VA Leaders: Compliance and Security Need to Combine to Mitigate Cyber Risks
The “huge” cyber skills gap also needs to be addressed between the public and private sectors to keep systems safe.
Department of Veterans Affairs leaders are ensuring that compliance is going hand in hand with risk management in order to beef up cybersecurity systems at their inception.
VA CISO and Deputy Assistant Secretary of Information Security Lynette Sherrill said at Rise8’s Prodacity event that public servants need to be educated on what risk looks like within their systems beyond a “checklist exercise,” and that part of solving the problem involves hiring skilled cybersecurity employees who can sort technical risks from compliance risks.
Sherrill added that the gulf in cyber skills between the public and private sectors needs to be bridged in innovative ways.
“We’ve got a huge cyber gap in the entire industry. We’ve got to figure out how do we get more people into cybersecurity. We’ve got to use non-traditional hiring methods, non-traditional people and get them interested in cybersecurity. We’ve got cybersecurity people leaving cybersecurity industry because of burnout,” Sherrill said. “We’ve got to figure out ‘How do we fill that pipeline back up,’ inside cybersecurity as a whole.”
Doing More With Less
Though the VA and other federal agencies will always operate in a “constrained resource environment,” Sherrill said, the agency must focus on trying to automate as much of its processes as it can while retaining human oversight over sensitive and critical decisions.
Deputy CIO and Product Engineering Service Carrie Lee said at the event that keeping up with the security of thousands of systems is demanding of her time. “[I] really need to understand the security of the system I’m looking at, at the time I look at it. The assurance of having those automated controls in place and understanding that technical risk posture instead of just a compliance is very important to me, from an authorizing official perspective,” Lee said.
Security is Part of Everything
Lee said one of the most surprising cultural changes at the VA under her tenure is that “developers don’t mind doing security, it becomes part of just their regular work.” Lee added that part of the reason she joined the agency was to lead this cultural change.
“One of my passions has always been building security in from the start, instead of tacking it on at the end by filling out a bunch of compliance paperwork,” Lee said.
Sherrill said that even though security is now a critical part of VA operations, the agency can’t do the work alone.
“We have to remember partnerships are everything, that none of us can do this in a box, and we cannot do it alone,” Sherrill said. “We have to reach across the entirety of the organization and make sure that we’re partnering with people, and that we’re open to those new ideas and new ways of doing it.”