Interview: Hord Tipton of (ISC)²


Tipton recalls how a system designed to achieve greater efficiency actually ended up costing $55 more per Christmas tree, while adding nearly four hours to the process
Hord Tipton, (ISC)²

Despite his immense success and admirable journey to where he is today, Hord Tipton is a very unassuming and gentle character. His soft Southern drawl is somewhat therapeutic, and he has the ability to instantly captivate with his words.

When I tell Hord Tipton that my objective is to profile him and his career, he responds, “Gee! How much time do you have?” with a soft laugh.

Tipton’s colorful career began with his training as a chemical engineer. His first job was in Chicago at a chemical company, but he moved away shortly after, blaming his dislike “for all that flat land”. After a brief stint teaching mathematics in school, Tipton and his first wife went to work with the National Laboratory in Oak Ridge, Tennessee. “They’re run today by the US Department of Energy, but at that point I was involved in the nuclear weapons program, and worked as a chemical and nuclear engineer, [including] working on nuclear power plants.

“One of the first and most interesting jobs that I had as a young engineer”, remembers Tipton, “was in our plant. We were responsible for the US government’s Atomic Energy Commission – accounting for all of the nuclear material in the Oak Ridge National Laboratory complex, and the huge facilities”.

The material that went into the first two nuclear weapons that hit Japan, Tipton recalls, was extracted from Oak Ridge. One of the most important yet time-consuming elements of the job, remembers Tipton, was “accounting for all that material, because it only takes a handful of it to make a nuclear weapon”. Every month, Tipton and his team had to weigh every single part. “It was taking us 22 to 23 days just to do a chemical analysis. It was just such a voluminous process.

“Then they would dump all this into an IBM360 computer, turn the crank, and out would come a report”. A meeting would then be held so the bosses could check whether they had met the MUF – “materials unaccounted for”, Tipton explains in response to my puzzled expression. “If you were not under 25 kilograms, the plant shut down – everything shut down.” The Department of Energy, sensing there was a better way to operate, asked Tipton’s boss: ‘What would it take to put a little automation into this process?’

“My boss was a crusty old guy”, Tipton reminisces, smiling. “He leaned over to me and said, ‘How much would that cost and how long would it take?’”, referring to DoE’s automation request. “This is 1977, so I said, ‘I can do it for $5 million and it’d take me two years’. The boss passes that message back as, ‘We can do it for $10 million and it’ll take five years’. I learned a good lesson right there”, he said with a grin.

“We had the very innovative job, then, of inventing and building machines that could actually look at a can of ash, and just from its gamma signal, tell you how much nuclear material was in that can. We actually brought that project in at about $5 million, which was a considerable amount of money in 1977, and we brought it in on time as well.”

The other part of Tipton’s job – the part which he considers “got [him] into computers” – was his project with barcode scanners. “I used a mini-computer to create an inventory within 24 hours. They were very impressed with that.”

Lessons in Government ‘Efficiency’

Tipton’s next step was to join the government. From Eastern Kentucky, “raised on the edge of coal country”, Tipton considers himself “drawn into government by the legislation passed to set up an agency on the back of coal mining practices and what they can do to watersheds and homelands and mountains”.

He served for five years as Chief Information Officer for the U.S. Department of the Interior. There, he managed IT operations for 2,500 DOI offices with 3,650 IT employees, 5,800 contracted employees and an IT portfolio of US$1.2 billion.

Tipton was beginning to notice, however, that he was continually faced with “broken systems (mostly which were collecting data) that were ill-conceived, over-priced and never came in on time”. He considers this period the “heyday of his career”, as he was given the money to reconfigure these systems and “do it correctly. I’ve always prided myself on my reputation, because I have never had a system fail and never had one go over budget. I have had to shoot a bunch though”, he says honestly.

One particular instance of “shooting” that Tipton recalls at the US Department of Interior was the Automated Land Management and Records System project. It was also the incident that led to Tipton’s promotion to CIO. “There was a program that would issue permits to local citizens for $5 to get a Christmas tree off public land. They had been trying to build a new computer system around this for 15 years. The contractor had already pulled off $450 million on this, and they had a gravy train with biscuit wheels, as I called it. They had 150 contractors sitting in there, on the government payroll, doing all this. A new boss came in – a big director of the interior agency – and he asked me what I thought of the system”, Tipton recalls.

"It takes time to develop faith in something you can’t see"

To add more detail to the story, he gives me a broader picture of the proposed system. “They were trying to put one billion records into a relational database; including all the land patterns of the United States; the legal transfers and data; all the permits of oil and gas, on 500 million acres of land in the US; logging records; and grazing records.

