October 5, 2023 @ 13:30 – 14:00 EDT
John F. Kennedy once praised our Veterans for their bravery and selflessness by saying, “as we express our gratitude, we must never forget that the highest appreciation is not to utter words, but to live by them.”
On any given day, the Department of Veterans Affairs (VA) aspires to live by these words in every in-person and digital interaction for over 9 million Veterans, their families, caregivers, and survivors, by meeting their needs for health care, disability compensation, education, housing assistance, and service record maintenance…all around the world.
Unfortunately, Congress has heavily scrutinized the VA’s cybersecurity practices as a contributing factor to its failure in serving the needs of our Veterans. Something must change! As the VA attempts to shift towards a more DevSecOps mindset and associated culture to support its transformation objectives, there is a sobering realization that traditional approaches to risk management frameworks have resulted in both technology and policies that silo people, deteriorate trust, and ultimately are not aligned to enable modern, agile software delivery. In this talk, I will share insights, lessons learned, and recommendations, including:
- The art and science of hacking your bureaucracy to achieve higher levels of maturity for DevSecOps, continuous Authority to Operate (cATO)
- How continuous risk management reduced MVP time to market from 450+ days to under 90 days
- ow to pivot from policy-as-paper to policy-as-code to address security throughout product life cycles, at scale
- Why the success of your security culture shift starts and ends with your people strategy
- How Product Management can help your platform and services adoption stick, and scale
- Why project and output based efforts are impeding your organization’s ability to compete
VA Participant(s)
Andrew Fichter, IT Product Owner, Product Engineering Services