
An interview with Tony Scott, former CIO for the US Government - Part one


Tony Scott, the third CIO of the United States Federal Government in the nation's history, is one of the world's foremost security and IT experts. Prior to his tenure as US CIO, Tony was the CTO at General Motors and CIO at Walt Disney, Microsoft, and VMware. He now serves as Chairman of The Tony Scott Group and is also currently a member of the ColorTokens board.

Tony recently joined Bridgeway and ColorTokens for a webinar focusing on Navigating the Zero Trust Journey (you can watch that here). Keely Brooks, Marketing Manager, and John Airey, Business Unit Director at Bridgeway, caught up with Tony shortly after the webinar for a two-part blog series; this first part focuses on Tony Scott's history, with his top tips and advice on how to become a CIO.
Keely: As someone who has achieved unbelievable success in your career, is there anything you would have done differently?
"I think when I look back over time, one of the things I realise is that early on in your career, you may be too hesitant to take certain actions. Whether it's people decisions, technology decisions, or something else.
As a technologist, you're always wanting more information, and sometimes that causes a slow reaction. When I look back, I now realise that whilst I did end up making good decisions based on the data that was available at the time, my instincts all along told me that I could have probably made those decisions much quicker.
I think with experience, leaders can often act on instinct more rapidly than earlier in their career, because they have the benefit of experience that lets them feel more confident that if I do X, Y will be the result.
So that's probably one of the biggest learnings I've had, act sooner rather than later. Time is usually your enemy on especially big decisions.
The rule I've always had is, you can sleep on it overnight, but if you sleep on it for a week, it's too long. I was also trained as a lawyer, so part of the lawyer training is you mentally look at things from multiple angles. You look at what the pro and the con is for everything, what would I do if I were arguing this case, either as a prosecutor or as a defendant of the action? I think it's important to go through that mental exercise, but then at some point, you have to come to a conclusion. I like to do that, I like to look at different sides of something, ponder it just a bit, and then make a decision.
Sometimes making that decision is also in what will I do if I turned out to be wrong? What are the next two or three steps that I would take? So, thinking longer-term is also a part of that process.
Sometimes you learn by making a decision and getting some feedback and data, and then it's like steering a boat.
There's wind and there are waves, all of this alters your course as you go through that journey, and you have to take small corrective steps pretty much all of the time."
Keely: You spent the most recent part of your career at household names, but what was your first job? If it was different from a role in technology, what was it?
"Well, my very first job was working as a recreation leader for the local parks and recreation department. I did that kind of work for several years, culminating in what we called juvenile delinquent teenagers at the time, but now they're called at-risk youth. I was a counsellor for at-risk youth, taking kids backpacking and skiing and getting them out of the city environment into a more wholesome environment.
My first tech-oriented job was working for Myriad Corporation at a time when they were in the theme park business, they had two parks called Myriads. We purchased some Apple II Plus computers to help do a better job of scheduling labour and forecasting attendance. So I was part of a team that developed software on those two business problems using Apple II technology at the time and that’s where I learned to write software.
My role on the team was really to appropriately characterise the business problems we were trying to solve in a way that could be reduced to software. I'll say that set the hook in me and convinced me that software was the future. At this time, I also met Steve Jobs and Steve Wozniak and it just launched a whole bunch of fun stuff!"
John: Do you remember the first time you saw the results of something you'd coded?
"Sure, the first example was again at Myriad, we were using a timeshare program at the time, from Computer Science Corporation to try to schedule labour and it took us about six weeks of trial and error with the Apple II. Part of this being me just coming up the learning curve in terms of coding and understanding what a computer like this could do. But after about six weeks, we were regularly matching or improving on the performance of this Computer Science Corporation software for scheduling labour.
When we projected out what we could save, it was hundreds of thousands of dollars in savings, if we could really get this fine-tuned. Of course, that provided great motivation to keep going."
Keely: If there was one piece of advice, like a golden nugget piece of advice you could give to any budding CIOs who are just leaving school/college/university, what would that be?
"I think a mistake a lot of people make early on is to focus too narrowly. I've found that while focus is important, it's also a really good idea to explore a little bit and learn about some of the adjacent disciplines that ultimately will make you successful. So, in my own case, I started off literally writing software.
You could have called me a programmer and I could've just done that, but I quickly got interested in the operational side of things like ‘how do you keep this stuff running? How do you make it easier for the end-user to interface with the software that you've written?’.
As I went through that discovery journey, it helped me form a better picture of what the more strategic issues were going to be in the context of problems that I would deal with later on. So, after a few years, I understood development, operations, maintenance, sales, and marketing, and a whole bunch of some of the legal and patent issues related to software.
I think that served me well later on because I had a greater awareness of the total context that I was working in."
John: How would you recommend somebody of that sort of age and stage in their career gets exposure to all those different things? Do you have any advice on how somebody would manage to get exposure to different disciplines?
"I think the first one is work hard. If you're successful in what you're doing, you're more likely to get the attention of your boss and other people in your sphere. I’d also say, let your desires be known in a positive way, but the first one is to do a good job and work hard at what you're assigned. When I've had people working for me and they're a hard worker and they're really excelling at what they're doing and they come to me and say they’d like to try some other things, I'm really willing to help that person do it.
If on the other hand, somebody comes in and they're failing at what they're doing, and they don't have a really good argument for why I should give them a different opportunity, it's going to fall on deaf ears."
Keely: In one of your previous interviews, we read that the OPM breach was one of the worst days of your career. We'd be interested to hear what one of the best or the best day of your career was if you can pick one!
"It's really hard to pick one, but the best memories I have are really the people memories, some of the great teams that I've had a chance to work with and seeing those people succeed in their careers, those are the rewarding moments.
Now as sort of a senior statesman, if I can call myself that, it's great to reconnect with people I've worked with over the years and see their own success in the world.
As for moments, I met a bunch of famous people working at Microsoft with Bill Gates, I got to meet Warren Buffett, and of course, meeting President Obama.
In fact, I've met and talked with four different presidents over my career, those are some of the celebrity things that stand out, but the real joy comes from the people that I've worked with and the contributions they've made, both to my success, but now hopefully, my helping their success as well."
John: Is there anything that you could see that’s been common amongst those really good teams that you've worked with?
"I think it's the trust that comes when you have a good team.
You assemble a team that's got different skills, different points of view, different biases. We're all humans and we all have different strengths and weaknesses. When you get a good team together, you can develop trust, but you can also understand what everybody else in the team is good at and conversely not good at.
As a leader, you can then form a strategy or plan of action that really leverages the strengths of the team, and where there are weaknesses, work around those in some meaningful way. That’s been the fun part of being a leader of a high-performing team is, if you have that trust and you have the experience with them, you can do amazing kinds of things."
Keely: What are your top tips for making rapid change within a business?
"Well, it's probably an old cliche, but don't waste a good crisis. All organisations have crises from time to time, sometimes you can't wait for one to occur, and sometimes you have to actually create a mini-crisis of some kind by pointing out to people in the organisation, something that they're not seeing yet, but may be obvious to you.
I think that don't waste a good crisis also goes along with, create a sense of urgency around the things that you've prioritised and that you're going to work on, and if they're not urgent, why work on them at all?
Every organisation I've been a part of either had some very visible crisis almost at any point in time or had one working that they were maybe not fully aware of, but certain people in the organisation knew was coming. I think those are calls to action, not only for aligning organisational effort but also a time of transition where in many cases, technology can be a big leveraging factor to make the organisation better.
I'll give you just a couple of quick examples of those kinds of crises. One of the most memorable was at General Motors when we had a 5+ year product development process.
We could see our competitors were shortening that cycle very quickly, and we realised that at the end of the day, we're in a fashion business. If you could tell me what fashion is going to be five years from now, I'll be a happy investor, but the reality is you can't see five years ahead.
You can see a year or two ahead, maybe, so it became our mission to create an 18-month development process. It took us a couple of years to do it, but we ended up in a situation where we could think of an idea, design it, engineer it, get it over and test it and then get it over to manufacturing to start producing that product in 18 months.
Another example of rapid change was whilst I was at Disney. At the time, we were making tons of money selling DVDs, CDs and other forms of physical media, but we could see streaming coming around the corner and that was going to completely change the business model and put everything on a tilt.
We did not have the systems in place to be able to handle that, and we knew it was going to come quickly, so that created a sense of urgency to do what you need to do to survive. Every organisation I've ever been in has had one or more of those kinds of seminal moments where you either seize it and prosper, or you go the other way, and that's not fun."
Keely: How would you encourage a large organisation like that to innovate?
"Well, I think innovation is a slightly different thing than responding to some of these crises. I think of innovation that scales primarily when I think of large companies. I think there are many ways you can sponsor start-up ideas.
When I was at General Motors, for example, I had responsibility for our innovation process, when it came to IT things, and the lesson I learned was you have to start a lot of different things, give them a little time, water and fertilizer to grow and see what they can become.
However, at some point, you have to say, ‘this thing either has promise and we're going to continue to invest in it and scale it up to our broader institutional needs, or we're going to kill it’ because it's just not ready for prime time and now we have other priorities that we want to put our resources and energy into.
And so, I had a process there where every innovative thing we were doing had a beginning, a middle and an end, and the end decision was we're either going to double down on this and go like crazy and scale it to our institutional need, or we're going to shoot it and go to something else.
And frankly, there were a lot of good ideas that I said maybe in 5 or 10 years, this is going to be really good, but we've got to kill it now because it's just not something that is useful to us in the near term. It's brutal, but I think the benefit was I could be very clear with people about what our success criteria were going to look like, and it set a pretty high bar for them.
Sometimes it was achieved, most of the time it wasn't, but that was ok. And for me, the biggest part of that whole process is capturing the learning; part of our 'kill it' process was also, ‘what did you learn by doing this?’
