The Situation Report: VA’s Never-Ending IT Shuffle, and a Bad Start for InfoSec Week

On Tuesday, May 5, 2015, the United States Senate Committee on Veterans' Affairs held hearings on pending nominations of Dr. David J. Shulkin, Nominee to be Under Secretary for Health, U.S. Department of Veterans Affairs, and LaVerne H. Council, Nominee to be Assistant Secretary of Veterans Affairs for Information and Technology, U.S. Department of Veterans Affairs. (VA Photo/Robert Turtil)

VA CISO Watch

The Situation Report has learned that Department of Veterans Affairs CIO LaVerne Council has ordered VA CISO Brian Burns to “redirect his exclusive focus on VA’s role in the Interagency Program Office (IPO).”

“To meet our goal, we must have a dedicated, focused leader for interoperability,” Council wrote Wednesday in an email to staff obtained by The Situation Report. The agency certified interoperability with the Defense Department on April 8 in accordance with the requirements spelled out in the 2014 National Defense Authorization Act. “Brian’s prior work in the IPO combined with his extensive experience in clinical and health technology reaffirm that he can provide that focus and help guide our efforts beyond the certification, beyond VistA 4, and provide a framework for Veterans today and in the situation report logofuture.”

Council has also tapped Ron Thompson, the former executive director of IT infrastructure and operations for the Department of Health and Human Services who late last year became Council’s Principal Deputy Assistant Secretary, to serve as interim VA CISO.

“To ensure continuity in our information security program, Ron will serve as the interim Chief Information Security Officer (CISO), giving us the opportunity to renew our search for a permanent, long-term CISO,” Council wrote. “The tenet of fully resourcing our cybersecurity efforts must be consistent–our Office of Information Security must have a singularly focused leader.”

Off to a Bad Start

VA kicked off its 2016 Information Security and Privacy Awareness Week (ISPAW) Speaker Series on Monday, but a stellar event it was not. Multiple human sources debriefed the Situation Report on the event, which took place via online chat and telephone dial-in. The most glaring problem with what seems like an important initiative for an agency that has been constantly dogged by security lapses was the absence of LaVerne Council. Although scheduled to provide the keynote, Council canceled her appearance at the last minute for unknown reasons. Tina Burnette, executive director of the Field Security Service, filled in for Council.

The theme for the week, according to Burnette, is enterprise cyber strategy.

The Situation Report analyzed multiple reports from the call and discovered that only about 100 VA employees joined the session. Only four VA employees were brave enough to ask questions, even though many of the agency’s information security leadership was available to answer questions. One question, however, was particularly instructive: “Where does the process of information security start?” a VA employee asked.

A speaker identified as Randy Ledsome (unconfirmed), VA’s director of Field Security Service, tried to answer the question, but somebody had put their call on hold and the hold music temporarily interrupted the call. Once that was cleared up, Jackson made an attempt at an answer. “I think this gentleman had a very complex question,” Jackson said. “It starts with having a program. One of the things we’ve done for the [Information Security Officers] we’ve put together what we call the ISO Reference Guide, and one of the things we laid out in there was a problematic—a programmatic—approach to dealing with our programs.”

The question-and-answer portion of the call went on for another 30 minutes, ending with a long, awkward interruption by a Spanish speaker who did not have his phone on mute.