“So I told the new boss it wasn’t going to work”, Tipton says, getting back to the story. “They had asked me to be the system owner and I refused. I explained why, and the CEO at the time got upset with me. He said, ‘you know that system is going to work, because we’ve already gone out and bought the celebration toys and t-shirts and we’re going to launch this thing next month’”. Tipton’s response? “Let me know so I can be on vacation.”

The project had gone so far down the road that the director said they would have to launch it. “I said, ‘if I were you, I would not launch it until it’s tested’, so they did. They tested it in New Mexico and it took four hours for the computer to crank out the permit for a Christmas tree, and they wanted $60 for it. The tree had gone from $5 to $60, and from 15 minutes to four hours.”

Tipton questioned why it took so long. “He answered, ‘we print an environmental impact statement with that tree, so the user knows where it came from; they know the variety and its Latin name’. I said, ‘you don’t know cowboys and cowgirls at all, do you? They just want their damn tree’”, he remembers, laughing.

“So we told Congress we were going to have to shoot the 15-year-old system. ‘We’re sorry we spent $450 million of taxpayers’ money. But if you’ll leave me $20 million, we’ll have this thing fixed and corrected in two years’”, Tipton remembers telling them, then going on to build a perfectly functional system within two years at a cost of $26 million.

After this success, Tipton was offered the job of CIO for the Department of Interior and suggests he was “talked into it”. He then led work on systems architectures, building the “first system architecture in the US government”. The Department and the White House were so impressed with the result that they “helped their CIO to retire and asked me to become CIO immediately. My condition of accepting the position was that I would report into the Secretary, which they approved.” Tipton remained in the position for the next five years.

Better Together

During his time in the Department of Interior, the security officers reported into Tipton. It was not until later, after achieving his CISSP, that Tipton officially functioned as a security officer. “In trying to build a security department [at Interior], I was essentially working my guys to death. As soon as I could get them certified, other departments would swipe them, because the national security agencies and the Defense Department could pay more. I lost all my people one year, and acted as my own security officer for about eight months until I could actually get one in place.”

This meeting between Tipton and myself takes place at the ASIS conference in Orlando, Florida, where the (ISC)² Congress is co-hosted for the first time. I ask Tipton whether the decision to host the Congress alongside a physical security conference was deliberately promoting a new model. “I came into (ISC)² three years ago with the idea that we really need to use collaboration, and we started building memorandums of understanding with entities like ASIS. We selected entities that we thought had achieved the same levels of standards and integrity that we’d built into (ISC)², so as not to devalue our brand and reputation by affiliating ourselves with them.”

To date, Tipton considers the collaboration “very, very successful”, which he is unsurprised about because he views collaboration as “the way the world is going”. Having said this, Tipton does not believe the US government is complying with this school of thought. “They say they have, and in some places they have – or at least they’ve tried. But no, nothing concrete.”

The day before our meeting, the State of Michigan reported that it had officially integrated physical security with digital information security, which it called ‘critical information protection’. “The driving force, of course, is the critical infrastructure and all the things that are IT-based around that now. They have the whole system for the state reporting to the chief technology officer”, Tipton explains. “This underscores the point that we have been making – we need to think these things through together, rather than in separate channels and silos”.

Tipton’s theory on why physical security is often taken more seriously than information security is an interesting, and very valid, one. “You can see a physical crime – you can visibly observe a criminal activity like an armed robbery”, but if somebody hacks an online bank account and steals funds, “no-one could actually see it happen. It takes time to develop faith in something you can’t see. That’s my theory at least, that it takes time to convince people that this really is a serious crime, because they can’t see it until they see their account balance is zero.”

A Case for Court

Tipton recalls a time after a Department of Interior breach when they were spending $50,000 a year out of a $1.1m IT budget on security, “which is virtually nothing, but kind of endemic to a lot of thinking at that time. Nobody could understand who would want to break into government websites, which were giving the public good information and service. So there was a strong resistance to spending money on security, until we turned them off the internet.”

Tipton pauses, but I’m not about to let this one go. This sounds like another story that needs pursuing. It was 2002 when Tipton “turned off the internet. On the first day, the assistant secretaries all came down to my office. They didn’t visit me very often – as long as their computers were up and running, they were fine”, remembers Tipton.

“They came down and asked ‘how long is this going to last?’ I told them that it would last until they could demonstrate to the judge that they had good security. Their response? They were cavalier, ‘Hell, it just means that a lot of people can’t do all this surfing. We’ll get some work done around here now’”.

A few days later, Tipton smiles, “they came back in. Guess what the question was? ‘Some people have been wondering if we’re going to get paid this week?’ So I say, ‘No, as a matter of fact you aren’t. Without the internet, how do you think I get your timecards and your information to the vendor processing business center in order to get the checks cut?’ Well now, we have a serious problem here”, they realized.

This, remembers Tipton in disbelief, “was after another deputy secretary actually testified on the Hill that the security of the Interior was bullet-proof. Oh my goodness! He’s saying that with an agency out there with no firewall. Those guys got breached big time”.

