Samara Lynn (00:10)
I see you were CISO in the military and also at your previous place of employment. Can you tell me a little bit about those roles?
Tim Tipton (00:19)
Of course, so while I was in the Air Force as a CISO, it was more so my final duty station while I was in Washington DC, I was stationed at Bolling Air Force Base.
I was originally just an information system security manager when I first arrived there, but it was right after COVID had hit its peak and it was kind of curtailing off.
So I stepped in pretty much turned into, okay, full scale CISO for the JWICS network for the national capital region. So make sure that it complies with the NIST risk management framework, make sure the ATOs go off without any kind of worries, make sure nobody loses their network access. I loved it because it,
The best thing about the Air Force is there's always that sense of urgency,
I took my certifications, I took my experience and everything, and then I was like, let's, see what the private sector has for me. The company that I was originally a CISO for on the outside. They were actually the same company that invited me to do my SkillBridge program with them. The SkillBridge program is an amazing program that specifically for transitioning service members.
Transitioning service members have up to 180 days before their separation date to where they can do an internship with a company that allows them to refine their skill sets and prepare them for life outside of the military. So it gives you an understanding of what the workforce looks like, how your skills fit into what a job outside would look like,
The company that initially reached out to me about the SkillBridge opportunity. It was 7 Eagle Group. A guy by the name of Jordie Kern. Super awesome guy. He was the founder of 7 Eagle Group. reached out to me and told me that there was this company named Vipersoc that fell under the 7 Eagle family that was looking for
just a cybersecurity analyst for their SOC, right? And I was like, okay, that's only like a small fraction of what I did in the Air Force, but it's a great way to get my feet wet.
but after I joined Vipr Soc, I'd say it was probably about two weeks before Jay Sheehan, who's a really good friend of mine now, before he was like, Hey,
You want to be my CISO And I was like, sure. And he was like, because we want to expand more, you have the chops for it. He was like, you've done it before. He was like, I just didn't want to bring anybody in as a CISO but the position's yours.
So when it came to the SOC I made sure I understood the ins and outs of everything they did
So that was super fun. then at that point, Jay gave me the opportunity to help expand Vipr SOC services from just being the SOC to more so cybersecurity as a service. So I developed our audit and assessment arm, our vulnerability management arm, our threat management
penetration testing, blast radius reconstruction for incidents, forensics analysis.
Pretty much what we would do that for is at scale,
Samara Lynn (03:24)
Well, so let me ask you this. So you obviously have a long history in cybersecurity. Were you interested in this space before you went to the military or did develop while you were in the military?
Tim Tipton (03:36)
so I think for me it was always, it was always something back there, right? Something that interested me because I've, I found very early on that I'm a creative person, right? Like I'm a music producer, I'm an author, I do a whole bunch of different stuff. I always wanted something that in a sense,
colored inside the lines or was easily defined or easily explained, right? You can't easily explain music is more an emotion and a feeling. You can't easily explain art, right? Because it's something that just naturally happens. But with cybersecurity, there's an explanation for everything, no matter how dynamic or nonlinear the environment is or the landscape is, it's something that can easily be explained.
Samara Lynn (04:25)
So let me ask you, what do you consider one of your biggest career successes?
Tim Tipton (04:29)
I say one of my biggest career successes, if not my biggest career success. What is or is the. The impact that I have on people from me sharing what I know with them. Right.
I released a book titled Cybersecurity and I'm about to release two more that are under the same cognitive cybersecurity thing. But cybersecurity was about the intersection between psychology and cybersecurity. So being able to help people understand how to influence change at an organizational level based off of different personality types and character traits within C-suite users, executive boards, directors, managers, all of those different types of roles.
the stressors that we face as cybersecurity professionals, how to identify them, how to be able to help your team get through those, overcome those, then thrive afterwards, right? Without making it feel like it was their fault. I think that was probably my biggest career success to be able to change the landscape, even if only a little bit, right? Through that way.
There's been the Air Force gives you plenty of opportunity to change it from a technical or managerial perspective, right? They demanded spans across hundreds of bases, right? We get a place that other sister service installations, but you get one base where Nellis, for example, out here in Las Vegas has 14,000 people on the base itself.
plus about another two or 3000 at the base that they also support. But you get three, four people in a shop to support that entire thing from a cybersecurity perspective. It's crazy, right? But you oversee new initiatives that roll out. Like I mentioned with the whole DLP thing, DISA comes and they do their audits and you're held accountable for that.
the Air Force gave me ample opportunity from
a technical and depth perspective, but I feel as though my biggest success was being able to help people.
Samara Lynn (06:27)
That's awesome. Well, tell me, tell me briefly what, what is the most significant difference in being a CISO in the military as opposed to the private sector?
Tim Tipton (06:37)
the biggest difference is in the military, there is no real pushback or stopping a change from happening, right? At scale, it's this has to happen because this is a mandate that came down from DISA who oversees our network or DIA who oversees our network or direct mandate from the president
That differs from the outside greatly because a single person on an executive board or in the C-suite can stop one of the most important controls from being implemented within an organization. The Air Force pays, the military pays thousands of dollars for a single toilet seat. Security teams can't even get a couple of thousands of dollars, a couple of thousand dollars for budget.
