Transforming Compliance Bureaucracy into Continuous Risk Management
Summary:
Join us for an enlightening Fireside Chat with Lynette Sherrill and Carrie Lee as they dive deep into the transformative journey of the Department of Veterans Affairs. Discover how they redefined compliance bureaucracy into a model of continuous risk management, marking a significant leap in federal government operations. This video is a must-watch for anyone interested in DevOps, GovTech, digital transformation, and the impactful role of leadership in navigating the challenges of continuous Authority to Operate (cATO) within the federal sector.
Transcript:
Rob Monroe (0:16)
For those of you who didn't meet me yesterday, my name is Rob Monroe. I'm a Senior Product Manager for Rise8. For the last almost two years, I've been partnering with the Department of Veterans Affairs where we've established the first ongoing authorization in cATO and federal government history. Thank you, thank you. I want to start off with just a quick intro for myself and like about the topic, and why I'm personally passionate about the VA, and then we'll do some intros for our guests, and we'll get rolling. So I want us to remember a time when John F. Kennedy once praised our Veterans for their bravery and selflessness by saying, "As we express our gratitude, we must never forget that the highest appreciation we can give is not to utter words, but actually to live by them." On any given day, the VA aspires to live by these words in every in-person and digital experience or interaction, with over 9 million veterans, families, caregivers, and survivors, by meeting their needs for healthcare, disability compensation, education, housing assistance, and service record maintenance - all around the world. If that doesn't speak scale and value and meaning, I don't know what else does. Before we get started, I'm curious if we have any Veterans here in our audience today? If you don't mind raising your hand? Excellent. If you don't mind standing, I would actually like for us to all have this opportunity to thank you for your selflessness and service to everyone here in the U.S. Perfect, thank you. Thank you. I'm very excited about this Fireside Chat on how transforming compliance bureaucracy into continuous risk management is going to be a game-changer for the federal government. As I mentioned yesterday, it takes strong and courageous leadership to succeed in succeeding with cATO. The two leaders I'm about to introduce to you have been critical to the success of our VA Lighthouse Program achieving ongoing authorization.
Without their bravery and commitments to take actions by supporting our team's desire to experiment and push the boundaries in how we manage security and privacy, I don't believe that we would've succeeded. So for that, we thank you. Our first guest is the Deputy Assistant Secretary for Information Security and Chief Information Security Officer. She has over 18 years of IT and security management experience, working for both the Federal and Municipal governments to operate and defend vital networks and information. She also served the VA as Deputy Director for Field Secretary Service Health Information Security Division. It's a mouthful. She was responsible for establishing, maintaining, and providing oversight for the VA's Medical Device Protection Program. It's a comprehensive security program that encompasses pre-procurement assessments, medical device isolation/architecture, communication training, and security validation. She was recognized as an industry leader in 2015 when she was awarded the NextGov Bold Award in government innovations. This leader has held network security management, information and technology management, as well as security specialist positions throughout her time at the VA. Please give a warm welcome to Ms. Lynette Sherrill.
Lynette Sherrill (3:51)
Good to see you.
Rob Monroe (3:51)
Good to see you. Our next guest is the Deputy Chief Information Officer for VA's Product Engineering Service organization with the Office of Information and Technology. With a focus on building products and delivering unparalleled value to Veterans and those who care for them by leveraging emerging technologies, methodologies, and trends in industry to deliver and enable Veteran-facing digital experiences, this leader encourages the adoption of modern practices that help foster innovative development organizations to deliver products with a clear value proposition and the ability to meet customer needs, do it reliably, and in less time than any other organization. After joining the VA in January of 2019 as part of the Office of Information Security, she also established the VA's first cloud security and FedRAMP authorization program. Her team developed cloud security authorization policies, procedures, and guidelines in alignment with FedRAMP requirements. In addition, she also led the expansion of the VA Health Connect Program, VA's first nationwide clinical contact center that serves over 9 million Veterans and over 30,000 clinical cases a month. Please also give a warm welcome to our Authorizing Official for VA Lighthouse Program, Ms. Carrie Lee.
