DISA uses internal hackers, which it calls “red teams,” to continue security testing once systems are operational. Red teams try to penetrate systems and take action, such as stealing data. Hutchison says using internal hackers is something he would “absolutely” recommend to CIOs so they can find and fix their own vulnerabilities.

Keeping up with the latest security threats is difficult for DISA’s test and evaluation team.

“It’s tremendously challenging for our testers to be trained and ready and relevant in this new environment,” Hutchison said. “We are constantly adding new test capabilities into their programs.”

Hutchison says it’s important to hire top talent for security testing and evaluation.

“Our people really like what they’re doing,” Hutchison said. “I don’t think we’re experiencing any trouble finding new people to come into our environment…because the work is so interesting.”