Hubbard Radio Washington DC, LLC. All rights reserved. This website is not intended for users located within the European Economic Area.
On Air: Federal News Network
Distinguished cybersecurity career leads to a Presidential Rank Award
This fed has a long career as an engineer and cyber security practitioner for the Navy and Marine Corps. He reached the Senior Executive Service years ago. Now ...
This fed has a long career as an engineer and cyber security practitioner for the Navy and Marine Corps. He reached the Senior Executive Service years ago. Now he’s on the civilian side of government, as the chief information security officer for the Homeland Security Department. The Federal Drive with Tom Temin talked with this latest recipient of a Presidential Rank Award, Ken Bible.
Interview Transcript:
Tom Temin And I still think of you as the Marine Corps chief information security officer, because you were there so long.
Ken Bible But that’s not a bad thing.
Tom Temin But now you’re at DHS. Well, I guess my first question is, what did they tell you got this award for?
Ken Bible Well I hope it recognizes the continuous or continued service that I’ve had as an executive. You mentioned the Marine Corps contributions or the time that I spent in the Pentagon and really working through the network modernization plan for the Marine Corps, some of the investments that I championed and resilient communications as we were coming out of the land wars and moving into more maritime expeditionary and the tactical cloud, really being a champion for the tactical edge and deployment of cloud technology. But in DHS, I came over in January 2021, which, right as the scope of the SolarWinds incident was really being realized. And I think the focus within DHS was the leadership that I had in the recovery effort and really enduring types of things that we’ve been able to put in place as a result of thinking about that recovery. So things like our need to be able to prioritize cybersecurity investments. So we develop a unified cybersecurity maturity model, which allowed us to look at ourselves at a program component and as a department level in terms of our cybersecurity maturity, and prioritize investments that we’re making. Importantly, to thinking about supply chain risk management, which is really at the heart of what happened in SolarWinds and really catalyzing some discussion about how would we assess our vendors who build systems for us or that provide services for us? So that’s translated into a cyber hygiene assessment that was part of the Secretary’s priority on using our contracting authority to build up American cyber security posture and industry. I think that’s been very profound and impactful. So I’m very proud of that work. And then third, just how we look at ourselves in different ways. So launching the hack, DHS initiatives that we put in place to be able to debug bounties, to bring external researchers in, to look at our systems. And as CIO [Eric] Hysen says, the cheapest insurance you can buy, because now you’re leveraging the power of the external researcher to see what might have been missed when a program was being developed.
Tom Temin All right. And so that implies then, that for all of the stories over the years of cybersecurity breaches, all of the policies released, the laws issued. There is progress in cybersecurity for the federal government.
Ken Bible I think so, yes. The challenge we have, as probably others have talked about, is that we keep on shouting that we need more money for cybersecurity, but we have very few objective ways of measuring whether we actually got what we paid for. And that was really to me, I can’t guarantee that a breach isn’t going to happen, but what I can do is focus the investments that’s being made so that I optimize my chances that I’m going to avoid that breach. Or if I do have a breach, I can contain it rapidly and avoid the loss of data.
Tom Temin And you bring an engineering background, a pretty solid engineering background to this, even though the most recent jobs you’ve had involve a lot of policy, a lot of compliance, a lot of budget planning and so forth. But even in those activities, do you think that the engineering background is helpful?
Ken Bible I absolutely do. I always go back and say that at the heart of my thinking is having an engineering background. My very first job as a nuclear engineer at the former Charleston Naval Shipyard in Charleston, South Carolina really embedded in me this desire to kind of understand and quantify what I was doing, quantify what I’m trying to go achieve as an outcome. And so that discipline of engineering has carried through with me for the entirety of my 39 years as a federal employee, and certainly, the last 10 or 11 as a senior executive.
Tom Temin We’re speaking with Kenneth Bible. He’s chief information security officer of the Homeland Security Department and one of this year’s Presidential Rank Award winners. And the other thing I think maybe that ties in from specifically the nuclear engineering idea is that in that domain, you have to really control your variables. And if one variable changes in one place, you better document it and know what it’s going to mean down the line because of the potentially disastrous consequences. Does that also kind of seems like it should play in cybersecurity also?
