Contracts can also limit versatility. The CIO of a major federal agency wanted my company to assess how to make his agency's security awareness program better. But his contracts team informed him that the agency could not use us for an inexpensive assessment of the program because we were not part of the team that won the agency's IT support contract.
6. We suffer from detection deficit disorder
"Detection deficit disorder" is a term coined by Araceli Treu Gomes for organizations that, whether or not their protective capabilities are adequate, have poor detection capabilities. For example, the OPM hack was only detected when a vendor was demonstrating its tools at the OPM; the attack had been going on for months. The IRS failed to detect a breach until after 200,000 breach attempts.
Cases of long-term breaches without detection are rampant throughout government and industry. It is impossible for all attacks to be thwarted, but proper detection is critical to any sufficient security program.
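The point about detection is easy to state and easy to neglect, so here is a small added illustration (my example, not code from the article or from any agency named in it): the same constructed authentication log is run with and without a simple alerting rule, and a helper measures how many hostile attempts went by before the first alert, which is the "deficit" in practice. The log lines, host addresses and user names are all made up; the threshold and window are arbitrary tuning values.

```python
"""Minimal failed-login detector over constructed log lines.

Shows the difference between *having logs* and *having detection*: the
same events are replayed with and without a rule, and we count how many
attempts were already made before anything fired.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical users, RFC 5737 documentation
# addresses). One normal user, one source spraying many accounts, one
# isolated failure from a third address.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth FAIL user=alice src=192.0.2.10
2024-03-01T08:00:05 auth OK   user=alice src=192.0.2.10
2024-03-01T08:01:00 auth FAIL user=bob src=203.0.113.7
2024-03-01T08:01:02 auth FAIL user=carol src=203.0.113.7
2024-03-01T08:01:04 auth FAIL user=dave src=203.0.113.7
2024-03-01T08:01:06 auth FAIL user=erin src=203.0.113.7
2024-03-01T08:01:08 auth FAIL user=frank src=203.0.113.7
2024-03-01T08:01:10 auth FAIL user=grace src=203.0.113.7
2024-03-01T08:01:12 auth OK   user=grace src=203.0.113.7
2024-03-01T08:30:00 auth FAIL user=bob src=198.51.100.4
"""


def parse_line(line):
    """Parse one constructed log line into a dict (format is assumed)."""
    ts, _, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window rule: alert on a source once it has `threshold`
    failures inside `window`; afterwards, alert again on any success from
    that source, because a login that follows a spray deserves a look."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()               # sources that already tripped the rule
    alerts = []
    for ev in events:
        if ev["ok"]:
            if ev["src"] in flagged:
                alerts.append({"ts": ev["ts"], "src": ev["src"],
                               "rule": "success-after-spray",
                               "user": ev["user"]})
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"ts": ev["ts"], "src": ev["src"],
                           "rule": "failure-burst", "user": None})
    return alerts


def undetected_attempts(events, alerts, src):
    """(failures from `src` before its first alert, dwell time in seconds).
    Dwell is None when nothing ever fired for that source: the deficit."""
    fails = [e["ts"] for e in events if e["src"] == src and not e["ok"]]
    first_alert = min((a["ts"] for a in alerts if a["src"] == src),
                      default=None)
    if first_alert is None:
        return len(fails), None
    before = [t for t in fails if t < first_alert]
    return len(before), (first_alert - fails[0]).total_seconds()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect(evs):
        print(a["ts"], a["src"], a["rule"], a["user"] or "")
    print("with rule:   ", undetected_attempts(evs, detect(evs), "203.0.113.7"))
    print("without rule:", undetected_attempts(evs, [], "203.0.113.7"))
```

With the rule in place the spraying source is flagged on its fifth failure, eight seconds after it started, and the later successful login from that source raises a second alert; with no rule at all the helper reports six failures and no alert, which is the situation the article describes, only at a scale of months rather than seconds. The threshold and window are the tuning knobs a real deployment has to fit to its own traffic.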
There are more reasons
There are of course many other reasons for the failures that keep occurring. These include poor security awareness programs, the offshoring of job functions, poor training and improper hires. This article would never end if I went into each possible reason why government agencies will continue to suffer major breaches. But I think I can predict with complete certainty that there will be many more OPM-type hacks of federal agencies, as well as commercial organizations.