Lessons from the OPM BreachBitSight's Jacob Olcott on Managing Third-Party Risks
The Office of Personnel Management breach is not just the biggest in U.S. government history. It's also likely a classic case of third-party risk management, says Jacob Olcott of BitSight Technologies.
In fact, in all that is being discussed about the OPM breach - attribution, the extent of the damage, whom should be held accountable - one of the least illuminated questions is "How did it happen," says Olcott, VP of Business Development at BitSight.
But the signs point to this being an all-too-common oversight in managing third-party risks.
"What we have heard through the [congressional] testimony is that there is a series of organizations that have been involved with the breach outside the Office of Personnel Management," Olcott says. So, if you are a security leader at OPM, "You not only have to worry about the security posture of your network - where the data is stored - but also how these other organizations may be involved in protecting that data as well."
The first question OPM - or any similarly breached organization - must answer, he says, is: "What were our security expectations, and how were our expectations being met?"In an interview about the OPM breach and its resulting fallout, Olcott discusses:
- Post-OPM questions to answer re: accountability;
- How organizations can avoid being the next OPM;
- The business value of rating security capabilities of third-party service providers.
Olcott is part of the senior leadership team at BitSight Technologies and has a long history in helping to shape both the practice and legislation of cybersecurity. He previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Prior to Good Harbor, he served as legal advisor to the Senate Commerce Committee, where he acted as Chairman John D. Rockefeller's lead negotiator on comprehensive cybersecurity legislation. He also served as counsel to the House of Representatives Homeland Security Committee.