Rob Monroe (5:18)
I know both of you are extremely busy, so thank you so much for giving us some of your time today and coming to speak with this audience. I really appreciate that. I'm going to start with your toughest questions of the day, icebreakers. Given that the holidays are quickly approaching, if I were to invite you and your family to our family's Thanksgiving Day dinner, what would you bring?
Lynette Sherrill (5:43)
Do you want to go first?
Carrie Lee (5:44)
Okay, so I would bring my sweet potatoes. They are mashed sweet potatoes with lots of brown sugar, butter, and brown marshmallows on top. Every year at Thanksgiving I have to make multiple dishes of them because everyone wants to eat them for days. My mother-in-law will eat an entire pie pan of it.
Rob Monroe (6:08)
Oh my gosh, my mouth is watering. I'm definitely going to have to ask for you to air-mail me some of that. And, Lynette, how about you?
Lynette Sherrill (6:15)
I make homemade cranberry sauce.
[Rob] Ooh.
Because I never would eat cranberry sauce from a can. It seems very bizarre, right? It has lines on it, it doesn't look real. So I made it my mission to decide how to make cranberry sauce that didn't look like the can. So I make homemade cranberry sauce, and then we eat it on everything for the next like two or three months.
[Rob] Excellent.
Yeah, it's very good on everything, by the way.
Rob Monroe
It's interesting. I have friends who are from overseas that talk about how much sugar we have here in America in our food, and I always joke with them, "Yes, but you've never seen anything like cranberry jam smashed into a can before." "Buckle up."
Rob Monroe (7:00)
You know, I was looking over both of you all's career in the easiest place known to man called LinkedIn, and I think that the journey for both of you has been incredible, and I think that we should be continuing to empower women in tech. And I think about you both whenever I make that statement. Lynette, what would you say was your defining moment to pursue the responsibilities of becoming the CISO for the VA?
Lynette Sherrill (7:27)
That's easy. I was voluntold that I would take on this role. No, seriously. But my defining moment in my career is a little bit of a funnier story. I was working for the Department of the Army and I deleted an entire battalion's email server accidentally. And so that's a thing 'cause I was pretty sure with my logic that if a backup system couldn't back up across the network, there was no way it could restore across the network. And I was wrong. It actually could restore across the network, it just couldn't back up across the network. So that caused me a little bit of a problem. So that was when I knew I probably should stay in IT for the rest of my life to fix that problem. So anyway, but for the CISO, it's been an interesting career 'cause I was in operations security, and then back in operations, and I've always been super passionate about operationalizing security. I've never thought that the NIST documents were intended to be put on a shelf and only looked at every three years. I've always seen the intersect of security and operations. So really when Carrie came to me and wanted to do continuous authorization, it really fell right within my passion of operationalizing security on behalf of the VA. So when they asked me to be the CISO, I said, "I don't want to be a policy organization." That's not what I considered to be fun, right? I wanted to make sure that we were going to be able to make a difference, and we were going to be able to really operationalize the super important cybersecurity requirements that we need to be responsible across the continuum of IT, not just in the security office. So when I got the commitment from leadership that they were on board with that, we started the culture change. And this project really was honestly the first project that came to me where I was like, "Yes, absolutely." I think when you guys presented it to me, I was like, "Absolutely, this is the direction we need to go." So that's kind of been that journey.
Rob Monroe (9:38)
That's really cool. I think it's a default of ours to always talk about our successes, but we learn most from our failures. And it's really cool that you can define a moment like this to carry yourself with that passion based upon that rather than letting it like be a defeating moment instead. So I think that's really great. Thank you, Lynette. Carrie, I also have taken a look at your LinkedIn profile and I've noticed, I think, a very specific trend and why it now dawned on me how you became the perfect AO for this situation. Yesterday we had a talk, actually another Fireside Chat. There was a segment that focused on rotations through departments and different roles, and focusing a new mentality around leaving things better than you found it. I was just wondering if you could share with others, who are aspiring to be just as successful as a leader as you are, kind of what your journey has been like and why that was so impactful for you?
