Chris Pogue has a special interest in last year’s US Office of Personnel Management data security breach – his details were among those that were stolen.
Pogue, chief information security officer at Nuix, spent several years in the US army teaching cyberwarfare. He was one of the 21.5 million individuals, most of them current, former or prospective federal employees and contractors, whose information ended up in the hands of attackers who were probably state-sponsored.
This month, the House Oversight Committee investigating the hack issued its report on the matter. It was damning by any standard, accusing OPM management of failing to acknowledge cybersecurity threats or to prioritize resources for cybersecurity.
The upshot, according to Pogue? “It’s not a failure of technology. It was a failure in leadership. It was a failure in planning. It was a failure in really understanding the threat,” he says.
We need a new way to think about cybersecurity and protect our organizations, he says. This is what he’ll be discussing in his keynote address at the SecTor security conference this October.
The OPM report underlines something that Pogue has been researching since becoming a CISO. When he took on that role, he spoke to many other CISOs to find out where these problems were coming from.
Ultimately, security flaws aren’t a technology problem, says Pogue. They won’t be solved simply by throwing more products at them. Instead, they’re a people problem. “Data breaches are the result of human activity,” he says. Companies don’t understand the threats, or how to apply the right technologies to mitigate them.
Pogue looked at other scenarios outside the technology world to better understand how these management schisms occur, and how they can be solved.
One example lies in healthcare and epidemiology, Pogue says, citing the 2014 Ebola outbreak. After speaking to people at the WHO, he found that the organization knew how to prevent the spread of disease. A contributing factor to the spread was bad planning and not getting the right people on the ground in time, he suggests.
The paradox is that the guys on the ground are often those with the expertise to prevent these problems, but those higher up in the hierarchy often won’t listen to them. “The operational guys have a better understanding than the tacticians or the strategy guys,” he says.
The answer is to win your employees’ hearts and minds, he says, and to bridge the operational disconnect. Rely on a combination of people and technology to bolster your defenses, he says. “You have to understand that you can’t just spend money on technology. You also have to spend the same sort of money on people, and that you have to retain and empower them.”
Empowering operations staff is a key part of this puzzle. Managers don’t have to be the smartest guys in the room, he says. In fact, it’s better if they aren’t. “I realize that my role as a CISO is to build a high-powered team,” he says. Build a team containing operational and tactical staff with expertise in different disciplines, and then use it.
This can be a challenge for many CISOs, he suggests, arguing that they either don’t come from a technical background and don’t understand it, or rose up via the technical route and don’t want to defer to other techies, even if those people are capable and smart. It’s time for CISOs to let go and give those people their due, he asserts.
“You maintain ultimate authority, but empowering your directors and your senior managers with the ability to execute and make things happen is such a good working model.”
This kind of thinking can entail a huge cultural change at a large organization. In some ways, it’s like turning an oil tanker around. Perhaps it would have taken years at the OPM. But because it didn’t happen, someone who shouldn’t now has the intimate details of nearly one in ten US adults. To avoid that happening again, isn’t it worth rethinking the way that we do things?