VA CIO: Zero Trust at the Core of Agency’s Vision, Security-Focused Workforce

The Department of Veterans Affairs is taking its cybersecurity posture to the next level by enhancing its mission-first vision and building a dynamic workforce.

This mission-first mindset has been a prominent guiding force for the agency’s modernization efforts that include initiatives like electronic health record modernization, PACT Act-related benefits and payout expansions, and bridging the digital divide. Now faced with critical directives around cybersecurity, VA Assistant Secretary for Information and Technology and CIO Kurt DelBene is honing in on integrating zero trust.

“I’m a very big proponent of Zero Trust. I was at Microsoft when I got my hands around doing this internal transformation, and I said what’s the theme I should be talking about with what our investments around security are?” DelBene said during GovCIO Media & Research’s CyberScape: Zero Trust event. DelBene said that’s zero trust, “not because it’s a set of products, but because it’s a framework for thinking about security.”

DelBene said key to VA’s zero trust journey will be its increased focused on integrating its principles within the workforce.

“We reworked the team and set a vision of being vision oriented, having great execution operational rigor, security rigor and focusing around a delightful end-user experience,” DelBene said. “Then finally people excellence and making sure we have a great workforce and that they are paid appropriately, it’s really about anchoring on those fundamental pieces.”

DelBene acknowledged zero trust as a powerful framework for security. If it’s implemented well in an organization, he said, people should know the key aspects inside and out. He believes security should be a part of an employee’s passion and how they think about everything that they do at an agency.

“First thing we should do is get a workforce that fundamentally believes security is the most important thing,” DelBene said. “The people driving your system need to have a sense of what zero trust means to them. Designers and developers have to have that inherent thought that security is at the core of what they do.”

Like the rest of the industry and government more broadly, pay has been a longstanding concern for recruiting and retaining technical talent. This is something DelBene also feels is important for the VA workforce.

“The pay that we have relative to the people in industry is a big difference. We have spent time quantifying that difference and working with [the Office of Personnel Management] to create salary grades that are actually closer to reality,” DelBene said.

DelBene is working to address other challenges within specifically the veteran workforce around hiring authorities. Many people who come off active duty pursue cybersecurity as a personal passion, for example.

“In many cases we find a great person, but we don’t have direct hiring authority, so they get put into a pool of people and we have to interview multiple people even when we know certain candidates are qualified and we want to bring them on directly,” DelBene said.

Over the next year, VA is working on an internal roadmap for implementing zero trust also using a zero trust scorecard.

“Another great thing about zero trust is you can create a scorecard of measures that kind of define how close you’re getting toward what you think your nirvana looks like,” DelBene said. “We also need people to be inherently thinking first from a perspective of vision and how the roadmap connects to a vision that’s in terms of the outcome for vets, their families and caregivers.”