Hindsight is wonderful you may say… but we could have written the Novapay report from prior “lesson learned” with regards to INSIS and former Teachers Pay system implementation. For goodness sake, INSIS is a case study(one of many) in what NOT to do.
Ditto with IT Security. When I was CIO at what was then Ministry of Fisheries we took IT security extraordinary seriously. The Executive Team at the time approved the employment of a full time Security Officer. When I was at SSC as Project Owner of the initial Authentication project ( now morphing into Real Me) a great deal of time and money was spent on a Privacy Impact Assessment.
What I think happens is: people turn over, priorities change, budgets dry up, new Executives make changes and before you know it the institutional knowledge of how to do IT Security audits and Privacy Impact assessments is lost.
Some of the wisest words given to me many years ago was ‘don’t rely on security through obscurity”… just because I cannot see how people can infiltrate systems doesn’t mean it cannot happen.