Richard A. Spires may now be the CEO of Learning Tree International, but his background in cybersecurity goes much deeper. Having spent more than 30 years in IT, Spires was chief information officer of the U.S. Department of Homeland Security, as well as CIO for the Internal Revenue Service. He also served as the vice chairman of the Federal Government CIO Council and as the co-chairman of the Committee for National Security Systems, the committee that sets standards for the U.S. government’s classified systems. Workforce editorial director Rick Bell caught up with Spires via email.
Workforce: What role does HR play in cybersecurity?
Richard A. Spires: Effective cybersecurity requires the proper application of technology, process and people. Having a staff with the skills and experience in cybersecurity is the most critical aspect for success. Given the reported 2 million person worldwide shortage in cybersecurity personnel, it is a virtual war for talent. An HR organization that works with the CIO and CISO, both in support for recruiting and, more importantly, in development programs to develop cybersecurity talent from within the organization, is critical for success.
WF: What questions should recruiters be asking of candidates in regards to cybersecurity?
Spires: I look for individuals that have the general traits necessary to develop their abilities to become very skilled cybersecurity professionals. In particular, I look for individuals that have strong analytical skills and the ability to understand and deal with complex systems. They don’t need to be computer engineers or scientists, but today’s IT environment is highly complex and most cybersecurity tools require significant in-depth knowledge and analysis of information to be effective. Individuals that enjoy problem solving in a complex environment thrive with this type of work.
WF: Where does cybersecurity start in an organization? In IT? The CEO’s office?
Spires: In today’s environment, cybersecurity has become one of the leading (if not leading) risks to many organizations. As such, cybersecurity risk awareness and management needs to start in the C-suite and the board room. This is now way beyond the IT organization, and business units of an organization need to be involved in understanding the risks and helping in determining and executing plans to mitigate those risks.
WF: Is it really necessary to have about 100 different passwords that must be changed every few months?
Spires: If one is in an organization that still requires the use of a significant number of different passwords for access, it is a strong indication that the organization has a weak cybersecurity posture. The proper use of identity management systems in organizations today should simplify access for users and is a key component of a good cybersecurity solution. An organization should know who is accessing their systems and data and have knowledge, with a high degree of certainty, that an individual accessing a system is who they claim to be. Today’s modern identity management solutions replace legacy system access controls (which leads to the many passwords) and will typically enhance access control through the use of multi-factor authentication, a system in which a user has to demonstrate they know something (such as a password or PIN), but also have something (such as a smart card).
WF: What was your biggest challenge as the CIO at Homeland Security and the IRS?
Spires: I loved my government service, not only for the camaraderie of working with dedicated people in public service, but also for the strong sense of mission, of doing something for the country. But government service has its significant frustrations. For me, the biggest challenge at both Homeland Security and the IRS was the amount of coordination and stakeholder work required to make any significant progress. It would typically be the case that I would need to convince up to 12 different stakeholders (a number of which were outside the agency) of the value of an initiative to move forward. This takes significant time and effort, and if you do not get everyone to agree, usually the initiative stalls. I believe this is both the major reason it is so difficult to get things done in government and why it takes so long to make progress.
On the positive side of this, when you can get alignment among stakeholders, it can be amazing to see how much progress can be made, given the sheer amount of resources federal government agencies can bring to bear on an initiative. I had enough of these positive events to say that I was proud to be part of both DHS and IRS and serve a collective eight years in government.
WF: Is cloud computing the answer to avoiding cyber-attacks?
Spires: Cloud computing is a particularly attractive model for IT in that it offers means to lower capital investment and enable organizations to pay for on-demand computing services when they need it. That being said, cloud computing by itself will not make one secure, even if the cloud service provider has extensive security controls in its cloud offerings. An organization must take a holistic approach to addressing its cybersecurity posture. Returning to the identity management example — a CSP must rely on the user organization for information regarding who should have access to a system or data residing in the cloud. If the identity management system itself has been compromised or the identity data is incorrect, it is not possible for the CSP to know or stop unauthorized access. Organizations can outsource their computing requirements, but really cannot outsource their cybersecurity operations.
WF: Do you ever hear this attitude? “We make widgets. Why should we spend money to negate cyber-attacks?”
Spires: The good news is that I rarely hear this type of statement anymore. The publicity of major breaches at places like Target, Home Depot and Sony Pictures has sensitized everyone to the reality that no one is immune. All major organizations have significant IT systems today, even if the organization has only the need for back office systems (like HR and payroll). Even in these cases, the organization is holding sensitive information on their employees. The awareness is a good thing for organizations, although I believe that many organizations are still under-invested and have a weak cybersecurity posture.
Rick Bell is editorial director for Workforce. Comment below or email him firstname.lastname@example.org.