The problem with such "lessons learned" is that they are usually not lessons learned - I bet there were numerous people within the organization who knew about these issues before the test.
The actual issue is probably that these people are (a) ineffectual at communicating and prioritizing concerns clearly; or (b) good at communicating, but are not being listened to; or (c) they are listened to, but the organization has no practical means to fix this - no money, unable to recruit talent, etc.
Most techies often assume (b), but (a) is at least as common. The last issue - (c) - might be superficially true, although it's usually not correct in a deeper sense: there is plenty of discretionary and wasteful spending in any sufficiently large bureaucracy. Central resource allocation is just a hard problem.
Anyway, my point is that the problems that need fixing are almost never just technical. Recommendations such as "implement sufficient controls to detect malicious activity" seldom get to the root cause. They are still useful in temporarily overcoming organizational obstacles, but it usually doesn't last.