2009 Career Trends in Information Security: Interview with Hord Tipton, Executive Director of (ISC)Â²
In this exclusive interview, Hord Tipton, Executive Director of (ISC)Â², discusses:
W. Hord Tipton is the executive director for (ISC)Â², the global leader in educating and certifying information security professionals throughout their careers. Tipton previously served as president and chief executive officer of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton, ESRI, and Symantec. Before founding his own business, he served for five years as Chief Information Officer for the U.S. Department of the Interior.
Tipton holds a bachelor's degree from the University of Morehead and a master's degree from the University of Tennessee. In 2004, he received the Distinguished Rank Award from the President of the United States.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. Today we are talking about career opportunities in information security, and we are privileged to be speaking with Hord Tipton, Executive Director of (ISC)2. Hord thanks so much for joining me today.
HORD TIPTON: Oh glad to be here Tom.
FIELD: Why don't you take just a minute to introduce yourself, your role at (ISC)2 and just give a sense of what is new these days.
TIPTON: I'll be glad to. I have, as you mentioned, my name is Hord Tipton, and I've been the Executive Director since July of this year. I'm still learning a bit on the job, but I would I guess point out that (ISC)2 is a rapidly growing organization still young, at least young at heart, with about 63,000 plus credential holders at this point, located in about 138 countries around the globe so we are truly an international organization.
FIELD: Hord, given the economy, the global economy, what career resources are you offering right now for displaced information security workers?
TIPTON: One thing that we have seen is that has proved to be very useful to our members is our web services, our member services piece of our website, by which we have job offerings, we allow our members to post resumes, and we find that is a site that is one that doesn't have to have a fee associated with it for, say, job searches if you will, as some of the others do.
We provide timely information, we also through our magazine and then eblasts that go out periodically to our membership, we offer opportunities through podcasts such as this and webcasts and other things to our members through our websites in order to try to keep them current with what is going on in the technology world.
This is particularly important at this time during down economies in that travel is often limited, and there are fewer opportunities for face-to-face attendance on this due to restricted budgets. We need to provide our members as many opportunities as we can in order to meet their continuing education credits that are critical for sustaining their certifications.
FIELD: Yes, they didn't tell you what kind of an economy you were going to be inheriting when you took office did they?
TIPTON: They sure didn't! And generally our area is one that sustains down economies like this quite well, primarily because employers are looking for people in the security areas, and so much of their business and data now is digitized and flows across wires and the various networks and it is just not a good time for disgruntled employees or other types of things of like people attacking you.
So security people right now are at a premium, and those that are employed like to stay employed, naturally, so those with good training and good educational backgrounds and the right skills, as verified by certification in many cases, are at a premium within their organizations.
FIELD: Well you mentioned some of the current threats that really are getting a lot of visibility. What do you see as some of the biggest security threats on this landscape right now?
TIPTON: Well, our people are our most valuable assets in any company, and yet at the same time they offer the most threats to your security environment. Technology has been very good in providing tools to help guard and keep our businesses secure, but at the same time it is only as good as the people that we have that use it, and then the people that we have that maintain and monitor through those tools.
So our biggest security threat still is internal; our applications are what are attacked most often ,and I think we have seen statistics that show that as high as 75% to 80% of the attacks now come through the applications. And they will do this through vulnerabilities within those applications or through social engineering, phishing and those types of things, with your employees.
At some point some of the things that are gong on at (ISC)2, some of the newer things would involve our attempts to launch our new credential, which is designed to meet the full lifecycle needs of information assurance through software development.
FIELD: Well that's a good segue for it because I wanted to ask you, what are some of the top issues that (ISC)2 is focusing on going into 2009?
TIPTON: Well, one we are looking very closely at our business to assure ourselves and our members that we will be sustained as a viable corporation and service their needs through the upcoming year regardless of how tough that might be.
Also, we are proud that our credential is held in very high regard by prospective employers and current employers of people who hold that credential and then on top of that, as I said, we've spent two years in developing what we and the industry consider to be a very vital need in that we just--we need people who are thoroughly trained across the board and not just solely in code writing and programming, but in managing the software process form the very beginning until that software is used over time and finally disposed.
In our end of the business, we call this making sure that the security piece is built into the front end of software. We just launched that credential in September. and we will initiate our first educational and examinations for that in April for the education and for June for the first exam.
So we are excited about that, and we've had tremendous interest in it across the globe for that matter, and we look forward to offering a credential that is going to add a lot of value to the resumes of our members.
FIELD: That's exciting. Hord, as you alluded, there is certainly a lot of churn in the financial services industry these days and we are seeing lots of people displaced. What advice would you have for people in information security that are either looking to start or switch their careers now?
TIPTON: Well, there are two ways to switch; we see that some of our members through success have been promoted into managerial positions, positions that are integrated with IT but have more of a business nature to them.
So people are constantly changing, particularly the younger people in today's employment world and are apt to have 15 or 16 different jobs before they are 40. They even change within the IT community and even within the security environment as well.
So there are all sorts of different specialties and concentrations that the environment is demanding that people pick up in order to stay current with the constant challenges and the sophistication of the challenges that all of us are facing.
FIELD: What do you expect looking ahead to next year are going to be sort of the in demand skills in financial services and in the banking industry?
TIPTON: Well, particularly I was going to mention the banking industry is a hot sector. The statistics will show that the most prevalent attack is on financial institutions, and the chief motive for criminal malicious computer mischief is in the financial sector because people are now into this for profit. It is not fun and games anymore or just bragging rights, it is a serious criminal element, and obviously the highest rate of return on the effort that they put into it is in the financial sector on that.
So I would suggest that people be really up on the requirements of the PCI Compliance and what that means, what the rules are for it and then how to actually develop policies and procedures to help companies stay in compliance with that.
Another area that I see that will have a big demand for people is going to be in the web world. Over half of the business transactions now conducted on the web, and then with the web itself being the biggest threat that we have to computer security, it is like mixing high volume business and transactions in a very dangerous environment. So to the extent that even trusted sites are having difficulty maintaining that reputation as a trusted site, there is going to be more and more skill need in that area because that is where the evolution is headed.
FIELD: That makes sense. Hord, I certainly appreciate your time and your insight today. It is a pleasure to be speaking with you.
TIPTON: Well, I enjoyed it, Tom, and I enjoyed discussing it with you as well.
FIELD: We've been talking with Hord Tipton, Executive Director of (ISC)2 . For Information Security Media Group, I'm Tom Field. Thank you very much.