OPM security chief: You're gonna need a bigger boat

How can you prep for the fallout when a big data breach strikes your agency?

There are a few things to know, said Jeff Wagner, director of security operations at the Office of Personnel Management. One of the most important is not to be "shocked that you're feeling overwhelmed."

He likened the feeling to the moment in the movie "Jaws" when Chief Brody first gets an eyeful of the shark and says, "We're gonna need a bigger boat."

At an Oct. 15 cybersecurity event presented by FCW, Wagner said everyone from the top managers to the CIO, communications staffers and congressional liaisons must know what to do if and when -- and increasingly, it seems to be a matter of "when" -- they get a call telling them about a data breach.

"Cybersecurity professionals are the only ones who can set management up for success," Wagner said. Non-specialists "don't know what they're looking at per se, so you need to set them up [and] pre-stage that kind of environment."

Preparing includes having preplanned talking points and timelines. It also means managing expectations. IT managers must prepare senior leaders for the reality that, as Wagner put it, "just because I find a breach at 9 a.m. doesn't mean I can give you an entire timeline of all systems affected and where the data loss is by noon."

In the wake of the OPM data breach, the government tightened agencies' ability to monitor the contractors that host their data. New contract language allows security pros like Wagner to do penetration testing and other data security checks.

"The government has now recognized that there's a huge hole [in the data security posture] and contractors are kind of that weak link," he said.

Before the breach, Wagner said, he would have had a hard time sending a couple of testers to a big contractor and demanding access to its systems. Things have changed.

"If I want to show up and root through your stuff, I'm showing up and rooting through your stuff," Wagner said. "Because it's not you reporting to Congress, it's me."

The OPM breach, which involved a data center operated by the Interior Department, has also served as a wakeup call to users of shared-services providers and improved collaboration between data owners and system owners.

"It strengthens a lot of things," Wagner told reporters after the event. "Now as we collaborate together, we're going to put these new controls in place. Instead of two groups that are now seen as entity silos, these two groups are now shared victims, and they simply work together better."

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Connect with him on Twitter at @thisismaz.

Reader comments

Wed, Nov 11, 2015

Jeff Wagner who ignored requirements for strengthening security for applications, data, and NOT installing end to end monitoring is now the expert? How do the OPM CIO and Jeff all of a sudden pat themselves on the back for fixing a situation they ignored? UGH!

Wed, Oct 21, 2015 Bob

It was DOI? I had no idea till this comment. I know when the DOI was tasked with all our payroll and I saw their pay stubs many years ago, I thought, "we're really sliding". Like other govt agencies, DOI doesn't have the money or the talent to do things right. How the heck did DOI end up in the critical path in the first place? I suspect lawmakers wanted to centralize stuff (which in the short term saves money) so they put all the ships in the same harbor making a breach MUCH more damaging in the long run.

Thu, Oct 15, 2015 DOI no more Washington DC

Finally everyone is finding out DOI was really the agency responsible for the data breach! It's about time....
