The finalists for WashingtonExec’s Pinnacle Awards were announced Oct. 8, and we’ll be highlighting some of them until the event takes place virtually Nov. 12.
Next is Cybersecurity Government Executive of the Year finalist Paul Cunningham, chief information security officer at the Department of Veterans Affairs.
What has made you successful in your current role?
My success is largely in part due to two elements. First is my view of risk management as the bridge between meeting business and cybersecurity objectives. I see this in a similar manner in how naval aviation approaches risk management in balancing mission and safety. Risk management is not an afterthought that is done once a decision is made or a mishap occurs. It needs to be ingrained in all aspects of operations and with the understanding from all participants on their role in risk acceptance.
The second element was the mentorship I received from chief information officers, CISOs and deputy CISOs over the course of my career. They taught me the value of partnerships and strategic thinking. Most of all, they remain a ready resource and sounding board for me.
What are your primary focus areas going forward, and why are those so important to the future of the nation?
Many people have heard me talk of the “turning point” that we are at in cybersecurity. A lot has been written on cybersecurity risk management. However, implementation is an ongoing challenge. As we move to a more focused risk management environment, cybersecurity professionals must operate more as risk brokers and less as cybersecurity enforcers.
Technology brings tremendous capability to our daily lives both at work and at home. As we become more reliant on technology and innovation as a nation, we as individuals must evolve our understanding of risk and our role in protecting work and personal data.
How do you help shape the next generation of government leaders/industry leaders?
It is important that our future leaders to develop strategies not just for today but for the future. I have found that critical thinking and risk management skills are fundamental in that success.
As government or industry leaders, we cannot simply point to requirements and “one-size fits all” solutions. We need to balance numerous direct and indirect variables in developing a strategy that is tailored to the situation, meets stakeholder needs and is viable in implementation.
What’s the biggest professional risk you’ve ever taken?
That would be my time as the executive director for the Affordable Care Act’s Healthcare Marketplace. When I was asked if I would take the assignment, I knew very little of the issue beyond what I heard about in the news.
To mitigate the risk and issues that were occurring, I had to work closely with the teams and help map out notification, escalation and response strategies to ensure all parties understood where they engaged and disengaged in the process.
As a result, we were able to prevent delays and downtime due to security issue and we bolstered the role of the security with the Marketplace and the Centers of Medicaid and Medicare Services.
Looking back at your career, what are you most proud of?
What I am most proud of is the small contributions I made to aspiring cybersecurity professionals and how those efforts may have positively influenced them in the journey. Certainly, I do not take credit for their success. However, I do feel a sense of pride when some of those people find success and, in a lot of cases, exceed even their expectations.
The federal cybersecurity community is relatively small. It is great when I see someone that I mentored rise to a greater role or obtain their goal like a degree, an award or a certification.
What was your biggest career struggle and how did you overcome it?
In hindsight, I would say that the biggest obstacle came from limitations that I placed on myself. Early on, I felt that I had to figure out all the pieces of cybersecurity myself before I can contribute. The truth is that no one person can know everything, and it takes a team of professionals to make a successful cybersecurity program.
I would encourage all team members to provide their perspective and bring their ideas up for consideration. Personally, I find it refreshing when a unique perspective is provided from the unexpected contributor in the group.