Former (ISC)² Exec Shares Thoughts on FISMA, IT Architecture
Hord Tipton jokes that he has a history of inheriting broken computer systems.
One of his biggest projects — rebuilding a broken system at the Bureau of Land Management — in many ways introduced him to the nuances of federal IT and security.
“That was kind of my first in-depth experience with information technology architecture, security architectures, and what this actually meant and entailed,” said Tipton, an Interior Department CIO during the George W. Bush administration and recently retired executive director for the International Information System Security Certification Consortium, or (ISC)². “Very few people at that time [and] many of them today, really don't understand the importance of architecture.”
His success at BLM set him up for the position of department CIO, he recalls. “I got a call on a Friday night, and the secretary of Interior says, ‘Can you be the CIO on Monday morning?’ Yeah, it wasn't much notice at all. I said, ‘At least you're giving me the weekend to think about it.’”
Tipton served as Interior CIO from 2002 to 2007 before taking on the role of (ISC)² executive director in 2008. He retired from the latter post Dec. 31. During his six-and-a-half-year (ISC)² tenure, the organization's mindset transformed from that of a certification agency to that of a security organization, and more hands-on demonstration components were added to certification tests.
“We've had a number, including our marketing department now, that have actually taken the exam,” Tipton says, “not expecting them to pass it, but just so that they will understand how a candidate has to prepare.” The global organization also added an education component. (ISC)² now partners with universities and high schools around the world to share information for developing coursework for students.
FedTech Social Media Journalist Nicole Blake Johnson spoke with Tipton about his tenure at (ISC)² and his thoughts on federal IT security and cyber legislation.
FEDTECH: How did you transition from CIO at Interior to (ISC)²?
TIPTON: We actually had about 3,500 [Interior employees] that thought they were security people. They didn't have any certifications to speak of. My CISO was going through the (ISC)² certification, and he studied and crammed for the CISSP [Certified Information Systems Security Professional exam].
Like I’ve asked, "Well, you got a lot of people. How do you know they're any good?" He said, "They've got a lot of experience, but that doesn't necessarily mean that they're current and they know what they're doing." So I asked my CISO, "How do we tell? How do we actually measure that?" … I, at that point, had never heard of (ISC)², and he says, "Well, I'm studying for CISSP, and I'm studying for it because it's a gold standard." I said, "Well, good. We'll just have everybody get that certification within a one-year period."
It created a lot of uproar and a lot of resistance and backlash. So they challenged me to take the exam. I was put on the spot. I studied four months and hadn't had the experience and that piece of it, but I took the exam and became the first — and probably still the only — CIO, at least in the cabinet level, to pass that CISSP exam. That impressed (ISC)², and they asked me to sit on their advisory board.… [T]hen eventually, they asked me to sit on the corporate board of directors, and I sat a couple of years, and the next thing you know, they wanted to put a new director in (ISC)². I was supposed to help them find one and didn't have much luck on that. So … they talked me into taking the job.
FEDTECH: What are your thoughts on cybersecurity legislation passed by the last Congress?
TIPTON: I look at it as we finally have something now that's official from a legislative point of view that puts in the legislative record some things that, frankly, I think agencies were already doing. Continuous monitoring, for example, had been working around getting required solutions for that. That's been in [the National Institute of Standards and Technology] for a long time, and it's a type of thing you can do with regulations, but it's good to see it all packaged and reshaped [into the Federal Information Security Management Act]. I think it will take a lot of criticism away from FISMA now that everyone's getting the same direction, so you can get some consistent reporting through it.
As CIO, that was the one thing that always frustrated me a bit, was how you fared on your annual ranking and on FISMA depending upon just how independent and how rigorous and how tough your inspector general was, because they're really the ones who determined how FISMA is being implemented. We tried partnering with the IG, but you can only go so far with that. What we noticed was there was a wide disparity of approaches that inspectors general and CIOs use to cross that, so this will give some good continuity and it will make sure everybody understands and plays by the same rules.
FEDTECH: What do you see as left to be done with cybersecurity legislation?
TIPTON: Well, again, I think this comes down to separating out those things where everyone should have a clear role as a nonpartisan, and we really know and they really know the things that do shift and get reflected as partisan in some cases. The liability is key in that. Anonymity is another one, and it just greatly limits the cooperating and sharing that is necessary at this point, if you expect to keep up with the bad guys. It's difficult enough as it is, but when we don't share information and get out ahead of this, then our preventative security seems to go out of the window.
FEDTECH: Can you elaborate on what you mean by anonymity?
TIPTON: Yeah, well the other part of that comes out of this is the embarrassment factor. In particular, if you share too much information about just how badly a company had messed up something, it looks like a public whipping. It doesn't help the company. It really doesn't help going forward, but if you can extract exactly what happened, the impact of how it happened, and these are the vulnerabilities that were exploited, and then you share that — the details of how the new attack worked — with governments and your corporations, everybody benefits from that.
FEDTECH: What federal cybersecurity trends are you expecting this year?
TIPTON: Well, one that everyone always asks about first is the [federal] budget. I think all our predictions came true last year, about, even during austere times, particularly the security budgets getting a degree of protection.
One of the things that they're falling back on is the escalating salaries of a very scarce workforce. So when you're on the bottom or start falling toward the bottom of the pay scale for professional talent, two bad things will happen. One, you will lose your senior people and you will lose experienced people, which we basically call "poaching the high grades." And then, secondly, if you can't replace [them], which you won't be able to with the same quality of people, the overall [quality] of your workforce will be less.
[Agencies are] going to have to be careful to make sure that they understand, one, you've got to do some creative things to increase the number of available people. You have to make sure that they keep their skills up, and therefore you can't constantly cut back on their training as a way to save money. They'll become stale and out of date very quickly. And then, third, you're going to have to do something to distinguish and raise the salaries until you get adequate people out there.
Then, of course, they should emphasize efforts to encourage more … women to get into the IT security field, and this problem wouldn't be so severe.