Ken Bible I think it does. We certainly look at it or I’ve tried to go look at it through the lens as part of this unified cyber security model, that there are many different aspects, different facets that you’re trying to employ as part of a cybersecurity program. And you’ve got to balance those. And if you take away from one area, you’re exactly right. You’re going to impact a secondary area. And how do you balance that? This is about risk management. It’s not about risk avoidance because there’s always going to be risk. So how do you start to go get some sort of a objective feel for where you’re carrying those risks. And then how do you want to mitigate them where it’s appropriate.
Tom Temin Risk management should lead to disaster avoidance I guess that’s what we mean.
Ken Bible Yeah, that’s exactly right. Exactly right.
Tom Temin And on the issue of public service and the civil service that you’ve been a member of for so long, comments on, what does it take to kind of have a consistent career and consistent motion in what can be pretty heavy waters sometimes.
Ken Bible To me, it’s always been about staying curious. I talk about this sometimes with students or very frequently with students, that the job that you end up in hasn’t been invented yet. And that certainly was true for me. I mean, Steve Katz just passed away. He was the first CISO or credited as being the first CISO in history. The role that was 1990 something. I started my career in 1985. The role that I’m in didn’t exist. In fact, much of cybersecurity was still very nascent, wasn’t really a big construct in people’s minds when they were using technology back in the 80s and 90s. So this is about staying curious, being able to learn new things as you go along in your career, not being afraid of learning those new things because the government provides opportunities at a very early level in your career to take on a tremendous amount of responsibility. I’ve seen it in my career, and we’re seeing it certainly with the new cyber talent management system that DHS has put in place. These entry level candidates that we’re bringing on board bring tremendous amounts of experience from other work that they’ve done, and they can come in on the ground running and be able to contribute to the cybersecurity mission of the department. And they’re curious. That’s the key. Stay curious, stay willing to learn.
Tom Temin And as CISO of DHS, with its many components, that seems to be a perennial challenge for people that have agency wide or department wide jobs at a place like DHS, when all the components have a great deal of autonomy and budgets and their own CISOs, what’s the best advice for managing that for people that might be headed to that SES level?
Ken Bible Well, it goes back into the executive core qualifications. One of the key executive core qualifications in my mind is building coalitions. And how do you bring people together in terms of how to govern? I’m extremely proud of the CISO Council that I’ve been able to foster in DHS, because it’s the CISOs from all of the components, and that’s not me making a decision unilaterally for the department. I’m the CISO for the Department. I cover the entirety of the department, not just headquarters or management, but I have the counsel of these CISOs from all across the department. And these are smart folks, and they provide extremely good advice and collaboration as we think about how to do things department wide. I would say, going back to the reason perhaps, that I was nominated for the PRA is also that piece of how do you make decisions? How do you govern? And it was very important to me coming over from the Pentagon to bring those constructs of how do you build a team, how do you build that decision making capability for the department? And I think we’ve got one of the most effective councils out there that I’ve seen anywhere in government. I’m extremely proud of that having been able to bring that together and lead that group through some pretty major decision over the last three years.
Tom Temin And if you look at your career [ Space and Naval Warfare Systems Command (SPAWAR)] and Navy and Marine Corps and Homeland Security Department, there is one thread and that is big and bureaucratic, and not because they’re evil, but just because bureaucracy goes with size more than with domain. At some point, would you ever like to work for maybe a small hardware store?
Ken Bible Well certainly being involved in smaller scale work has some appeal. I mean, I think that maybe regional the challenge with having been and performing and working at a federal department level, the third largest federal department, is that you really have a desire to see that impact. You really desire to see what your impact is on the missions of something as large as DHS. DHS, across its different components, interacts with the public more than any other federal agency in the government. It’s kind of hard to kind of say, well, I don’t want to do that anymore or to impact that kind of a mission. It’s been very rewarding and humbling to be part of an organization that has that kind of mission.
Tom Temin So you won’t be like [Lyndon B. Johnson] LBJ leaving the White House and running his ranch and four ranch hands as if it was the White House, huh?
Ken Bible I don’t know, I have two toy poodles that might want to weigh in on that. They might just want to have my attention full time. But I think I want to be able to continue to contribute and have an impact, whether that’s helping and governance in some fashion in corporate or being able to advise and continue to contribute. I think that goes back to once you’ve built this mindset of curiosity and wanting to learn, that doesn’t stop. So I think to me, I gotta eat my own dog food there. If I say that’s an important characteristic, let me live that mission.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED
