14 Security Fails That Cost Executives Their Jobs - InformationWeek


Government // Cybersecurity
07:06 AM
Thomas Claburn

14 Security Fails That Cost Executives Their Jobs

Katherine Archuleta, the director of the Office of Personnel Management, is the latest casualty of a data breach, but she's certainly not the only one. There's no job security when your job is security.

Katherine Archuleta, former director of the Office of Personnel Management, speaking at a United States Department of Agriculture event in 2014.
(Image: USDA photo by Todd Witham via Flickr under CC 2.0 license)


You had one job: Secure the data. What happened?

Life as a CEO, CIO, or CTO is a bit more complex than that. Not every executive is directly responsible for IT security. Few have a deep understanding of it.

But in our networked world, IT security is the foundation of a successful business, and blame is shared when the floor collapses. Organizational leaders may prefer to focus on the big picture, but inattention to security has proven to be a poor career move.

Katherine Archuleta, the director of the US Office of Personnel Management, is the latest casualty of a data breach. She resigned on Friday following revelations that hackers had made off with the data of 21.5 million people who applied for government background checks. Her agency previously disclosed that the personal information of more than 4.2 million federal workers had been compromised.

In a May 2015 study, based on information from 350 companies, IBM and the Ponemon Institute found that the average total cost of a data breach increased to $3.79 million from $3.52 million last year. The average cost paid for each lost or stolen record with sensitive data rose as well, to $154, from $145 last year. That's a global average. In the US, the cost per capita reached $217.

By that measure, using the US per-record figure of $217, the theft of 25.7 million OPM records (the two disclosed figures combined) could cost almost $5.6 billion. If only those funds could be added to the $14 billion proposed for cybersecurity in FY2016. After all, the OPM breach could have serious, long-term implications for national security.

Monetary costs tell us nothing about the angst and inconvenience visited upon the victims of a breach, or the personal and professional toll paid by whoever accepts responsibility.

It's infuriating for data theft victims to be forced to worry about fraud and identity theft due to someone else's errors, ignorance, or incompetence. At the same time, it's difficult not to be a bit sympathetic to those called upon to maintain security using systems and people who are unavoidably flawed. Those who do the job well succeed, in part, because there's someone else out there doing the job less well, someone running an organization that's an easier target.

When you look at the list of companies that have been hacked in some way, it becomes apparent that even the most technically sophisticated organizations can be breached given a sufficiently well-funded, determined attacker. Speaking on 60 Minutes in 2014, FBI Director James Comey put it this way: "There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese, and those who don't know they've been hacked by the Chinese."

And Chinese hackers are not the only hackers in the world.

Given the vulnerability of IT systems, the first act of an incoming CEO, CIO, or CTO should be to write a resignation letter, apologizing for the "unforeseen" data breach that everyone feared was coming. Ideally, the letter's presence will serve as a reminder to prioritize security concerns.

With luck and diligence, the letter will never need to be tendered. But many executives have not been so fortunate or attentive. Here are a few who have stepped aside or been forced out following a breach. Maybe there's a lesson here, or maybe we're all just waiting for the other shoe to drop.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

User Rank: Apprentice
10/6/2015 | 1:37:27 PM
RE: 14 Security Fails
I was livid when I was contacted by the VA and informed I was one of those veterans whose data may have been compromised by this colossally halfwitted action by its employee. Just goes to show you that for all the research done to protect data, it cannot protect from a real world moronic activity by someone entrusted to protect that data. 
User Rank: Ninja
7/28/2015 | 12:15:19 PM
Do what you can
Before a security fail, you want to make certain that you can honestly say "we did things right" and, if possible, "we did everything in our power to secure this data with the resources we were given." At the very least, if you can do that, the blame can be put more squarely on the budget given for such things and not on the IT people responsible for keeping things safe. All you can do is what you can, and try to mitigate any potential breach hazards.
User Rank: Apprentice
7/16/2015 | 2:26:05 PM
Sophistication won't protect you from dumb
There is little doubt at this point that, given access to enough resources and the will, any network can be hacked.

However, the breach you describe at the OPM that cost Katherine Archuleta her job, and also most of the high-profile hacks we have seen in the headlines over the past 2 years specifically, have all resulted from nonexistent or insufficient management of privileged user and privileged service accounts.

Giving root access to government databases to a third-party provider in a foreign country... that's just dumb.

It's akin to building a castle with huge walls, a moat, and even adding some boiling oil, all the "sophistication" in the world... but failing to raise the drawbridge before a battle.

Are you really surprised when it gets ransacked? Seriously? 

A simple least-privilege approach, or using role-based access controls to manage privileged users and privileged accounts, would have prevented this "type" of breach.

Sure, the credentials could have been exploited eventually, given the time, but not putting up a first line of defense over your most potentially catastrophic vulnerability leaves me dumbfounded to know... what big picture are these IT leaders looking at?
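The comment above argues that deny-by-default, role-based control of privileged accounts is the first line of defense. The following is an added illustration of that idea; it is not code from InformationWeek, from OPM, or from the commenter, and the roles, account names and the "personnel-db" resource are constructed for the example. It shows two things a practitioner would actually want: an authorization check that refuses root to a third-party account even when someone has granted it directly, and an audit that finds accounts holding privileges their roles do not justify.

```python
"""Deny-by-default role-based access control for privileged accounts.

Added example (not from the article or its comments). Roles, accounts
and resource names below are constructed for illustration.
"""
from dataclasses import dataclass

# Permissions are (action, resource) pairs. Only an explicit admin role
# should ever carry the "root" action.
ROLES = {
    "hr-analyst":  {("read", "personnel-db")},
    "db-operator": {("read", "personnel-db"), ("backup", "personnel-db")},
    "db-admin":    {("read", "personnel-db"), ("backup", "personnel-db"),
                    ("root", "personnel-db")},
}


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset
    third_party: bool = False            # contractor / vendor account
    direct_grants: frozenset = frozenset()  # ad-hoc grants outside any role


def effective_permissions(acct):
    """Union of role permissions and direct grants; unknown roles grant nothing."""
    perms = set()
    for role in acct.roles:
        perms |= ROLES.get(role, set())
    return perms | set(acct.direct_grants)


def is_authorized(acct, action, resource):
    """Deny by default. Root is never granted to a third-party account,
    regardless of how the grant was made."""
    if action == "root" and acct.third_party:
        return False
    return (action, resource) in effective_permissions(acct)


def find_overprivileged(accounts):
    """Report accounts whose access exceeds what their roles justify.

    Returns (account, finding, permission) tuples for every direct grant
    not covered by an assigned role, and for any third-party account that
    holds root through any path.
    """
    findings = []
    for acct in accounts:
        role_perms = set()
        for role in acct.roles:
            role_perms |= ROLES.get(role, set())
        for perm in sorted(acct.direct_grants - role_perms):
            findings.append((acct.name, "direct grant outside role", perm))
        if acct.third_party:
            for perm in sorted(effective_permissions(acct)):
                if perm[0] == "root":
                    findings.append((acct.name, "third-party root", perm))
    return findings


# Constructed sample inventory: an internal analyst, a backup service
# account, and a foreign vendor DBA who was handed root by a direct grant.
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"hr-analyst"})),
    Account("svc-backup", frozenset({"db-operator"})),
    Account("vendor-dba", frozenset({"db-operator"}), third_party=True,
            direct_grants=frozenset({("root", "personnel-db")})),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.name, "root?", is_authorized(acct, "root", "personnel-db"))
    for name, finding, perm in find_overprivileged(SAMPLE_ACCOUNTS):
        print(f"AUDIT {name}: {finding}: {perm}")
```

Run as a script it prints that only no account gets root (vendor-dba is refused despite the direct grant) and lists vendor-dba twice in the audit: once for a grant outside its role and once for third-party root. In practice the audit function is the part that matters before a breach; the direct-grant path is exactly how a service or contractor account quietly ends up with more than its role.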