There was plenty of blame and fault to be shared in the aftermath of the OPM incident

LAS VEGAS – Black Hat 2015 is underway, and the corporate side of hacking has taken center stage. There are plenty of hot topics this year, but the mess at the OPM is something that is still generating buzz months after the fact.

Last month, House Oversight Committee Chairman Jason Chaffetz disclosed that, in addition to the 4.2 million records previously reported compromised in June, OPM had discovered a second incident during that investigation that impacted 21.5 million people, 19.5 million of whom had applied for a security clearance.

A day later, OPM director Katherine Archuleta resigned from her position. The resignation wasn't unexpected, as calls for her removal had started shortly after the first incident was announced.

However, some experts think that her resignation shouldn't have been the only one, and that others should have been punished as well. John Pescatore, director of the SANS Institute, said the sad fact in the federal government is that it's easier to punish a department head than a CIO.

"As Verizon and other breach investigation reports invariably point out, the majority of breaches could have been prevented by basic 'security hygiene' – a la the Critical Security Controls. Most of the failures in configuration management, patching and privilege management are IT operations failures that many CIOs allow to continue and at best try to spackle over with 'security.' The CIO at Target was the first fired after their breach – I'd really like to see more focus on the IT operations side at government agencies as Federal CIO Tony Scott's rapid cybersecurity review proceeds."

However, Alan Paller, founder and research director of the SANS Institute, said that while Pescatore was right in part, in order to get fair accountability in this situation and to actually change behavior, there is one other person (in addition to the CIO) who needs to be fired, and two others who need to be demoted.

"The other firing is the security audit director on OPM's Inspector General's staff for auditing the wrong things. This is a critical action. Without it, IGs will continue to drive federal cybersecurity into the toilet. The two people who need demoting and retraining are (1) the current CISO at OPM who appears to lack the technical skills to implement effective defense, discovery, containment and recovery, and (2) the OMB executive who has failed for half a decade to ensure agencies measure the right things."

Do you agree? Disagree? Leave a comment below and share your thoughts.