VA Leaders: Compliance and Security Need to Combine to Mitigate Cyber Risks
The “huge” cyber skills gap also needs to be addressed between the public and private sectors to keep systems safe.
Department of Veterans Affairs leaders are ensuring that compliance is going hand in hand with risk management in order to beef up cybersecurity systems at their inception.
VA CISO and Deputy Assistant Secretary of Information Security Lynette Sherrill said at Rise8’s Prodacity event that public servants need to be educated on what risk looks like within their systems beyond a “checklist exercise,” and that part of solving the problem involves hiring skilled cybersecurity employees who can sort technical risks from compliance risks.
Sherrill added that the gulf in cyber skills between the public and private sectors needs to be bridged in innovative ways.
“We’ve got a huge cyber gap in the entire industry. We’ve got to figure out how do we get more people into cybersecurity. We’ve got to use non-traditional hiring methods, non-traditional people and get them interested in cybersecurity. We’ve got cybersecurity people leaving cybersecurity industry because of burnout,” Sherrill said. “We’ve got to figure out ‘How do we fill that pipeline back up,’ inside cybersecurity as a whole.”
Doing More With Less
Though the VA and other federal agencies will always operate in a “constrained resource environment,” Sherrill said, the agency must focus on trying to automate as much of its processes as it can while retaining human oversight over sensitive and critical decisions.
Deputy CIO and Product Engineering Service Carrie Lee said at the event that keeping up with the security of thousands of systems is demanding of her time, and that she “really need[s] to understand the security of the system I’m looking at, at the time I look at it. The assurance of having those automated controls in place and understanding that technical risk posture instead of just a compliance is very important to me, from an authorizing official perspective.”
Security is Part of Everything
Lee said one of the most surprising cultural changes at the VA under her tenure is that “developers don’t mind doing security, it becomes part of just their regular work.” Lee added that part of the reason she joined the agency was to lead this cultural change.
“One of my passions has always been building security in from the start, instead of tacking it on at the end by filling out a bunch of compliance paperwork,” Lee said.
Sherrill said that even though security is now a critical part of VA operations, the agency can’t do the work alone.
“We have to remember partnerships are everything, that none of us can do this in a box, and we cannot do it alone,” Sherrill said. “We have to reach across the entirety of the organization and make sure that we’re partnering with people, and that we’re open to those new ideas and new ways of doing it.”