Carrie Lee (10:45)
Sure, sure. I think one of the most important things I've done throughout my career is always do something I love. And I just want to talk about Veterans and how grateful I am and honored I feel to be able to serve Veterans in the career I have right now. It's part of what brought me to VA and has really influenced my career choices. So I spent the majority of my career doing cybersecurity, back even from the '90s before cybersecurity was a term. And throughout my career, I've worked in startups, large companies, defense contractors. And then I took some time off to be with my kids, and when I came back I went right back to security, ended up doing cloud security because I was like, "Well, security is security, but technology has changed. So I'll start with cloud." Because at the time cloud security was a new field, so I felt like it was a level playing field. And when I came to VA we didn't have a cloud security program, so I established that. I made relationships across all of VA. Actually I met Lynette and I was like, "What's it like to be an executive at VA?" And now here I am. And actually it was when I met Lynette, it was at an offsite for the Electronic Health Record Modernization program that we're working on, and I got exposure to the product side of things and all the great things we're doing to support Veterans, and being able to see how the software that's released directly impacts the Veterans experience. And I was like, "Oh, you know, on the security side there's a lot of compliance, you know, technical security work, but over here in this product space you can really see how what you do affects the Veteran." And so I went over there on detail as their Director of Security. And my boss at the time, who's now the Deputy Federal CIO, said, "Hey, we're building this environment, and the outcome I want is for software developed in here to come out with an ATO. Fix that for me."
And one of my passions had always been building security in from the start, instead of tacking it on at the end by filling out a bunch of compliance paperwork. So I was like, "Okay, you know, I've seen DOD has done Kessel Run and their software factory effort, you know? Let me go see what they've done over there." We brought some of the expertise in house, and then I partnered with Lynette and her team and we're like, "Okay, let's do this. We're going to make, you know, security a part of our CI/CD pipeline, and our products are going to come out with an ATO." And I got so into the product space and the customer experience space that now I'm actually leading the organization, and the AO over our Lighthouse delivery infrastructure.
Rob Monroe (14:05)
That's awesome, yeah. No, we can't thank you enough for your passion and your previous experiences. 'Cause I, again, I really do think that you were the perfect AO for our initiative. And other AOs should really aspire to live up to your bar, I'm just going to say. I'm going to move us to start on the strategic level of this topic. And, Lynette, I was wondering if you could help me with this one. How would you describe the history of achieving and maintaining an authority to operate for digital products at the VA? From where we've been to where we are now?
Lynette Sherrill (14:39)
So I think everyone in this room probably knows this, right? The FISMA ATO process is very much a compliance-driven process. And we've talked in IT security, especially in the federal space, for years about how do we make it not compliance-based, right? How do we get to, some people say real security, some people say get away from the largest paperwork drill in Federal Government history? I mean, everyone in this room probably has heard the different adverbs and adjectives used to describe the paperwork drill that became the ATO process. But at the same time, I believe that the core of IT security, across the federal space for sure, was always looking for how do we really move away from that? We've got to get to where this isn't compliance, this isn't a checklist exercise. Because we all knew instinctively that the checklist wasn't getting us better security, right? And so we broke organizations up into, "Oh, we'll make technical security people and we'll make administrative security people, and we'll have some people do the paperwork and we'll separate the paperwork people from the technical people, and that'll make it all work." And we've kind of gone through over these years of these different iterations of how this works. And even in industry today, when you talk to people, it's still a little bit of a mystery. But I feel like with technology and the innovation and the thinking that people have done on this for years, we're kind of at that point where we have that opportunity to make that jump that all of us have really been looking for, into operationalizing that security space. And from a very technical and real way in automating our security controls, and feeding them into our GRC tools, so we don't have manual checks, right? And I know I just jumped like 65 questions down the list and ran right into this, but there's just a space here that we have an opportunity to really grab a hold of and start to operationalize this, but it does take some effort.
But I just feel like we're at this point where technology and the want and the need for this all is coming together at the same time because we're always going to be in a constrained resource environment. No one's ever going to have enough IT security people. You're just not. You're never going to have enough technology, you're never going to have enough - enough of all the things we need in cyber. But if we really start to be smart about this, and start to really automate, and start feeding those GRC tools and those security checks directly into that risk profile that we all really need to see, I think we'd get there. And so the journey, again, from paperwork drill, I think we're really on the cusp of making that turn.
