Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Do you enjoy listening to experts discuss their work? Sometimes hearing the subtleties of a person's voice communicates even more than a well-written summary of their thoughts. The spontaneity of intelligent conversation can illuminate a topic in ways that the strictly rational exposition characteristic of a written piece or a carefully prepared presentation may not always achieve. Federal News Radio (FNR) has a resource for anyone who likes to learn from such interviews.
Professor Gil Vega, CISSP, a colleague in (and graduate of) the MSIA program at Norwich University, recently spoke about risk management in his work as director of the Information Assurance (IA) Division of the Immigration and Customs Enforcement Division of the Department of Homeland Security (DHS).
Gil had a distinguished career in the U.S. Army from 1986 to 1991, serving in the military police, including in Desert Shield and Desert Storm; he served as a police officer and detective until 1998 and then became an information assurance specialist in industry and government. He worked for the Library of Congress Office of the Inspector General, the Joint Warfare Analysis Center of the U.S. Joint Forces Command and at the Office of Naval Intelligence before taking on his current role at DHS. He has been teaching in the MSIA program since 2005.
In his roughly 20-minute interview (excluding ads), Gil makes a number of valuable points about risk management. Here are some of the highlights that can stimulate discussion in any organization:
* Information assurance cannot become information prevention. He says that if his staff tell people “NO” then they have to
take responsibility for getting the job done.
* It’s impossible to eliminate all risk. The issue is balancing productivity and rational risk reduction through the effective
application of process, procedures and technology.
* He plunged into the real-world details of his organization’s work. His “ICE-101” tour involved participating in every aspect
of the agency’s mission. Education, familiarization and indoctrination into the culture are essential to understanding the
risks that the people in the organization are facing.
* With the IT security staff’s thorough familiarization with their colleagues’ priorities, security personnel can become more
like business consultants who offer secure alternatives instead of just blocking proposals.
* The Federal Information Security Management Act (FISMA) is greatly affecting security across the federal government. It
is forcing consideration of specific metrics and influencing their plan of action for reducing weaknesses.
* ICE is investing in extensive awareness and training programs, including computer-based training, and is implementing improved
technical defenses using a systems development life cycle process where security is baked-in rather than sprinkled on.
* Security is diversified throughout the organization so that all managers cooperate on improving controls, and upper management
take ownership of security rather than seeing it as purely the responsibility of the IA group.
* IA is becoming a multi-disciplinary area with many new programs, but there is still a critical shortage of IA professionals.
Recruitment efforts include industry conferences and college job fairs; the key characteristic he’s looking for is an interest
in contributing to a significant mission.
* Government employment is no longer stultifying. New investments in government programs are providing exciting opportunities
for IA professionals to engage in cutting-edge developments with new technologies and new schools of thought.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services.