TRENDING:

Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Lessons from the OPM Breach

BitSight's Jacob Olcott on Managing Third-Party Risks Information Security Media GroupJuly 14, 2015     10 Minutes   
Lessons from the OPM Breach
Jacob Olcott, BitSight Technologies

The Office of Personnel Management breach is not just the biggest in U.S. government history. It's also likely a classic case of third-party risk management, says Jacob Olcott of BitSight Technologies.

In fact, in all that is being discussed about the OPM breach - attribution, the extent of the damage, whom should be held accountable - one of the least illuminated questions is "How did it happen," says Olcott, VP of Business Development at BitSight.

But the signs point to this being an all-too-common oversight in managing third-party risks.

"What we have heard through the [congressional] testimony is that there is a series of organizations that have been involved with the breach outside the Office of Personnel Management," Olcott says. So, if you are a security leader at OPM, "You not only have to worry about the security posture of your network - where the data is stored - but also how these other organizations may be involved in protecting that data as well."

The first question OPM - or any similarly breached organization - must answer, he says, is: "What were our security expectations, and how were our expectations being met?"

In an interview about the OPM breach and its resulting fallout, Olcott discusses:

  • Post-OPM questions to answer re: accountability;
  • How organizations can avoid being the next OPM;
  • The business value of rating security capabilities of third-party service providers.

Olcott is part of the senior leadership team at BitSight Technologies and has a long history in helping to shape both the practice and legislation of cybersecurity. He previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Prior to Good Harbor, he served as legal advisor to the Senate Commerce Committee, where he acted as Chairman John D. Rockefeller's lead negotiator on comprehensive cybersecurity legislation. He also served as counsel to the House of Representatives Homeland Security Committee.

Previous
OPM Breach: Get Your Priorities Straight
Next
Buyer's Guide to DDoS Mitigation



Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.