A lot of the time security teams, their budget is rolled in with the IT budget and whether we want to accept it or not, right? The IT budget is going to take precedence or priority over the security budget every single time, right? The IT leaders are articulating that this new equipment, hardware, technology is going to bolster the organization's operational effectiveness versus
what they have now, which could slow down production teams and things of that nature. There are very few security leaders that can articulate that security is an enabler versus a blocker. Right. And what makes it worse is you have great security leaders that roll into organizations where the previous security leaders weren't great. So now you're fixing a stigma that was set by the previous person that left a sour taste in everybody's mouth.
In the military, people roll over and change so much that commanders forget what the last person was like. So they start every next person with a new outlook or a fresh outlook on the outside is completely different. So I say that's probably the thing.
Samara Lynn (08:33)
Yeah, I can totally understand that. Cybersecurity right now is just frenetic. It's a constantly evolving landscape. As a former CISO as a person in the space currently, what is the current biggest challenges for cybersecurity professionals?
Tim Tipton (08:52)
The current biggest challenge for cybersecurity professionals, one being the manning gap. There is a, I believe, 3.5 million manning gap in cybersecurity. That's global, right? So let's just say a percentage of that being generous for the US, 35%.
Samara Lynn (09:11)
You talking about labor shortage? Yeah.
Tim Tipton (09:12)
Yep.
So with that being said, you see it, especially in organizations like I'm in now at Arctiq right? As a principal security architect, you see the shortage firsthand in organizations. They have copious amounts of tool sprawl. They have users that work in their hybrid workforces, right? I was talking about it yesterday with someone. You have people that are working from
home, you have people that are working from the office, you have people that are working from the lobby of the office, people that are working from the airport, the coffee shop, everything, right? All of that introduces risk. And that risk is growing day by day. It's growing click by click, right? It's growing, you know, second by second. So if we don't have the understanding, the experience, the resources to be able to support that growing change.
It's all that's going to hurt in our organizations, right? The CISOs are being pulled into firefighting, right? Versus being able to be proactive as a lot of them want to be. So with that, it forces them into being more so reactive than proactive. And I'm really big on an ounce of preparation is worth a pound of cure. So.
If they had that time to be able to prepare to be able to automate certain things, I have no doubt that they would, but they just don't have the time to because they don't have the teams to.
Samara Lynn (10:38)
Right. Right.
Tim Tipton (10:39)
So that's one, I'd say another from more so a technical perspective would be AI. And I know that's a buzz at this point, but again, I'm seeing like firsthand that organizations are implementing or integrating AI without having appropriate governance frameworks in place, right?
You can have a single security control in place. You can have a DLP solution in place. You can have, you know, access management or access controls in place, but none of that functions appropriately if you don't have a governance framework in place. You something that explains the ethics, the transparency, the nature of what the AI is used for, right? Who's overseeing it? Who should be using it? What should they be using it for?
what the flow of the data is, what they can and can't put into it. I've seen plenty of times where, you know, we're auditing large language models or, you know, people using chat GPT for certain things. And I'm not a fan of chat GPT too much. But people will drop client data or proprietary data into the public facing version of chat GPT. Right.
Or they'll use copilot to do their day-to-day job, which I see AI as an enabler, right? It can help. It can assist us greatly with the tasks that would take us away from being more so innovative and forward thinking, right?
Samara Lynn (12:16)
I want to be mindful of our time and I'm so thankful to you for this opportunity for the interview. I do want to ask you one last question. For you know, cyber security is probably not a profession that's going to go away any it's anytime, even though there are threats of AI taking over a lot of the human labor. But for a young future IT leader looking to get into that space.
What would be your advice for them to focus on?
Tim Tipton (12:42)
My biggest advice for them top three things right one focus on the psychological aspect right be able to influence change be able to understand how people think why they think a certain way how to soothe any you know underpinnings of hesitation that they may have from a cyber security perspective you know the certifications will help with the foundational understanding of the concepts themselves.
but you still need to do the work on top of that to differentiate you from AI, right? So that way you can work hand in hand with it. AI is not going to do away with cybersecurity. AI is going to make it to where we can focus on the more important things while we have it assist us with taking care of, you know, the more mundane things that drive us into being more insightful and proactive. Second thing would be don't let
any gatekeeping or, you know, turning, being turned down or anything of that nature push you away from wanting to enter the field. You know, I was fortunate I joined the Air Force when I was 17. this field is
Samara Lynn (13:49)
Maybe
Tim Tipton (13:51)
always looking for fresh faces, right? We just have to push, we have to be driven, we have to be able to forecast and find a niche for ourselves, not just find one to fit into. I've always been really big on how can I differentiate myself from the next person because there are plenty of people out there that think that cybersecurity professionals are a dime a dozen and you can find them anywhere.
You want to differentiate yourselves. And then the third thing. I'm not going to say, you know, certification, certification, certifications, even though certifications are big. Have fun, right? Figure out ways to be able to.
push it forward and drive new things without letting it stress you out. Every career would stress you out if you let it. This career field is always changing. It's very dynamic in nature. You need to come into it understanding that and accepting that. The more open you are to that change, the more you can have fun and prepare for changes that may come with certain subsects or umbrellas or arches of this whole domain, right? So have fun with all of
Samara Lynn (14:58)
Well, you are certainly wise beyond your years. And also thank you very much for your service. I think it's very commendable how you made that transition from the armed forces into the private sector and you thriving in this great career. So thank you.
Tim Tipton (15:15)
I appreciate you.