Rob Monroe (17:30)
Yeah, that's interesting, Lynette. Before we got on stage we had a conversation about something that I forgot to mention during my talk yesterday, which was, you know, I'm new to Federal Government and this has been a huge learning curve for myself, and I can't imagine what it's like for the rest of us. One thing I've learned or observed at my time at the VA was just how many systems an AO is responsible for.
[Carrie] Yeah.
It blew my mind. So I thought, you know, Carrie, could you maybe describe to us what it's like to be an AO these days, and what's really the driving force behind why we need to do something about this now?
Carrie Lee (18:09)
Okay, so VA is an extremely complex organization, and we are probably the largest IT infrastructure of any civilian Federal agency. We've got like over a thousand ATO systems. As an authorizing official, I think I've got about 400 under me.
[Rob] I'm sorry, 400?
Yeah, so there are a lot, and so it's really hard to keep track of them all - know every, you know, at a single point in time how each system is doing, especially considering all my demands on my time, it's maybe an hour a week I spend, you know, authorizing. And so I really need to understand the security of the system I'm looking at at the time I look at it. So the assurance of having those automated controls in place, and understanding that technical risk posture, instead of just the compliance, is very important to me from an authorizing official perspective.
Rob Monroe (19:27)
It was Prodacity last year where I first met both of you, and I think we hopped into a conference room and said, "You know, Lynette, we're going to do this cATO thing. Are you ready?" Just like that, right? We put it on the table, slide the paper over, here's what we're going to do. You know, now it's been a year, we've had some really great initial success. What would you say to other leaders who are about to take this journey, or wanting to take the plunge? What are some of the biggest challenges that you think these leaders will face and they need to be ready for?
Carrie Lee (20:03)
I think there's a whole education piece around it that if you are not aware, it needs to happen. I think we've had a lot of people who are used to ATOs being that checklist and, you know, you manually enter things into this specific tool and this is the only way to do it. And so really, you know, providing education on technical risk versus compliance risk and also, you know, showing that you are meeting those compliance requirements. Even though it's done in a different way, that education piece was critical to being successful in this effort. Also partnering with your security organization and making them part of developing the process is also a critical point to being successful.
[Rob] What's your take Lynette?
Lynette Sherrill (21:08)
So I think everything Carrie said, and one of the things that I'll jump to is, when they brought the idea to me, obviously it was right in my wheelhouse of, "Yes, absolutely, we got to get there." But at the same time, there's been a lot of surprises along the way. One is, who would've thought as a cybersecurity person, that developers would be coming to me and saying, "Hey, we want to do things more securely." Like, when has that ever happened? They're always usually trying to rewrite the DLL on a local workstation so that McAfee doesn't actually catch them like doing something, right? Or they're always sidestepping security. So when they came to me, I was like, "Well this is interesting." But what it grew is a culture within the development community in VA that they continue to bring me more security ideas. More recently when the team came to me, they said, "Hey, one of the things we're going to give you is we're not going to publish any critical or high vulnerabilities in code ever again from this pipeline." And I was like, "Oh, that's super interesting to me. And how do we do that?" And so we went through that, and now we have that - that best practice is now policy in VA. And it is something that no dev team is allowed to publish any critical or high vulnerabilities in code. So that is the innovation that you get when you go through the education and you spend the time really working this, is the team continues to bring me those ideas, right? Like, "Hey, here's a place, another place that we can strengthen it." And probably if you'd have come to me six years ago even and said, "Hey, the development teams are going to be feeding you great ideas about security." I would've said, "Yeah, no. That's not ever going to happen." I'm constantly having to cut them off because they're always working around security. But again, I think that that's where we've all grown into. 
We understand very uniformly that you can no longer produce a quality system if it's not secure, right? And that's our mantra in VA now, if it is not secured, it's not quality code, it's not a quality product. So you've got to go back to the drawing board. And so I think that's where everything's kind of starting to come together, and it's really set up for THIS time.
