CISO Lynette Sherrill outlines how the agency is using a zero trust mindset at the heart of the agency’s cybersecurity approach.
Lynette Sherrill, CISO, VA. Graphic: GovCIO Media & Research
In an environment where increased phishing attempts and ransomware threats continue to grow, federal government agencies have taken on new strategies to bolster their cyber posture. For the Department of Veterans Affairs, this is taking shape in its “Zero Trust First” strategy — a plan that outlines a robust framework that puts identity management, automation and continuous improvements at the forefront.
Heading this effort is VA CISO Lynette Sherrill, who took on the role in a permanent capacity in September. She discussed more behind the strategy, what that means for veterans, agency partners and the cybersecurity community overall.
How is VA using federal cybersecurity requirements and legislation to inform its cyber strategy?
Sherrill: For VA, we have been using the recent legislation to strengthen our cybersecurity all throughout fiscal year 2022. We made some significant advancements with deployment of endpoint detection and response capabilities.
We also implemented and improved our security vulnerability management program. We have more than 93% of our vulnerabilities managed on our network, well above the industry standard of about 70%. We’ve enforced multi-factor authentication with 96% of our end user community.
The National Defense Authorization Act banned certain devices on federal networks. We’ve been able to accomplish removing 80% of those devices, and the ones that are still left on our networks are completely isolated, so they have they can have no impact on our network. Then we’ve also continued to modernize and improve our cybersecurity strategy all throughout fiscal 2022.
As the threat landscape continues to change and expand, how is VA taking an agile approach to ensure the protection of VA and veteran information?
Sherrill: Zero trust is really at the heart of our cybersecurity strategy. What that means is we enforce strong identity verification. For every end user on our network, we know who they are and where they’re authorized to go. We also ensure that the devices that are connecting to our network are healthy, meaning they haven’t been compromised, they have all the latest patches and security configurations.
We’re currently deploying telemetry and advanced algorithms to be able to detect attacks faster and isolate them in a more automated way. We’re also enforcing least privilege access. With the size and scope of VA, it’s difficult, but we work to ensure all 580,000 people that have accounts on our network only have the level of privileges necessary to do the job they need to do.
Assuring the health of our IT supply chain is also a top priority. Legislation, as well as advancements in supply chain risk management, have become one of the new cyber venues, if you will, that we all must pay attention to. For us, we’re really planning for and preparing for a breach or an incident and making sure our teams know how to respond.
Those are just the core tenets. My mantra with the team lately has been, “If we have an event, or even if we hear of an event that’s happening in industry, we take that, we bring it into our environment, we try to learn from it so that we are more secure on the on the other side.” Let’s constantly be learning and improving everything that we do today, so we’re more secure than we were.
How is VA enhancing cybersecurity through partnerships and information sharing?
Sherrill: It’s a team sport. Clearly, we have to always be latched in with our business partners because we certainly don’t want to ever deploy cybersecurity that impacts the ability to deliver care to veterans.
That can easily happen. Because with cybersecurity tools, we have the ability to shut systems down and prevent network access. We don’t want to do that. We have to take a risk-based approach. We have to understand the level of risk and how to mitigate that risk to an acceptable level to allow operations to continue.
Everything brings risks. We all make risk-based decisions as we go throughout our day, and it’s really just partnering with those business partners to have those conversations. Also, we’re partnering across federal government to understand the current threat landscape, so that we’re all stronger together.
Moving forward, what do you see as VA’s top cyber threats, and what will you do to proactively combat them?
Sherrill: I don’t think that VA cybersecurity threats are different than anyone else’s. We’re taking an industry standard approach to them. The top cyber threats in health care, finance and even the federal government are phishing, web-based attacks to deliver malicious code, and we continue to see ransomware attacks all around the health care industry.
We’re challenging our teams to find out what the indicators of compromise are, find out how that happened, and figure out how we make sure they won’t happen again, and that we are as secure as we possibly can be against that.
As we see those cyber threats, we’re really trying to take on the stance of “let’s double check everything again, let’s go through and do an audit and recheck those elevated privileges, recheck all those workstations and make sure that we’re as secure as we think we are.”
Then to combat it, it’s thinking about what can we do, what can we do more? Then, just ever-evolving our security detection and response capabilities to continuously improve and challenge ourselves to protect ourselves better. How do we automate that? Those are some of the ways that we’re trying to combat our top cyber threats at this point.