SecureState Blog

Read SecureState's award winning blog.

4 Lessons Learned from the JP Morgan Chase Data Breach

After the revelation that over 76 million users and 7 million businesses were affected by the recent JP Morgan Chase & Co. (JPM) data breach, many observers are wondering what lessons can be learned from the entire affair. In the days shortly after the breach was made public, JPM CEO Jamie Dimon discussed the company’s plans to double their security budget and hire even more members for their security team. As of the 2013 Annual Report, JPM was reporting a $250 million security budget, with a staff of 1,000 people, so it would seem that JPM is looking to increase that budget to $500 million, and adjust its staffing accordingly.

However, JPM’s current plan fails to identify one of the key issues behind the breach. As discussed by Bloomberg, JPM has been undergoing a tremendous amount of turnover in their tech staff. As the breach began in June, JPM had only recently filled their head of information security position, which had been vacant since March. JPM’s co-COO and CIO had also recently left the company, along with several other high level technical staff members, leaving a massive knowledge gap concerning JPM’s systems and security programs.

With such high turnover, it shouldn’t be a surprise that attackers were able to take advantage of the relative chaos at JPM to exploit weaknesses in their security for several months. In fact, JPM has disclosed that the breach was only detected as part of a routine scan, several months after it began occurring.


What Can We Learn?

High turnover is a constant in tech industries, especially security. However, companies need to find the best ways to mitigate the effects of turnover on their operations to alleviate the threat of breaches such as what occurred at JPM. While no one outside of JPM can know exactly how JPM handles this, here are a few key methods for minimizing the impact of turnover in your security efforts.

Lesson 1: Focus on the Retention of High Level Employees

As discussed, the loss of key high level employees at JPM left large gaps that were not easily filled. These high level employees often have intimate knowledge of the proprietary security programs and technologies used by companies, and replacing them is never easy. Methods for increasing retention vary from providing long term contracts to increasing buy-in, but no matter the method, the retention is key.

Lesson 2: Create Succession Sharing Plans

Even with a focus on retention, some employees will eventually leave any company. To prepare for this, companies should work on creating succession sharing plans as soon as possible. Succession sharing plans often start with thinking of jobs as roles, instead of as people. Though this kind of thinking is common in a lot of jobs, often security roles are less defined, due to many people outside of security departments having less of an understanding of what good security requires.

These plans then help document both the knowledge and skills needed for a particular role within a company, and ensure that if people leave, the company isn’t left lacking without them. According to researchers, succession sharing plans should include:

- Selecting and training of a designated successor.

- Developing a strategic plan for the company/department after the succession.

- Defining the role of the departing person.

- Communicating all decisions to key stakeholders.

Though these types of plans are most often reserved for CEOs and family run businesses, incidents like the JPM breach have shown that these kinds of plans are incredibly important for security professionals.

Lesson 3: Train Better, Not Hire More

In the security field, the incredible demand for security professionals has been increasingly met with a distinct lack of knowledgeable people looking for jobs. With JPM doubling its security budget, they will probably be looking to hire new staff, but finding that staff is going to be a problem. To alleviate this, companies are focusing on building the skills and abilities of the people they have, instead of augmenting their staff with new people. When combined with the retention efforts discussed above, education can provide a great return on security dollar investment.

Lesson 4: Augment Security Efforts with Outside Staff

With a core team of highly educated security professionals in place, the lower levels of security can often be outsourced to companies that specialize in information security, offering several advantages, including:

1. External security companies bring added outside experience to the table. For example, penetration tests are a common part of any security effort, but a team that only performs pentests on one company’s systems may not be as skilled as an outside tester who works on several hundred in a year.

2. External security companies handle turnover problems on their own. As long as the internal high level technical staff remains relatively consistent, an external security company will handle the constant turnover that is often a problem when maintaining a security staff.

Due to these advantages, the use of external companies can often bring a better return on security dollar investment compared to hiring new people or even educating current staff. Even for companies as large a JPM, bringing in external security assistance can help bolster their otherwise strong efforts.

In addition to handling the lower level security efforts, external security companies can often guide clients in the creation of their own security teams. External companies often have in-depth knowledge of industry best practices and the roles and requirements of a security team. Hiring an external company to build a security team can ensure the effectiveness of a team while reducing the time and resources needed for development.


Proactive Versus Reactive

The core takeaway from all of these lessons is that a strong security program needs to be proactive in every practice, not reactive. Though a proactive methodology has long been a part of most companies’ security postures, this type of thinking often doesn’t extend to how companies manage their security personnel. In security, the balancing of people, processes, and technology is often lost, with many resources devoted to technology, and not enough devoted towards developing and retaining people. The constant turnover among security professionals means that no company can afford to not plan ahead, or the risk of a breach like JPM suffered becomes that much higher.