Rob Monroe (23:28)
Yeah, so I think what we've tried to do, it sounds like with a behavioral change, right, is we're trying to stop thinking about security as if it's a bolt-on. Or it's like a feature that I can make this trade-off decision for. It actually means that like, no, a quality product and a great experience needs to be secured because what we're doing with the data, or what we are doing potentially could harm, you know, our own people, our users, the organization is just as important. So I can definitely understand that that's a huge challenge we have to take or tackle. I think that, from my perspective too, I think there's also something that I didn't necessarily hear, and I'll tack on, is the balancing of risk versus reward with these decisions that you'll have as a leader. If we're going to be told, "Hey, here's all your decision authority to do something different, but you have to fit in this box that you've been living in the entire time. Good luck." You have to give us wiggle room to try something that feels a little different. I know you mentioned that, Carrie, and I think even on this security level of conversation that even means we're talking about trying to give engineers the decision themselves if I should go or not, right? Or should I suppress something because I can tackle this later because it is a lower enough risk for us to actually worry about later, and having that conversation with somebody as a third-party in the mix, like an assessor, like the way that we've done that, has been really beneficial to making sure we have that even-keeled conversation.
Carrie Lee (24:59)
And I think on the product development side with our developers, it actually educates them more on how to do things securely. So security becomes part of their mindset. It's not just like the user experience and, you know, developing quality code, but it's developing secure code at the same time. And within this environment where we do have the continuous ATO, the feedback we get from developers is, "This is an awesome place to release code." So not only does it, you know, are we producing quality, secure products quickly where we're delivering all the time, the developers are like, "This is an awesome experience." "This is the best environment we've worked in at VA." So it's meeting the needs in multiple ways.
Rob Monroe (25:53)
Yeah, I love that. I think advocacy for change is hard to get to, but when you do, you really want to - like Bryon talked about this with his platform talk the other day - you really want to market that and make sure that it's getting out to the masses, and saturate your organization so that you can, you know, have better adoption faster. So I think that's awesome. Carrie, speaking of users and feedback and experiences, through your involvement in our cATO experiments yourself, what changes have been most beneficial to your decision-making granting our applications in ATO?
Carrie Lee (26:28)
So one of the best things about it is, there is a security assessor associated with that CI/CD pipeline that, like Lynette said, is preventing any critical or high vulnerabilities from going out to production. And just having that and knowing that someone's there watching and making sure that everything that's deployed is secure has been a game-changer for me. We have quarterly reviews that review like the security posture of every application within that continuous ATO where I can click down and see like how many risks were mitigated, how many vulnerabilities did we keep from being released into production? And see that risk posture. Actually I can, not just during our quarterly reviews, but I can go in at any point and understand what's happening in that environment, for multiple applications, in these great dashboards to be able to see what's going on. And that's been a game-changer 'cause, you know, since they were developed for this process they've actually done user research with me, you know, doing MVPs and being able to iterate based on my feedback so that I can help drive what I'm actually seeing.
Rob Monroe (28:01)
To paint a picture for those of us who are not involved in doing these activities or those responsibilities, can you paint a picture for how different your experiences are today versus what you would be doing prior to making these changes?
Carrie Lee (28:17)
Yeah, so traditional ATOs are generally a point in time that we have a GRC product and a risk reviewer who writes me a low summary of the risk associated with a system, and then we've developed these ATO scorecards. But I definitely have to ask a lot of questions and spend a lot of time going through the materials in order to understand the true risk of a system. It's not something like at a glance I can see. And another piece is continuous monitoring. I think there's like monthly continuous monitoring for traditional ATO systems, but that's still a point in time when modern development teams are releasing daily. And so without this continuous ATO and the built-in security into the pipeline, I don't know if those releases have vulnerabilities until after multiple monthly vulnerability scans.
Rob Monroe (29:26)
Earlier we talked about how much learning and education is actually built into what we do now, versus the supposing, you know, my side versus your side argument of ATOs and getting things into prod. And, you know, Lynette, I'm kind of curious to hear your perspective on this. As leaders who are thinking about going down this road, what are the skills and capabilities that you believe we should be prioritizing to achieve ongoing authorization and continuous risk management?
