Page 26 - FCW, May 15, 2016

Veterans Affairs
I would say...that I’m probably a little...I don’t want to say unaffected by it, but I’m not hair-on-fire about it. They have constituents that we touch. My objective is to make sure they have the most accurate information probable and possible.
I would tell any other private person to realize this is just keeping another constituent up-to-date as to what you’re doing and being open about it.
The political aspect is different, though.
It’s funny. I can clearly say that, when I put the staffers and everyone in the same room, I can’t tell what political party they’re associated with. I really can’t. Maybe I don’t want to [laughs], or maybe it’s not as important to me as sharing the information. That’s probably it. I really try to make sure they understand what our strategy is.
I really want them to understand what it means to the people, to the process, to what kind of technology we’re using. I want them to understand how we’re leveraging the resources that they’ve been willing to advocate on our behalf for. They generally want to know what they can do to help.
Do you think you are getting what you need from Congress?
At this point, yes. When they ask, I do tell them what I think. I think there needs to be some different flexibility and some different ways to hire, to engage and to compensate for some of the skills that we’re asking for. The competitive landscape in IT is aggressive, and we need to be able to compete on some levels. It’s hard — harder than it should be. They understand that.
Does working with lawmakers and staffers who are not necessarily tech-savvy make your job harder?
The majority of the time, because I consider myself a business leader who represents technology, I talk about technology in a business way. That way I can communicate with you. If I start talking bits and bytes, what’s the point? That’s not really what they’re interested in. What they’re interested in is the outcome.
If I’m talking technology to you, I’m not doing my job. This is really a business process just like every other business process that happens to leverage technology.
Cybersecurity
The first Federal Information Security Management Act report of your tenure came out recently. The headline is, “Material Weaknesses Remain”. What are your next steps?
The FISMA report wrapped in May, about two months before I was confirmed. But the big thing that I always look for in any kind of audit like that is repeat issues. The conversation I’m having with the team and the leadership as we go through this next cycle of audit is, “Guys, come on. We can’t have repeat issues. Why are these repeat issues? Why aren’t we addressing [them]? What’s going on? Is it funds? Is it scale? What is the issue?”
We’re really going head-on at it. I think with the five new leaders who have been added, they’re putting fresh eyes on it. They have expectations that are the same if not more [focused] than mine, and I think we’re going to see some differences this year. We have to. This is a serious matter, and we take it that way. I wish there were some surprises that were positive, but everything that was [listed among the security weaknesses] we had in our cyber strategy and more so.
Thirty percent of our material weaknesses will be closed this year, 2016 [and] the rest by the end of 2017. We’re going to stay focused. The entire team has this as a core goal. Every single leader has this as a core goal. We’re going to do what we have to do to change it. It’s not just changing it for the report’s sake. It’s changing it for security’s sake. We’ve got to do it.
On the funding front, are you getting what you need?
The thing that I know having done cybersecurity now for almost 20 years is that you can’t always be sure you’ve got it exactly right until you go through an execution cycle. What I mean by that is upgrading the things you really need to upgrade, figuring out what is causing some pain that has sometimes nothing to do with security but could be an input or could be something you want someone to have.
In our case, [consider] two-factor authentication and really driving the use of the [personal identity verification] card. To use the PIV card, you’ve got to have good processes. You’ve got to have good application software to do that. You’ve got to have good background technology to do that.
We look at these dollars as ways to help to make sure that all those things are happening, not just what you would call normal cyber, but all the things that give you good health, what I call good housekeeping as it relates to security.
As it stands right now, I figure the cost of this is enough, but if it’s not, we will adjust when we get our second bite on the fiscal 2018 budget. But I see this investment as something where you go up and sort of level out. [The current requested increase] is our going up to level out. If we have to continue year over year over year to ask for the same amount, you’ve got to ask a tough question: What’s happening outside of us, or what aren’t we doing?