesterday's engineering messes, knock yourself out, just stop complaining about how not enough executive-level attention is being paid to the merits of Mr. Clean vs. Simple Green.
This is not a dig on janitors. Digital janitors in particular are not stupid, but their input relative to business goals often stands in opposition to what everyone else in the organization is trying to do. If, for example, I could increase the productivity of my sales force by giving them admin privileges on their laptops and letting them install whatever productivity/time-management/scheduling/etc. software they were most effective with, I'm going to listen to the digital janitor and then accept the risk, because a more effective sales force drives all the metrics I care about from lower-left to upper-right; the digital janitor wants to do something that not only doesn't drive my metrics in the right direction, it costs me extra money to boot.
Now, if I had a business goal to cut costs and the actual janitor came to me and said, "Boss, I've got a way to keep the floors and carpets just as clean as they are now, but it'll take half the time to complete the job and cost a third as much as it used to," I'm going to listen to that man, because he's credible (he's talking about his area of expertise) and he's making a meaningful contribution to the business as a whole. The more security practitioners start to think about how security can enable the business, the more respect they are going to get and the more they are going to get done. If you have an old copy of @stake's Secure Business Quarterly tucked away somewhere, this will sound familiar.
Fighting the power only works if you're a rap star: everyone else has to bow down to the gods of revenue and profit (or the governmental equivalent thereof). I don't doubt that the security practitioners at OPM were doing everything they could to keep their enterprise secure, but while security is one of OPM leadership's responsibilities, it's not a function of the Office, and consequently it was never going to be a top priority.
At least it wasn't...