Would you take a job as a chief information security officer for $100,000 a year? It seems no qualified IT security manager wanted the job as CISO at South Carolina's Department of Revenue for that salary.
While the CISO post stood vacant this past summer, at least one assailant hacked into the department's tax system, exposing the Social Security numbers and other personally identifiable information of nearly 4 million taxpayers. The breach will cost the state at least $12 million to address its aftermath [see Stolen Password Led to South Carolina Tax Breach].
A special state Senate panel held a hearing on the breach Nov. 28, and according to a report in The State newspaper, revenue department Director James Etter told the committee the agency didn't have a CISO for nearly a year because it could not draw candidates for a $100,000 salary, about half of what the private sector pays.
According to the paper, Revenue Department CIO Mike Garon filled the security role, but he left the agency in September for undisclosed reasons unrelated to the hacking.
After the hearing, the special investigative panel's co-chair Sen. Kevin Bryant told the paper that he was upset that the department left the job open so long without asking for help from lawmakers, saying: "How many banks go 11 months without a security guard?"
South Carolina isn't the only state with limited resources to fund IT security staff and equipment. To tackle the resources challenge, the state of Delaware has implemented a certification program that gives its departmental and divisional information security officers, many of whom hold other IT jobs, the skills needed to safeguard IT [see On the Job Training for ISOs].
With an apparent dearth of IT security expertise on hand, one must wonder if the South Carolina Revenue Department conducted a risk assessment prior to the breach. An investigation conducted for the state by the IT security firm Mandiant revealed that the agency failed to require multiple passwords to access sensitive data. Once inside the system, the hacker had access to unencrypted PII, including Social Security numbers.
At the special committee hearing, Etter told the senators the state is spending $25,000 for a dual password system. Such a system - which requires users to input two passwords, including one that changes every minute - likely would have prevented the breach. "I almost fell out of my chair," Bryant said. "For $25,000, we wouldn't be here."