VA Leaders: Compliance and Security Need to Combine to Mitigate Cyber Risks
The “huge” cyber skills gap also needs to be addressed between the public and private sectors to keep systems safe.
Department of Veterans Affairs leaders are ensuring that compliance is going hand in hand with risk management in order to beef up cybersecurity systems at their inception.
VA CISO and Deputy Assistant Secretary of Information Security Lynette Sherrill said at Rise8’s Prodacity event that public servants need to be educated on what risk looks like within their systems beyond a “checklist exercise,” and that part of solving the problem involves hiring skilled cybersecurity employees who can sort technical risks from compliance risks.
Sherrill added that the gulf in cyber skills between the public and private sectors needs to be bridged in innovative ways.
“We’ve got a huge cyber gap in the entire industry. We’ve got to figure out how do we get more people into cybersecurity. We’ve got to use non-traditional hiring methods, non-traditional people and get them interested in cybersecurity. We’ve got cybersecurity people leaving cybersecurity industry because of burnout,” Sherrill said. “We’ve got to figure out ‘How do we fill that pipeline back up,’ inside cybersecurity as a whole.”
Doing More With Less
Though the VA and other federal agencies will always operate in a “constrained resource environment,” Sherrill said, the agency must focus on trying to automate as much of its processes as it can while retaining human oversight over sensitive and critical decisions.
Deputy CIO and Product Engineering Service Carrie Lee said at the event that keeping up with the security of thousands of systems is demanding of her time, and that she “really need to understand the security of the system I’m looking at, at the time I look at it. The assurance of having those automated controls in place and understanding that technical risk posture instead of just a compliance is very important to me, from an authorizing official perspective.”
Security is Part of Everything
Lee said one of the most surprising cultural changes at the VA under her tenure is that “developers don’t mind doing security, it becomes part of just their regular work.” Lee added that part of the reason she joined the agency was to lead this cultural change.
“One of my passions has always been building security in from the start, instead of tacking it on at the end by filling out a bunch of compliance paperwork,” Lee said.
Sherrill said that even though security is now a critical part of VA operations, the agency can’t do the work alone.
“We have to remember partnerships are everything, that none of us can do this in a box, and we cannot do it alone,” Sherrill said. “We have to reach across the entirety of the organization and make sure that we’re partnering with people, and that we’re open to those new ideas and new ways of doing it.”