Cyber Security Top Priority for VA CIO
Hardly a week goes by without news of another security breach affecting millions of citizens and government agencies. Cyber threats continue to grow more sophisticated, and securing customer and consumer data is a challenge many organizations are grappling with. For Steph Warren, CIO of the Department of Veterans Affairs (VA), safeguarding the data the agency holds on Veterans is an obligation he and the agency’s Office of Information and Technology take seriously.
Warren leads the agency with a strategy focused on five key priorities, the first of which is protecting information. VA uses a “defense-in-depth” approach to protecting Veterans’ data, in which administrative, technical and physical security controls are implemented throughout the agency’s systems to provide protection should one control fail or otherwise become vulnerable to exploitation. To secure the vast information network, Warren oversees a staff of 587 information security professionals. Together, these security professionals safeguard 750,000 connected network devices, monitoring 4.5 million emails and 55,000 new malware variants per day. VA has encrypted 100 percent of the 438,394 desktops and laptops on the VA network, either fixing unencrypted devices or removing them from the network.
VA employs continuous monitoring to protect against threats to VA systems and data. VA is one of the first federal agencies to implement continuous monitoring to assess and address the risk statuses of its devices and systems. This includes Trusted Internet Connection (TIC), which improves the agency’s ability to monitor external connections and identify potentially malicious traffic by reducing and consolidating external connections.
In addition to continuous monitoring tools, Warren believes the human element is also important to network security. In a recent press briefing, he told us he authors a series of emails to all staff aimed at teaching principles of safe web surfing, both at home and at work.
With identity theft becoming an increasing concern in the wake of high-profile security breaches, VA is committed to educating Veterans about online security. The agency has launched a program called “More than a Number” geared towards educating Veterans and their beneficiaries on how to protect themselves from identity theft. In the past, military service members were accustomed to giving out their Social Security number within the military as a personal identifier, and this practice may make Veterans vulnerable to identity theft if they accidentally reveal personal identity information. The More than a Number program includes a web portal and call center with educational tools and resources about identity theft protection. VA also provides all Veterans with free credit monitoring, and encourages them to actively track their credit reports to ensure no breaches have occurred.
Other cyber security initiatives the VA has undertaken include enterprise visibility, which provides a real-time view of all devices connected to its network, increased security for remote users, and web application security. VA works closely with the Office of Inspector General to ensure full compliance with Federal Information Security Management Act (FISMA) requirements, and has established comprehensive plans of action for each FISMA category. The agency has also established a permanent project team to maintain its Continuous Readiness in Information Security Program (CRISP) to reinforce the culture of security among VA employees.
With so much focus on cyber security, one wonders what security issues still keep Warren up at night. During our briefing, Warren answered this question, revealing that his biggest fear is that consumers and Veterans will lose faith in e-commerce amid the frequent reports of data breaches.
“If people stop going to the Internet because they don’t think it’s safe, all the things we’re trying to do to enable delivery of service benefits are going to be impacted. We count on that tool; it is a tremendous saver of resources.” He continued, “If the public loses confidence in whether they can safely do … digital commerce, we’ve got a serious problem because it’s been an engine of innovation and change. We have got to get our arms around it.”