The Situation Report: VA’s Never-Ending IT Shuffle, and a Bad Start for InfoSec Week

On Tuesday, May 5, 2015, the United States Senate Committee on Veterans' Affairs held hearings on pending nominations of Dr. David J. Shulkin, Nominee to be Under Secretary for Health, U.S. Department of Veterans Affairs, and LaVerne H. Council, Nominee to be Assistant Secretary of Veterans Affairs for Information and Technology, U.S. Department of Veterans Affairs. (VA Photo/Robert Turtil)

On Tuesday, May 5, 2015, the United States Senate Committee on Veterans' Affairs held hearings on pending nominations of Dr. David J. Shulkin, Nominee to be Under Secretary for Health, U.S. Department of Veterans Affairs, and LaVerne H. Council, Nominee to be Assistant Secretary of Veterans Affairs for Information and Technology, U.S. Department of Veterans Affairs. (VA Photo/Robert Turtil)

VA CISO Watch

The Situation Report has learned that Department of Veterans Affairs CIO LaVerne Council has ordered VA CISO Brian Burns to “redirect his exclusive focus on VA’s role in the Interagency Program Office (IPO).”

“To meet our goal, we must have a dedicated, focused leader for interoperability,” Council wrote Wednesday in an email to staff obtained by The Situation Report. The agency certified interoperability with the Defense Department on April 8 in accordance with the requirements spelled out in the 2014 National Defense Authorization Act. “Brian’s prior work in the IPO combined with his extensive experience in clinical and health technology reaffirm that he can provide that focus and help guide our efforts beyond the certification, beyond VistA 4, and provide a framework for Veterans today and in the situation report logofuture.”

Council has also tapped Ron Thompson, the former executive director of IT infrastructure and operations for the Department of Health and Human Services who late last year became Council’s Principal Deputy Assistant Secretary, to serve as interim VA CISO.

“To ensure continuity in our information security program, Ron will serve as the interim Chief Information Security Officer (CISO), giving us the opportunity to renew our search for a permanent, long-term CISO,” Council wrote. “The tenet of fully resourcing our cybersecurity efforts must be consistent–our Office of Information Security must have a singularly focused leader.”

Off to a Bad Start

VA kicked off its 2016 Information Security and Privacy Awareness Week (ISPAW) Speaker Series on Monday, but a stellar event it was not. Multiple human sources debriefed the Situation Report on the event, which took place via online chat and telephone dial-in. The most glaring problem with what seems like an important initiative for an agency that has been constantly dogged by security lapses was the absence of LaVerne Council. Although scheduled to provide the keynote, Council canceled her appearance at the last minute for unknown reasons. Tina Burnette, executive director of the Field Security Service, filled in for Council.

The theme for the week, according to Burnette, is enterprise cyber strategy.

The Situation Report analyzed multiple reports from the call and discovered that only about 100 VA employees joined the session. Only four VA employees were brave enough to ask questions, even though many of the agency’s information security leadership was available to answer questions. One question, however, was particularly instructive: “Where does the process of information security start?” a VA employee asked.

A speaker identified as Randy Ledsome (unconfirmed), VA’s director of Field Security Service, tried to answer the question, but somebody had put their call on hold and the hold music temporarily interrupted the call. Once that was cleared up, Jackson made an attempt at an answer. “I think this gentleman had a very complex question,” Jackson said. “It starts with having a program. One of the things we’ve done for the [Information Security Officers] we’ve put together what we call the ISO Reference Guide, and one of the things we laid out in there was a problematic—a programmatic—approach to dealing with our programs.”

The question-and-answer portion of the call went on for another 30 minutes, ending with a long, awkward interruption by a Spanish speaker who did not have his phone on mute.

Dan Verton
About Dan Verton
MeriTalk Executive Editor Dan Verton is a veteran journalist and winner of the First Place Jesse H. Neal National Business Journalism Award for Best News Reporting -- the highest award in the nation for business/trade journalism. Dan earned a Master's Degree in Journalism and Public Affairs from American University in Washington, D.C., and has spent the last 20 years in the nation's capital reporting on government, enterprise technology, policy and national cybersecurity. He’s also a former intelligence officer in the United States Marine Corps, has authored three books on cybersecurity, and has testified on critical infrastructure protection before both House and Senate committees.
10 Comments
  1. Anonymous | - Reply
    It was Randy Ledsome, not Randy Jackson.
  2. Anonymous | - Reply
    Burns was bounced for his abusive and increasingly bizarre behavior towards his staff who were moving as one group to file a hostile work environment complaint. Under his "leadership" over 100 ATOs have been allowed to lapse with no realistic plan in place to address the problem in the foreseeable future. all this on the verge of the FISMA audit. oops.....
  3. Anonymous | - Reply
    Don't blame Burns for the ATO issue. The ATO is the responsibility of the system owner. If the system owner does not do their job it's their fault.
  4. Anonymous | - Reply
    The SO had them ready and he refused to sign demanding 100% perfection with zero risk acceptance total abdication of his role and jeopardize mission when DoD was cutting its feed off because he was too afraid
  5. Anonymous | - Reply
    If VA ever wants to turn around its security posture it needs a person like Burns who is supported by the top to bring change. Yes Burns does demand perfection and explanation for variance and he may not be the AO VA wants, but he's the AO VA needs and deserves. How many CISOs has VA been through in the past 10 years... clearly the issue is more systemic than just Burns.... Jerry Davis claimed he was forced to sign ATOs "under duress." Lets not kid ourselves, VA is in bad shape and until the organization is willing to embrace a goal of excellence it will never change.
  6. Anonymous | - Reply
    Mr. Burns
  7. Anonymous | - Reply
    Mr. Burns is not a leader. He has no Business being an SES for any Federal Agency let alone VA. He had no ability other than to throw tantrums and sit in his office all day with the door closed. He had very good SMEs reporting to him, but refused to listen to them correctly or seek their advice on their area of expertise. I am sure if you look at his past work history at the other agencies in which he was employed, his record will show the same behaviors. Just a bad person all the way around. The moral in OIS was so low during his short tenure. He has no ability to be introspective. He wasn't moved because he did a good job. I feel bad for the folks that will be working for him now.
  8. Anonymous | - Reply
    Tantrum is the perfect word to describe his "management" style and the previous poster is spot-on that he's got a long history of being run out of several other agencies with a foot up his ass. If Brian Burns is the "answer" it has to be a pretty stupid question...
  9. Anonymous | - Reply
    We must fix this soon
  10. Anonymous | - Reply
    So, any progress that's not fabricated? In the midst of the complete cluster that is another complete overhaul of the system, Laverne sits back and fiddles. The good news is the VA won't have to put up with Laverne much longer, the bad news is IT will suffer more criticism from every non-IT entity as the next CIO does their complete transformation. In this case it'll be a good thing because Laverne has proven how incompetent she is when it comes to organization building. My goodness, the lady can't even direct her staff to run a decent all-hands call. But I'm sure she'll tell somebody that she had a call, so that box was checked. And she can't leave soon enough, this cloud crap she's pushing for her next job is the worst thing any VA CIO has pushed. The next three months can't go by fast enough for the thousands of staff who are victims of her plan to secure a future on the talking circuit. Bye Laverne, we won't miss any part of you. And take your useless staff with you.

Leave a Reply


Archives