Lynette Sherrill (29:59)
So I think the key is risk, right? Is we've got to educate people on the risk. A lot of people talk about risk, and not a lot of people truly can lay out risk for you, like, end-to-end. So I think we've got to prioritize really getting people to truly understand what risk looks like. Additionally, we've got a huge cyber gap in the entire industry right now. Cyber skills gap. We've got to figure out how do we get more people into cybersecurity? We've got to use non-traditional hiring methods, non-traditional people, and get them interested in cybersecurity, right? We've got cybersecurity people leaving cybersecurity industry because of burnout. We have to stop doing that. So we've got to figure out how do we fill that pipeline back up just across cybersecurity? Not even just in this space, but in cybersecurity as a whole. So I think those are getting the skilled people and getting the right people are super critical, understanding risk. But I think key to making this process in particular work is automation. We've got to automate things better. We've got to have tools in security, that...we've got to take our GRC products that are traditionally compliance-based, they're not really made for automation, and we've got to really figure out how to automate them. We've got to stop having a human being put check boxes in a tool and saying that this is good security. And we've got to figure out how do we pull stuff right off the wire. I'll give you guys a good example. When I first came back into security from operations, I had just stood up VA's Enterprise Command Center. And we monitor, at the command center, every system across the VA network. We monitor the backbone, WAN/LAN, 156 medical centers, 2,000 CBOCs, you know, an untold number of VBA regional offices and all the cemeteries. So it's a huge footprint, but we monitor all of that. 
So I come back to security and the team says, "Hey, we can't do a real risk assessment on that system based on the security documentation." And I said, "Well, why not?" And they said, "Well we don't have ports protocols and data flows for that system." And I said, "Oh, well we have that in the command center. We collect that all day long. In fact, we have a whole team that's looking at that all the time." And what we found out our limitation was, our GRC tool wouldn't allow us to import that. We couldn't automatically take that data out of our command center where we actually have that data that it would allow us to really know the risk profile of that system, and auto-import it into our GRC product. So I think from a technology standpoint, we've got to really start to take a look at those integrations. 'Cause if we can't get the data that the operations people are seeing and using every single day as part of our understanding of the risk profile, then we've kind of missed the mark and we're back to the compliance drill, right? And I know that, like, went around in a circle, but, I mean, hopefully that answered like what you were getting at.
Rob Monroe (33:11)
Yeah, absolutely. I mean, I think, you know, from people's side, I think there's definitely a need for upskilling on cybersecurity for the purpose as a means to getting these conversations down to a level that actually truly matters on how we improve the products themselves. Not just to say that we did it, we did the conversation, we checked the box, but for the purpose of actually trying to get more value into the product and into the hands of our users. I think your other point around there being a data challenge, a data integration challenge that we need to have solved, is probably similar to most organizations that have very similar aspirations around automation. So I think that that is definitely something we're going to have to invest in. I think some things that I also see, going back to that risk/reward too, right? We chatted about this - like we wanted to get things down to as low enough distribution of authority, right? To have systems be able to go to prod or changes to systems going to prod as often as possible. And I kind of challenged that statement in saying, "But what if it's not a person? What if we actually had software controlling software? And how did we get smarter about risk management or risk calculation?" And I think, Carrie, you had an interesting take on that too in terms of, you know, what have you seen as the most surprising change about this journey? Or what has been the most surprising change that you've seen in what we've done so far?
Carrie Lee (34:38)
I can't remember what I said when we were talking earlier. I think, well, one of the most surprising changes is our developers don't mind doing security. It becomes part of just them, their regular work. And, you know, we've reduced the ATO time from like 400 days to I think around 60 days for new products coming into the environment. And, yeah, I think the most surprising change though is my comfort level with that ATO and with that system and seeing how, you know, we made it work. It's like really cool to see that we had this idea and we got some really great people together to work on it. And we were like, "Yeah, I think we can do it." And through our partnership, we got it done. And now it's like, "Oh, this is really cool." It's the first continuous ATO in civilian Federal. And now, like, Lynette's working on that now for other systems.
