W. Hord Tipton

My perspective on the outlook for cyber initiatives is quite different heading into the New Year than in past years.

While there are always budgetary uncertainties and looming cuts in government IT spending, this year, we face an unprecedented financial uncertainty as our nation stands on the edge of a fiscal cliff. That will impact not only the resources we have to invest in technology, but how people work and live.


The DHS Task Force on Cyber Skills released a much-anticipated report last month on the state of the cyber workforce within the Department of Homeland Security.

Commissioned in June 2012 by Secretary Janet Napolitano, a group of government and industry leaders was tasked with “identifying the best ways DHS can foster the development of a national security workforce capable of meeting current and future cybersecurity challenges.” The group was also charged with “outlining how DHS can improve its capability to recruit and retain that sophisticated cybersecurity talent.”

Communication about the perils of taking inappropriate risk – and how to accept or not accept IT risk in government – is seriously lacking these days. There is clearly a link missing in the chain that connects government business managers with matters of importance such as IT risk.

Take, for instance, the Utah data breach and all of the “lessons learned” that have been discussed since the incident, which exposed the health data of 500,000 people and the Social Security numbers of 280,000 Utah Medicaid recipients. The breach, which took place earlier this year, led the executive director of Utah’s Department of Technology Services to resign in May.

Our organization, (ISC)², recently participated in the IT Acquisition Advisory Council’s 40th IT-AAC Leadership Roundtable, where high-level cloud stakeholders came together to discuss cloud security, FedRAMP and beyond.

Although I was unable to engage live in the roundtable discussion, I do have some thoughts for government officials to consider as they address the many complexities of securing an initiative that holds more promise for the federal government than any other IT innovation in decades — the cloud.

For those tasked with managing risk throughout the enterprise, and who follow my blog postings, you’re familiar with a theme I stress often regarding information security best practices: “An ounce of prevention is worth a pound of cure.”

For practitioners and managers tasked with enterprise risk management, you can apply this approach to all your decision-making, whether you’re looking to make new technology purchases, implement new policies, or, perhaps most importantly, hire new people.

What do well-balanced information security professionals look like, and why should the government be hiring them?

With the release of the National Initiative for Cybersecurity Education (NICE) Framework and much talk about the cyber human capital crisis, one question that keeps coming up is “what type of information security professional should agencies be hiring?”


Behind the IT systems that support civilian and defense agencies is a corps of administrators and information security specialists charged with operating those systems securely.

And behind them are organizations that help train and certify them and, as one organization did last night, recognize their efforts.

Throughout my years in government, I engaged in many discussions regarding the convergence of information and physical security assets. While the “why-fix-it-if-it-ain’t-broke?” argument advocating the effectiveness of maintaining the separation of logical and physical security still stands strong in some circles, there is no doubt that convergence has become a growing fad.

At (ISC)², we often poll our members on topics that represent a potential impact on the information security profession. Just prior to our recent (ISC)² Security Congress, co-located with ASIS International’s 57th Annual Conference & Exhibits, we took the opportunity to poll our members on the integration of traditional and information security and discovered that many hold to the belief that information security and physical security should not be separate but equal and complementary entities.

In my last blog posting, I expressed my thoughts on the importance of taking a holistic approach specifically to addressing the recent proliferation of software vulnerabilities. But truly, this approach applies to addressing all cybersecurity vulnerabilities.

I was reminded of that this week when I read a well-known security figurehead’s very myopic response to a newly released cyber education strategy, called the NICE Strategy, implying that the strategy will have little or no impact if it is not updated to focus on developing critical ‘hands-on cybersecurity skills’.