Kurt DelBene, chief information officer (CIO) at the Department of Veterans Affairs (VA), said today that his agency is not spending enough on cybersecurity, and would benefit from being able to pay higher salaries in order to recruit and retain cyber experts.
At the 930gov conference and tradeshow hosted by the Digital Government Institute, DelBene explained that when it comes to the VA’s budget, “cyber is an important responsibility” that could benefit from more funding.
“We’re not spending enough,” DelBene said. “These folks that are experts… are very expensive. And the salaries we have in the Federal government make it very challenging to bring these people on full-time. We would love to do that.”
“We’re pushing hard on getting those salaries up to be at the right place,” he continued. “But it also means we’re going to have to use contractors and that just means we’re going to have to spend more money on cyber.”
DelBene said that oftentimes, people believe that because they have cybersecurity procedures in place, their systems are secure. However, he warned that organizations must remain agile and hire quality cybersecurity engineers, as “adversaries are getting much better.”
“The processes in the VA are incredibly complicated and complete in terms of quote-unquote, ‘assessing our cyber readiness.’ That’s a good thing. We also have defense in depth from multiple dimensions, which is a good thing as well,” he said. “It can’t take the place of having great cyber engineers looking at a particular system – for instance, at an ATO – and saying, ‘do I believe this is a secure system?’”
One of the transformations DelBene is trying to drive at VA is to ensure there is a security checkpoint. While cyber procedures and tools are great, DelBene said there has to be some sort of checkpoint, “whether it’s FITARA or the ATO process,” before putting systems on the network.
“There’s nothing more important than cybersecurity. And it sounds like a platitude, it’s not,” he said. “And so just getting people to understand that even before that next feature, being secure is what’s more important… and that is a transformation.”
DelBene also said that he is “a firm believer in zero trust,” and is currently focused “a great deal” on the VA’s zero trust roadmap in order to think holistically about his agency’s cyber posture.