W. Hord Tipton, widely known as one of the elder statesmen of the cybersecurity world, recently retired as executive director for (ISC)2, the not-for-profit provider of information security education and certification, after six-and-a-half years at his post. Tipton previously served as CIO for the US Department of the Interior for over five years. He spoke with our North America reporter Tara Seals about the value of experience, how government attitudes towards security have changed and how the next generation of the cyber-workforce can prepare for the complex challenges ahead.
W. Hord Tipton, former executive director at (ISC)2 and now the founder of his own security consultancy, is enjoying his deck overlooking the water on this sunny January afternoon in Florida. While the waters may be calm out on the sea, he knows they’re anything but when it comes to the roiling threatscape that defines cybersecurity in a hyper-connected age. Yet, he says, with the perspective of a man with decades of experience, the only way to meet the challenges is to take a page from the Boy Scouts – and be prepared. And above all, be aware.
An Evolving Government Security Picture
Tipton first delved into the IT world in the late 1990s, working for the US government. It was a very, very different world back then – and regulations and compliance were a long time coming. It was then that the role of basic awareness in government security became glaringly apparent.
“The 90s was a time when the government was having a horrible time getting IT systems built and getting the things to simply work – never mind getting the complexity out of it, separating out the hidden agendas, and getting contractors working on what they were supposed to be working on,” he said. “Security was not even an issue that we talked about.”
Then, various laws were developed and implemented in the US for data management, and they had begun to have positive effects on IT system builds. They were prompted by necessity, Tipton said; those builds cost literally billions of dollars, he noted, including a $10bn system built for the IRS alone.
In 1996 the Clinger-Cohen Act established the CIO role, and laid out a comprehensive approach for executive agencies to improve the acquisition and management of their information resources. But it wasn’t until 2000 and 2001 that the Federal Information Act defined security specifically and put compliance requirements in place for government entities.
“In 2001 I was the CIO at the Department of the Interior, and we got graded by Congress on our compliance,” Tipton said. “We were tied for last place with Social Security, with a raw score of 13 out of 100. That lit a fire.”
In examining the root causes of the abysmal scorecard, Tipton found that the problem wasn’t with a lack of care or concern, but rather a basic lack of education and knowledge of how to build things appropriately to ensure security.
“They looked at security as an impediment to doing their jobs,” explained Tipton. “So many systems in the public sector were designed then, and still are today, to provide information and to be free and open with citizens.”
That led to conflicts of interest with national security. “We had research scientists who would demand that they have unfettered access to computers and networks for communications with Russia,” he said. “Also our oil and gas information – that needed to be made that open so contractors could bid on both onshore and offshore oil and gas programs. But you want that data to be very secure because it’s billions and billions of dollars at stake. It took a long time to get people to understand what they were risking.”
Now, he said, there’s a widespread understanding of how important information security is – just as the pace and volume of attacks have skyrocketed.
“Just over the last five years, it’s become an exercise in asking, where the hell is this going?” he said. “The pace of the change is dizzying, and there are now multi-billion dollar industries grown up around organized cybercrime. But business and government attitudes have evolved to understand that incidents cost not just money but reputation, and that there’s a safety aspect to it with critical infrastructure and our secrets and intellectual property.”
So while awareness has caught up, it’s now a question of feeding the maw of demand for skilled cyber-specialists, who can take on this brave new set of challenges.
Preparing the New Workforce for a Digital Tsunami
In terms of preparing the next generation of the cybersecurity workforce, the pace of innovation on both the offensive and defensive side has become breathtaking, and it’s driven by cultural macro-trends such as ubiquitous mobility and the prevalence of connected devices. Those entering the cybersecurity field today have to be ready to meet threats that don’t even exist yet.
“The top ten security jobs today did not exist ten years ago,” Tipton said. “And what will be the top ten jobs in five years don’t exist today. We have estimated that we will need three million skilled security personnel in the next five years. The reality is that we will probably need double that.”
He explained that new technology, especially the internet of things (IoT), where everything down to socks and refrigerators becomes connected and communicates, is magnifying the attack surface tenfold.
“So we need even more people,” he said. “Everything is completely digital. Every time we communicate, post and transact, it now carries risk.”
As a result, continuous learning is an absolute imperative for preparedness, and the earlier it starts, the better. The goal is to encourage enough vision to look ahead and anticipate the types of skills that will be needed.
Tipton said that strides are being made on the adult education level. “Certifications require you to stay current,” he explained. “And universities are starting to recognize that they’re not preparing people adequately to get jobs when they leave. There’s an awareness that it is becoming more and more difficult to learn this on your own.”
However, bringing security into the picture at a much earlier age is the next great push, he said.
“The types of attacks to look out for, and the right methods and techniques to fight them, in my opinion have to be ingrained at the earliest possible age, or our workforce will never catch up,” he said.
(ISC)2 is working on that with a series of school-age programs. One is for ten- to 14-year-olds that deploys trainers to take materials and make a presentation at schools on how to be safe and secure online, at no cost to the school. So far, the program has reached 300,000 kids worldwide. (ISC)2 is now working with grade schools, down to the fourth grade, and also has programs for parents, PTAs and seniors.
“One of the biggest things that we’ve managed to accomplish is that cybersecurity awareness is for everyone, from the baby boomer who is retired and has more time for computing, to novices, to sophisticated pen testers in government security,” Tipton said. “Everyone needs to have it, at a very early stage. I look at my grandkids and it’s almost like they come out of the womb with a smartphone in their hands.”
He added that (ISC)2 also wants kids to at least know that there is a profession waiting out there, if one has the knack for security, and that it’s lucrative.
“The turnover is phenomenal – people are being poached and salaries are skyrocketing,” he said. “But you have to be passionate and excited about this.”
What’s Next?
(ISC)2 is focused on new and future skills in the workforce. But given the rapid pace of innovation and disruption in the cybersecurity space, Tipton said that it’s as important to look back as it is to look forward.
“One of the positive things about getting on in years is the ability to pass on experience to the younger generation,” Tipton said. “I’ve had 16 different jobs in the business world, and just watching how the technology has changed, and how the methodologies have changed in terms of how records are kept, in terms of communications and how you do your business, is important to note. I remember keeping paper records and even – imagine! – dialing rotary phones. And I think it’s important to balance your workforce with people with that kind of institutional memory of how things used to work, and to take from those lessons.”
As for Tipton, he may have nominally retired, but he’s writing two books, including one on the ten things that personal users and/or small businesses must do to stay compliant and safe. He’s also staying on as a spokesperson for (ISC)2, and has hung out his shingle as a consultant.
“I always make it a practice not to stay in any job too long, but I can’t ever remember not working,” he said. “I was raised on a farm and milked dairy cattle with my mother from the age of five – that was my job every morning before I had to walk to school. It’s been a tremendous ride, and I’m ready for whatever comes next.”