Tom Pyke has served his country as an expert in computer systems for more than three decades. He began his work...
at what is now the National Institute of Standards and Technology before moving on to the National Oceanic and Atmospheric Administration (NOAA), where he became that agency's first CIO. From there, he built a 30-year career with the U.S. Department of Commerce, making major improvements to the organization's IT security posture and managing a $2.1 billion IT budget. Five years ago he was brought into the U.S. Department of Energy (DOE) to beef up its defenses against IT security threats after a series of embarrassing lapses in the face of such threats. He retired in February, but he has hardly slowed down.
On May 19, Pyke will speak at the MIT Sloan CIO Symposium as a panelist on the topic of "Solving the CIO Paradox" -- the paradox being how to use technology to expand the business while keeping costs low.
In a wide-ranging interview with SearchCIO.com, Pyke talked about his experiences with IT security threats, why CIOs need to push software vendors for more testing, the importance of user awareness training, and why the separation between IT and the finance department is a good thing.
In your many years in information technology, you've seen firsthand the rapid evolution of IT security threats. What is the next generation of security threats that CIOs are going to have to deal with? What makes you nervous?
Pyke: Although they change and they keep ahead of our defenses, for the most part, inherently because that's the nature of this business, the attacks still arrive in very much the same way they did a long time ago. The actual attacks, the malicious code that is implanted through the most serious attacks, gets more and more sophisticated and adapts as we fix the vulnerabilities in our systems and networks.
Can systems evolve to the point where they are impervious to such threats?
Pyke: No. The nature of the cyberattack world is that the attackers have the advantage. They can weasel their way into our systems and into our data, and potentially harm the systems and the data and the integrity of the data, and our ability to function in support of our organizations' missions.
However, there are good ways to provide solid defense in depth that can mitigate against future attacks. More thoroughly tested off-the-shelf software, for example, can reduce the number of security-related vulnerabilities the bad guys can exploit. Unfortunately, testing -- and continued testing of software -- can delay entry of that software into the market, and this can weaken a software vendor's competitive position. So, one of the things that a company or a government agency can do is to develop procurement specifications that require more thorough testing. And in some cases, [they can] band together with other companies or other federal agencies to have more clout to require that the software delivered has fewer vulnerabilities.
And to what degree is that going on now?
Pyke: To some extent, but not nearly as much as it can. There is also a lot of discussion with software vendors. I have been involved with such discussions over the years, encouraging software vendors to do more testing, and helping them understand how it is a win for them and a win for the customers if they do so.
Soon after you joined the DOE, it suffered a security breach that was traced to an employee who clicked on an email attachment that contained malware. To what degree does the human factor become the rate limiter for all security systems?
Pyke: Good user-awareness training is a very important part of defense in depth. Frequently, however, the attacks that users face are not apparent and would not be apparent to the user. Incoming emails can look exactly like an email that a user may have received from his or her boss, or from some legitimate entity outside the federal government. Unfortunately, on the Internet it is very easy to spoof other users, and it is very easy with a limited amount of research about an organization, to spoof incoming emails to the point that they are very hard to detect.
More on IT management
That same organization within the Department of Energy that suffered the breach a few years back had a later spear-phishing attack against 2,000 of its workstations. And only eight of the users activated an attack by clicking on an attachment; and yes, indeed, that new attachment contained malware. Frankly, this is very good success. And it is very important to have good awareness training, and it is also important to have good early detection of attacks so that once they do occur -- once malicious code has been activated -- it can be stopped in its tracks before anything significantly bad happens.
You implemented an interesting training program after that security breach. Can you talk a little bit about that, where you tested employees' response to email?
Pyke: In some cases, we did create an artificial environment where we approached individuals with what looked like an attack but wasn't, and patted them on the back when they successfully detected it. However, this whole approach met with mixed results, and I don't recommend that approach -- although in some cases, it may add to the mix to help improve overall user awareness.
What about employees who either by negligence or dishonesty threaten the security of a site. Is it the CIO's job to ferret out these employees and deal with them?
Pyke: Well, the CIO's job includes detecting things that don't look right in the systems or the network. Inadvertently clicking on an attachment in an email -- an attachment that looks very much like a real one -- certainly isn't negligence, at least in my opinion. And it is impossible to train all users or in fact, any user in all the possible devious ways an attack can come in.
Dishonesty is another thing. In the federal government there are inspectors general and there are, in some cases like the Department of Energy, counterintelligence authorities whose job is to deal with intentional misbehavior that has the potential to damage an organization's systems or data -- or other assets. So the CIO's job is to make sure there are systems in place to detect, to the extent possible, unusual behavior that could represent dishonest behavior and to refer these suspicions to the right people.
I should also mention that HR departments in both business and the public sector can be very helpful in dealing with individuals who have apparent dishonest behavior, and in deciding what the appropriate discipline should be, should dishonesty or other unacceptable behavior be determined to have occurred.
CIOs are under such pressure, especially coming out of this recession, to prove the value of IT investments. Do you think CIOs need to have formal expertise in finance?
Pyke: I don't know about formal training in finance as such, so long as we have staff who are expert in project management, including the financial aspects of it, and so long as there is a good partnership with the CFO. One of the things we're going to be talking about at the MIT Sloan CIO Symposium on May 19 is how CIOs can best support business growth, because the CIOs are, in fact, opportunity leaders. They're leaders [who] look at how IT can help provide competitive advantage.
The more business and program management that the CIO can do, especially in the areas that he or she supports as CIO, the better-prepared the CIO is to do the job.
Tom Pyke, former CIO, U.S. Department of Energy
The title of your MIT symposium panel is "Solving the CIO Paradox." What is the CIO paradox?
Pyke: Well, as I understand it, the CIO paradox includes ... trying to use IT ... to help the organization best accomplish its mission. At the same time, the CIO is very conscious about reducing costs. It is not just during a difficult economic time. This is something that is important to do all of the time, and in my opinion, an integral part of the CIO's job.
What tools do you think CIOs have now that enable them to do this, and what tools do you think many CIOs are lacking to meet this challenge?
Pyke: Well, I think it is very important for a CIO to know more than just the technology. And you asked a moment ago about financial management. Well, that's important, but we're not expected to be the CFO as well as the CIO. Those usually are separate tasks, and there are good reasons for those to be staffed separately and for organizations to be staffed separately to perform those functions.
I think it really helps for a CIO to have experience managing a large organization. I was assistant administrator for satellites and information services at NOAA. I was in charge of the nation's weather satellites and the nation's environmental data. And I managed 1,000 people, not doing IT as such, although we relied on IT extensively, but in performing an important mission, a function. I also led the development of a major new project, a startup, directly for Vice President Al Gore. It was a highly innovative science and education program for tens of millions of kids in over 100 countries. Those kids are out there in 23,000 schools right now learning about the environment, doing hands-on science, using IT to support them; but that, in fact, was and is a program. So, the more business and program management that the CIO can do, especially in the areas that he or she supports as CIO, the better-prepared the CIO is to do the job.
The SearchCIO.com CIO Innovators profile series highlights how CIOs use technology to meet both IT and business leadership objectives. To suggest a leader for a future CIO Innovator profile, email firstname.lastname@example.org.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.