Sharing that with the organisation was just one of the side benefits of creating an innovative culture in that organisation, that’s a nice thought."
Keely: If you could wave a magic wand to improve the cyber security industry in one area, where would you like to see improvement and what does that improvement look like?
"I think there's a couple of things that I would do, clearly software is king in the cyber security world. There's been a lot of talk about ‘software bill of materials’, which is ‘what goes into a piece of code that's running? Where did it come from?’ Many software developers have now signed on to the notion of creating a ‘software bill of materials’.
However, we need a spec and a standard to make those digitally inspectable, so that machine learning and AI can quickly scan those software bill of materials and understand when we might have a problem or something in that bill of materials needs deeper inspection. It’s really hard to do that today in any sort of useful way, in my opinion.
We need a standard around that, that is respected by everybody all around the world, I think that would be a big step.
The second suggestion is going to be a little bit more controversial probably, but in almost all areas of life, producers of products that fail or have problems that create harm in some way, are liable. There are product liability laws for almost everything we buy as consumers. To some degree, if you get shocked by an electrical appliance, harmed by a drug that you take, or there’s a defect in your automobile, for example, there's product liability that's attached to that.
Somehow the software industry has largely and completely escaped that, and big software producers are among the most profitable businesses there are. The argument has been made that product liability would stifle innovation, I don't believe that to be true, but I do think it would encourage more thoughtful engineering and a little more care in terms of how some of our products are produced and distributed and so on.
So, I'm in favour of some form of software product liability legislation or framework that would encourage that."
John: How would you see that playing out on a global scale, Tony?
"Well, I think the US has an opportunity to be a leader in this space. As an example, the EU took the lead in some of the privacy stuff. That's now commonly accepted around the world and has served as a model for much of the legislation that's taken place.
I think the US, because we're the source of a lot of software, has an opportunity to be a leader in that space and pave the way. You just have to make sure to have a lot of conversations with your counterparts all over the world to get agreement on some sort of framework, and in terms of how that would work, as the legal systems around the world are quite different in a lot of ways.
Therefore, what works in one country might not work in another country, but the core principles are things that at a high level could be agreed on and then local law adopted or adapted in some way to make it work for that region or that country. If we were able to actually put something like that into practice, what percentage of threats or attacks do you think would actually be faulty just by being able to do that in the first place?
I think it would do a couple of things right now, if there's a defect in software that you're running and the company knew about it and didn't inform you of it, that in the automobile world would be a recall. So I think you should have some liability if harm is caused by software defects and they should help pay for some of the costs of remediation and fixing it.
That's true whether it's a consumer or a business, I think there should be some culpability there and then some form of recovery. A lot of the details would need to be worked out, but to say it's just a free lunch and you can write whatever bad software you want and just throw it on an unsuspecting public, I think is a bridge too far, but it's where we are.
We wouldn't accept it with motor cars or washing machines or anything else, but for some reason, we do with software. I say that even with the knowledge that in general software quality overall is improving.
It's not like we're sitting still, but there are still some glaring examples of cases where great harm is caused and there's nobody taking any responsibility for it."
Keely: Would you like to give us your take on the Colonial Pipeline hack? Do you think they were right to pay the ransom?
"The question of whether to pay the ransom or not, I think rightly so needs to be a decision that every company makes or any organisation faced with that, and it's a business decision at the end of the day.
It's a question of ‘is the cost to do X greater than the cost to do Y, and what gets us back into a normal state of business more quickly?’ Particularly when there's a great public impact as there was in the Colonial Pipeline issue. That said, I hate the idea of paying a ransom, I think it's encouraging criminals to keep up with their bad behaviour.
In general, I don't like the idea, but I understand that it's a business decision that organisations have to make and should be allowed to make on an individual basis.
The interesting thing about the Colonial Pipeline hack is that they shut down the pipeline where there's a lot of OT kind of technology, and that's not where the exploit occurred.
The exploit occurred in their business systems, and they were afraid that it might migrate over to their OT systems, so they shut everything down in an abundance of caution, which I think is absolutely the right decision. Here in the US, we have many areas in our electric grid, gas distribution pipelines, water distribution, dams, and other kinds of things where a lot of that OT technology (the stuff that actually runs the equipment in these places) is pretty vulnerable. So, I think you're going to see a lot more of this kind of thing, and it concerns me greatly. I think we need to double down on our efforts to better protect those systems."
Keep an eye out next week for the second part of this two-part blog series which will go into further detail about why Tony thinks zero trust is the future and how the west can improve cyber defence capabilities. Sign up here to receive notifications when we post new blogs.
For more insight from Tony, as well as a live visualisation demo from ColorTokens, you can watch our recent webinar 'Navigating the Zero Trust Journey with Tony Scott' on-demand now:
You can also fill out our contact form here to have an informal chat with someone from the Bridgeway Team to find out how we can help you.