Tipton had to testify as a bureau CIO before he actually became CIO, and was made to feel like “a right idiot” by the plaintiffs, whose attorneys’ fees of $15m per quarter were paying for the testimony of security experts. “I left that with my head hurting, knowing that I was good enough to do the job, but could certainly know some more. The first time I testified, I felt like an idiot”, says Tipton.

“We had to demonstrate bureau by bureau, office by office, that the security was adequate enough so that we could let them go back online. I think I spent $100 million the first year, just in getting hardware, software, equipment and people in place.” The people piece of the puzzle was one of Tipton’s biggest challenges. “They didn’t really have any training in security – they just kind of learned it as they went. We needed to demonstrate that we had some people that actually knew security.” A contact of Tipton’s advised him that the CISSP was the “gold standard” of certification, but “really tough to achieve”.

"We consider ourselves the CPA of the IT security industry, and we want to be big and stronger"

“So, I said this is what we’ll do. We’ll give them a year to get the certification, and we’ll pay for the training”. Tipton was met with resistance from many of his staff, who complained that it was a tall order. “So I said, ‘if I put myself to the task and I’ve got to gain the certification [myself], do you think they’d shut up?’”. Apparently, that did the trick, so Tipton spent four months studying hard through his evenings, the holidays, and Christmas and passed the exam on his first attempt.

To motivate his staff to follow suit, he offered them a 5% pay raise for getting certified. “The thing that most of them really enjoyed was the emphasis on the continual educational credits, because that’s the first thing that the government and many companies will cut when the budget gets tight.”

To Serve and Protect

In September, (ISC)² announced the formation of the (ISC)² Foundation, a new charitable organization dedicated to delivering education and awareness programs to communities around the globe. Through the foundation, one of Tipton’s objectives is to “bridge academia with the certification we’re offering”.

He explains his decision to join the (ISC)² board in 2004 by announcing he was “bitten by the bug” when he was challenged to take the CISSP exam. This reminds him of the story he was telling me about the lawsuit at Interior. Although we are running out of time, he insists on finishing the story, which I’m grateful for.

“After I got my CISSP, and we had these entities ready to go back online, the plaintiffs put me back on the stand to certify and to testify that the systems that we were bringing back online were indeed secure. This time, I was introduced as a CISSP, and the questioning was altogether different.” Their attitude, he recalls, had completely changed. “Ah, so you are a security expert”, they seemed to say.

“Even the Inspector General got a question on that”, he remembers, smiling yet again. “He was asked, ‘would you consider Mr Tipton knows what he’s doing in IT security?’ He bit his tongue and said: ‘well, I guess he must be pretty good, since he passed that CISSP exam, and I’ve tried three times and haven’t been able to do that’”.

Getting the opportunity to join the (ISC)² board, Tipton tells me, “was very, very inviting. I did it and enjoyed it.” At that stage in his career, Tipton had retired from government and was embarking on some private consulting on his own.

Now wearing the hat of executive director, Tipton is keen to sustain the high level and integrity of the organization. “I’ve got to protect the interests of 80,000 people now, and if we let them down in terms of losing the reputation, respect and the integrity of that credential, then I will have failed.” Building membership numbers is one of Tipton’s key objectives. “The more people that join our ranks, the more it means this outfit is doing something right. Employers are now requiring people to have it, not just thinking that it’d be a good thing. We consider ourselves the CPA of the IT security industry, and we want to be big and stronger.”

In addition to growing the membership, Tipton is also prioritizing providing benefits back to members to make them smarter and stronger. “The more services and the more tools we can provide them, the more intelligent they become and the better they serve the security community and their employers.” One way to do this, he says, is to build geographical chapters. “This will be an explosion of our reach. We need a solid chapter in London, for example. The chapters will finance themselves, and we will not charge them a nickel back for headquarters. We want to make this a low-cost initiative”.

Finally, Tipton shares his ultimate objective with me: to educate children and develop a career path to entice younger children into the industry. “The first and the immediate impact and effect that comes from that is to make a difference in the schools. Get them on the right path; take a little pain away from them if you can, and just start an educational process within that. Also a secondary benefit of this to us and to the security community is to get people at that age to know that this is a challenging career opportunity. It’s a digital world – arts folks are having more and more difficulty getting employment. Our guys aren’t. We’re facing virtually zero percent unemployment.

“So we’re offering up our educational materials to work with schools, help develop our curricula, and we’re offering our 80,000 members up in terms of any type of support or help that they want, and we’re trying to get doors open for them. Our members love it – it’s an opportunity to give back”, Tipton concludes. With that, our time really is up. But not before Tipton offers to meet again some time to share more of his stories with me.

That’s an offer I certainly can’t refuse.
