EMERGING CYBERSECURITY
     EXECUTIVE VIEWPOINT
A Conversation with
DOMINIC CUSSATT
  DOMINIC CUSSATT
CISO, Department of Veterans Affairs
The chief information security officer at the Department of Veterans Affairs talks about how VA is creating a resilient cybersecurity ecosystem
How do you prioritize where to focus VA’s cybersecurity resources?
In alignment with Executive Order 13800, VA established the Enterprise Cybersecurity Strategy Program (ECSP), which uses an enterprise-level approach to determine
risk and prioritize programs and resources. The ECSP creates a proactive approach
to manage cyber risk at VA and institute
a transparent program that spans from government statutory requirements to the information system level.
By leveraging federal best practices such as the Risk Management Framework (RMF) and Cybersecurity Framework (CSF), VA can assess risk and make informed decisions regarding systems and resources.
The ECSP is a holistic program that enables VA to identify risks at the earliest point possible and make prioritized, defensible decisions related to cybersecurity activities, providing the department with the means to create a resilient cybersecurity ecosystem.
VA’s cybersecurity successes include blocking 1.5 billion malware attempts from 2015 to 2017, achieving 100 percent enforcement of two-factor authentication for privileged users and blocking 75 billion malware attempts on VA systems in 2017. How have you achieved those successes?
Protecting veteran data is one of the top priorities at VA. As the largest integrated health care system in the United States, VA has the challenge of enforcing security standards in clinical settings as well as in traditional office environments.
While two-factor authentication is an important security policy, VA recognizes that educating individual users is equally
important. Creating a culture of security and personal responsibility has resulted in heightened awareness at all levels.
How do you avoid complacency and stay ahead of threats in today’s ever-changing cyber landscape?
VA knows that our security technology is only as good as the people who run it. At the enterprise level, VA continuously monitors the threat landscape and then infuses the latest and greatest technologies into our environment to mitigate threats and stay one step ahead of the adversary. We focus on being proactive, not reactive.
We also stay ahead of threats by sharing information and lessons learned with other agencies. From this perspective, VA is persistent in its approach to pursue state- of-the-art technologies — such as advanced behavioral analytics, endpoint detection, and security information and event management
— to provide pervasive and ubiquitous awareness of our posture in real time.
Realizing that the operational capabilities need to be aligned with knowledgeable
staff, we recently created the Office of Cybersecurity Workforce Management
to address the critical need of acquiring, developing and retaining the skills of our cybersecurity workforce. Advances in technology may lead to more automation
of routine system monitoring, but VA will always need talented cybersecurity personnel to perform high-level threat analysis and keep our systems safe.
Can you describe a particularly diffi- cult cybersecurity challenge and how you overcame it?
VA has struggled in the past to centralize security practices and enforce standards
 S-52 | SPONSORED CONTENT