The Culture of Cyber Insecurity

Data breaches at OPM, Target, Sony and others have gotten everyone’s attention on the issue of cybersecurity and the challenge of securing Personally Identifiable Information. Agencies are reviewing systems, the White House, DoD, OPM, the FBI and others are investigating the OPM breach, and Congress is holding hearings. There will be requests for money for better technology, and agency leaders are making promises about securing employee data. All good. Right?

Not necessarily. The OPM breach exemplifies the cultural problem that besets the cybersecurity of the government and the private sector – the failure to recognize that cybersecurity is a challenge that must be owned by the entire enterprise.  Everyone – CIO, CISO, CFO, COO, communications, human resources – must be part of plans and programs necessary for effective cybersecurity. It is a massive technology challenge that requires the best tools and talent. I am not a technologist, so I will leave the technical aspects of the issue to my ICF colleague, Sam Visner. His paper on Whole of Enterprise Cybersecurity Planning and Recovery is a great read and it makes the point – effective cybersecurity requires programs that are end-to-end (from plans through incident response) and involve the entirety of an enterprise.

At the same time we are using the best available security tools, we must also address the culture issues that contribute to vulnerabilities or the technology cannot protect us. This culture reduces cybersecurity to “merely” a technical challenge. 

Read the rest of this post at the Washington Post