Rob Monroe (36:04)
I have to imagine, you know, as leaders who are kind of charting the course in organizations who haven't done things before, it's extremely stressful to allow these things to happen, make these decisions, right? I'm curious if you have any closing thoughts here around what helped you make those decisions, or what aided you on this journey to giving us enough, or affording us the ability, to finally experiment and try something?
[Lynette] Do you want to go first?
Carrie Lee (36:34)
Okay. From my perspective, I came from a local organization. We're delivering tools to Veterans. We want to deliver quickly. And coming from a security background, I didn't want to deliver something and then go through three months of work to get it authorized, because then there's a gap between what you delivered and what's actually authorized. I wanted to be able to deliver, deliver, deliver, bring features and tools to Veterans faster, and improve that Veteran experience. So using that as a driver and, you know, the idea of, "Oh, well, just because something's always been done this way, it needs to continue this way." And questioning that. I think that's really where I felt like, "Okay, we can challenge this. We can take this to a new level." And the best thing is, that we will be getting things to Veterans faster, is what really gave me the courage to proceed with this.
[Rob] Awesome.
Lynette Sherrill (37:41)
I think from my standpoint as security professionals, and even just IT, we have to remember partnerships are everything. That none of us can do this in a box, and we cannot do it alone. We have to reach across the entirety of the organization and make sure that we're partnering with people, and that we're open to those new ideas and new ways of doing it. Obviously this one was a natural for me because it was something I had already been thinking about for a long time. "How do we do this?" And so they just brought me the technology and the process and said, "Hey, we can do this." And I was like, "Oh my gosh, this is awesome." So I think, you know, we have to maintain innovative thought, right? I think sometimes in cybersecurity I see our teams get super weighed down and, "Oh, I just hate those Ops people and those developers. And they just don't ever do anything securely." We get caught up in that, instead of really trying to go figure out, "Okay, why are they doing that?" And it kind of gets to all the stories we've heard over the years about human-centered design and making sure we're building security in from the beginning. And for those that haven't heard the story of how Apple did the biometrics on the home key, that's a perfect story of making sure we're building security in from the beginning. But that doesn't happen unless you're already partnering, and you're already talking to the Ops people. If we've built such terrible relationships within our IT community, with the rest of the organization, we're never going to get there with security. And so as security professionals, we've got to make sure we are out there, and we're talking, and we're learning about our partners, our peers, and what they're doing so that we can bring them those innovative security solutions.
And I'll share this story about this: one of the things we're going to do in VA this year, because of being out there talking to the business, is I'm going to figure out how I do facial recognition in the ICU of VA hospitals, because I've got nurses and clinicians trying to care for Veterans, and they've got to reach for a PIV card, pull it out of a sleeve, and plug it into a workstation to log in while they're trying to give a Veteran a shot or give a patient an exam. Or if the patient is out of control, how do they get there, right? And so if I can make that a more frictionless authentication experience for them, I feel like that's my job to help them be a better business. I'll close by just saying I think that the technology is finally there for security, that we have this unique opportunity that we can do that, and we just got to look at it just a little bit differently. It doesn't make it insecure; it just makes it, I really just think, everything's merging together to get us there. So I'm super excited about cyber over the next three to five years, honestly.
Rob Monroe (40:49)
That's a really great story, and I can't wait to see where we end up with that. I think one closing thought that I have off of that story is what we probably all hear and just need to hear more of, which is: you've got to get out of your chair, you've got to get out of your office space, your cubicles, and go actually talk to your users that are experiencing pain. One of the things that I can tell you from the experience of working with the VA is that all these organizations that we're supporting, some of these RMF activities, don't think of our employees and contractors as users that have choice, and assume they'll just do what we tell them to do because we've laid it out and we've given them education on how to follow it the way we want them to follow it. And nothing else in the world works like that. So I want to thank you both again for your time today.
[Lynette] Thanks.
[Rob] This was a really special moment. Appreciate it, and hope you enjoy the rest of your time here at Prodacity.
[Lynette] Thanks, Rob.