NASA CISO Jerry Davis Moving to the VA
Davis Tapped as Deputy Assistant Secretary for Information Protection
Davis, who will leave NASA at the end of August, said he accepted an offer from Veterans Affairs on Friday. "Being a veteran myself, I have a personal drive to support the VA mission," Davis said in an e-mail message. "Lots of heroes come through VA and I am delighted to be able to work on their behalf."
Veterans Affairs, the federal government's second-largest department after Defense, has been plagued with a series of IT security mishaps, including the exposure of personal information of millions of veterans from a laptop stolen from an employee's home in 2006 and more recent breaches, such as the exposure of the personally identifiable information of nearly 4,000 veterans in Texas earlier this year. "These recent data breaches are proof that the VA still has a long ways to go in ensuring our nation's veterans that their most sensitive information is being safely stored and handled," said Rep. Harry Mitchell, the Arizona Democrat who chairs the House Veterans Affairs Subcommittee on Oversight and Investigation.
And as recently as May, the VA's inspector general and the Government Accountability Office reported that the department has yet to get its act together in complying with federal rules to safeguard IT systems, including the Federal Information Security Management Act. "Seven years after FISMA's enactment, we continue to report significant deficiencies with controls supporting VA's information security program, which could have potentially alarming consequences," Belinda Finn, the VA's assistant IG for audit and evaluations, said in testimony delivered to the subcommittee.
Veterans Affairs also confronts IT security issues most other agencies don't: protecting health records of 8 million veterans receiving medical benefits.
Davis said his new bosses at the VA recognize the need to improve IT security. "The leadership at VA is behind the mission 100 percent and they fully understand the role that IT plays in transforming the VA into an innovative organization," he said. "Information security is one of the top priorities at VA and I believe that I can help VA leap frog to the front of innovation by anticipating next generation security requirements and acquiring the proper solutions."
Davis is perceived as one of the more innovative agency chief information security officers, helping lead NASA toward the continuous monitoring of its IT systems and away from the check-box compliance process most agencies follow to comply with FISMA. In an interview with GovInfoSecurity.com posted in June, Davis addressed the cultural changes NASA and other agencies face in reforming their compliance regimes. "You are definitely talking about a different skill set," he said. "It is more of an operations type activity versus a compliance activity and what we are doing ultimately is we are operationalizing compliance. There is a little bit more of a technical skill set that an organization will need."
In another interview with GovInfoSecurity.com, posted a year ago, Davis characterized his approach to his job: "I like to think of myself as more as a 'yes' guy, rather than a 'no' guy. Chief information security officers are typically known as kind of the 'no' people. I try to run an organization that is parallel with what we are doing in the offices of chief information officers, which is enabling our customer and our client. We try to be a solutions-oriented environment."
Davis now gets the chance to try out his approach to IT security in a much larger organization - the VA employs some 300,000 vs. NASA's 18,000 - and a more IT security-challenged venue.