OPM security chief: You're gonna need a bigger boat

Shutterstock image (by Tancha): shark attack vector.

(Tancha / Shutterstock)

How can you prep for the fallout when a big data breach strikes your agency?

There are a few things to know, said Jeff Wagner, director of security operations at the Office of Personnel Management. One of the most important is not to be "shocked that you're feeling overwhelmed."

He likened the feeling to the moment in the movie "Jaws" when Chief Brody first gets an eyeful of the shark and says, "We're gonna need a bigger boat."

At an Oct. 15 cybersecurity event presented by FCW, Wagner said everyone from the top managers to the CIO, communications staffers and congressional liaisons must know what to do if and when -- and increasingly, it seems to be a matter of "when" -- they get a call telling them about a data breach.

"Cybersecurity professionals are the only ones who can set management up for success," Wagner said. Non-specialists "don't know what they're looking at per se, so you need to set them up [and] pre-stage that kind of environment."

Preparing includes having preplanned talking points and timelines. It also means managing expectations. IT managers must prepare senior leaders for the reality that, as Wagner put it, "just because I find a breach at 9 a.m. doesn't mean I can give you an entire timeline of all systems affected and where the data loss is by noon."

In the wake of the OPM data breach, the government tightened agencies' ability to monitor the contractors that host their data. New contract language allows security pros like Wagner to do penetration testing and other data security checks.

"The government has now recognized that there's a huge hole [in the data security posture] and contractors are kind of that weak link," he said.

Before the breach, Wagner said, he would have had a hard time sending a couple of testers to a big contractor and demanding access to its systems. Things have changed.

"If I want to show up and root through your stuff, I'm showing up and rooting through your stuff," Wagner said. "Because it's not you reporting to Congress, it's me."

The OPM breach, which involved a data center operated by the Interior Department, has also served as a wakeup call to users of shared-services providers and improved collaboration between data owners and system owners.

"It strengthens a lot of things," Wagner told reporters after the event. "Now as we collaborate together, we're going to put these new controls in place. Instead of two groups that are now seen as entity silos, these two groups are now shared victims, and they simply work together better."

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.