OPM security chief: You're gonna need a bigger boat

There's a playbook for what to do when a big data breach hits, says an OPM official who learned it all the hard way.


How can you prep for the fallout when a big data breach strikes your agency?

There are a few things to know, said Jeff Wagner, director of security operations at the Office of Personnel Management. One of the most important is not to be "shocked that you're feeling overwhelmed."

He likened the feeling to the moment in the movie "Jaws" when Chief Brody first gets an eyeful of the shark and says, "We're gonna need a bigger boat."

At an Oct. 15 cybersecurity event presented by FCW, Wagner said everyone from the top managers to the CIO, communications staffers and congressional liaisons must know what to do if and when -- and increasingly, it seems to be a matter of "when" -- they get a call telling them about a data breach.

"Cybersecurity professionals are the only ones who can set management up for success," Wagner said. Non-specialists "don't know what they're looking at per se, so you need to set them up [and] pre-stage that kind of environment."

Preparing includes having preplanned talking points and timelines. It also means managing expectations. IT managers must prepare senior leaders for the reality that, as Wagner put it, "just because I find a breach at 9 a.m. doesn't mean I can give you an entire timeline of all systems affected and where the data loss is by noon."

In the wake of the OPM data breach, the government tightened agencies' ability to monitor the contractors that host their data. New contract language allows security pros like Wagner to do penetration testing and other data security checks.

"The government has now recognized that there's a huge hole [in the data security posture] and contractors are kind of that weak link," he said.

Before the breach, Wagner said, he would have had a hard time sending a couple of testers to a big contractor and demanding access to its systems. Things have changed.

"If I want to show up and root through your stuff, I'm showing up and rooting through your stuff," Wagner said. "Because it's not you reporting to Congress, it's me."

The OPM breach, which involved a data center operated by the Interior Department, has also served as a wake-up call to users of shared-services providers and has improved collaboration between data owners and system owners.

"It strengthens a lot of things," Wagner told reporters after the event. "Now as we collaborate together, we're going to put these new controls in place. Instead of two groups that are now seen as entity silos, these two groups are now shared victims, and they simply work together better."
