Page 17 - CARAHSOFT_August/September
P. 17

There is no silver bullet, and tools that
do not communicate or integrate easily can add complexity and slow incident response.
at its many office and medical locations throughout the United States. The establishment of the ECSP represents VA’s shift from a reactive, task-oriented model to a proactive model.
The ECSP allows VA to identify and prioritize risks at the enterprise level rather than simply responding to single events. The new, proactive model also utilizes federal best practices such as the RMF and CSF, which ensures that guidance is authoritative and easy to understand and aligned with the common rubric utilized by the rest of the federal government.
What’s on your wish list in terms of emerging technologies, and what pos- itive and negative effects could they have on VA’s security posture?
VA will always have to weigh the benefits of new technology against potential
risks, as well as any impact that emerging technologies may have on patient care. These capabilities span the spectrum of process, people and technology, and ensure VA is constantly on a path to improve our cyber capabilities.
For several years, VA has been participating in the Department of Homeland Security’s Continuous Diagnostics and Mitigation program. This program is an integral part of VA’s ECSP and provides ongoing awareness of VA’s information security posture, vulnerabilities
and threats to support organizational risk management.
Further, we are exploring the positive benefits artificial intelligence can bring to strengthen our cybersecurity posture. We are also looking to understand the implications of quantum computing, cybersecurity automation and data loss prevention.
What role do employee policies and cyber hygiene play?
Cybersecurity has become part of the daily ritual for VA personnel. It only takes a single point of entry for a hacker to gain access
to VA devices and systems. Something
that seems small and innocent could potentially lead to devastating effects on our government’s cyber infrastructure and, more specifically, our nation’s veterans and their families.
Our personal identity verification technical enforcement provides encrypted identity verification of everyone on the
VA network, enhanced with two-factor authentication for every user. VA provides cybersecurity training for all employees and promotes federal events, such as National Cybersecurity Awareness Month, to reinforce our shared responsibility to keep veteran data safe.
VA has over 300,000 employees, and cybersecurity is everyone’s responsibility in today’s environment.
If you were to write a guidebook for other agencies, what lessons would you include?
When VA began its modernization, we struggled to bring the right people together to address cybersecurity needs.
We have learned how to correctly identify and engage the right stakeholders as we modernize our cyber capabilities and will use the team we now have in place to shape our policy and strategy moving forward.
One lesson learned is our employees can be a weak link when they unknowingly click on malicious links or browse malicious websites and consequently download malware.
In a guidebook for other agencies, it
is important to convey that traditional manual approaches to cyber defense are no longer sufficient, so automation is critical in incident response.
There are myriad tools from different vendors that can be deployed, but there
is no silver bullet, and tools that do not communicate or integrate easily can add complexity and slow incident response. We should strive for predictive networks that can automatically detect and isolate new attacks, then self-heal to prevent similar future attacks.
Finally, agencies need to work together and combine our strengths to defeat adversaries.

   13   14   15   16   17