Former CIO: IT centralization at VA key to security

29.06.2006
The key to improving information security at the Department of Veterans Affairs is to centralize management of all IT programs and activities, two former CIOs said at a hearing Wednesday by the House Committee on Veterans' Affairs.

Also important is the need for the agency's CIO and chief information security officer to have more direct authority for enforcing policy directives and information security mandates, they said.

The hearing took place before Thursday's announcement that a laptop containing sensitive data on 26.5 million veterans and military personnel -- reported stolen last month -- had been recovered (see "Stolen VA laptop recovered"). The hearing had been called to discuss a reorganization of the IT environment at the VA following the disclosure of that massive security breach.

John Gauss, a former CIO at the VA, said that implementing a strong information security program had been his "No. 1" priority at the agency. At that time, though, the VA was grappling with an "ever-expanding IT budget, programs that were defined in a stovepipe manner and programs that were consistently overrunning budget, behind schedule and failing to meet their performance requirements," Gauss said.

Given those problems and Gauss' strategic objectives as CIO, "I concluded that all IT programs and IT-related activities affecting the three administrations and the VA central office should be centrally managed at the department level," he said.

But "cultural impediments" precluded progress at the time, he said.