Emphasizing Risk Over Compliance Is A Challenging But Necessary Change
- One great challenge for many organizations now implementing CDM is changing their security culture from a compliance focus to a risk-management focus.
- With CDM, risk management is a business problem, not just an IT security problem.
“I believe we’re at CDM Phase 1. We’re finding out interesting things we never knew about how data flow on our network. What we’re doing now is defining normal.”
The CDM implementation story varies considerably from one federal agency to another. Based on head count, the U.S. Department of Veterans Affairs (VA) Veterans Health Administration (VHA) is by far the largest federal agency implementing CDM. VHA’s network is broken down into 22 Veterans Integrated Services Networks (VISNs). Brian Zeitz, a facilities chief information officer for VA based in Cincinnati, Ohio, works within VISN 10. “There are 360,000 people in VA,” Zeitz explains. “More than 95 percent of these are in VHA, which delivers health services to veterans. VISN 10 supports five medical centers in Ohio and six in Michigan. My organization supports the Cincinnati area, which hosts a 10-story hospital, 6 clinics, a community living center, and 3,000 VA employees.”