Hord Tipton, International Information Systems Security Certification Consortium
W. Hord Tipton
Executive Director, International Information Systems Security Certification Consortium (ISC)²
Former CIO of the Interior Department
First, we have lots of technology available to us that would work just fine if only we had individuals, groups and companies that could successfully manage it. For example, our encryption capabilities are robust, but even when 100 laptops are lost each and every day, only 30 percent of those really needing it have encryption. Even worse, a high percentage of that 30 percent are incorrectly configured and therefore the encryption does not work. We know that standard configurations for computing systems are essential for management of operations, yet we do not exercise the appropriate authority to establish an environment that will accept a standard disk image. We allow too many entrepreneurial actions and liberties from our users, system administrators and the business owners who place more value on functionality and user “friendliness” than having sufficiently secured systems.
My good friend William Hugh Murray told me a story about legendary football coach Bear Bryant:
On the first day of practice, Bear Bryant always gave the same lesson. Holding the ball aloft, he would say: “This is a football. We do three things with it. We run with it, mostly forward. We throw it, mostly forward. And we kick it, always forward. Now go practice that.”
We do not need agency CIOs, CTOs, and CISOs to even think about technology until they get the basics right. Government leadership needs to focus on blocking and tackling, not game plans or even play calling. Their problems are not technology problems except to the extent that it causes them to take their eyes off the ball. They need to focus on policy, direction, and supervision. They do not need to know how to make a football.