MES IT Leader Spotlight Series: Tim Tipton, From Air Force CISO To Private Sector

MES IT Leader Spotlight is a series featuring midmarket IT leaders – their backstory, their biggest successes and challenges, their day-to-day roles, and even advice for their peers. In this edition, the spotlight is on Tim Tipton, principal security architect at Arctiq.

(Tim Tipton, Princial Security Analyst, Arctiq)

Tim Tipton currently serves as principal security architect at Arctiq, a managed service provider that is listed on MES Computing’s sister site, CRN’s Managed Service Provider (MSP) 500 list in the Elite 150 category for 2025.

Tipton has also served several stints as a CISO, holding the position while serving in the Air Force and then moving into a private sector role as CISO. He holds several security-related certifications including Security+, CAP, CASP, C|EH, PMP, GPM, and CISSP.

MES Computing spoke with him about the differences between working in cybersecurity in the military and private industry, his biggest success to date, and the major challenges cybersecurity professionals currently face.

Talk a bit about your background.

I was in the Air Force as a CISO, it was more so my final duty station, while I was in Washington, D.C., I was stationed at Bolling Air Force Base.

I made sure that [we] complied with the NIST risk management framework. Made sure the ATOs [authorizations to operate] go off without any worries. Make sure nobody loses network access.

I loved it because the best thing about the Air Force is there’s always that sense of urgency.

How did you make the transition into the private sector?

I took my certifications, I took my experience and everything, and then I was like, let’s see what the private sector has for me.

The SkillBridge program is an amazing program that the DOD has in place specifically for transitioning service members. Transitioning service members have up to 180 days before their separation date to where they can do an internship with a company that allows them to refine their skill sets and prepare them for life outside of the military.

And the company that initially reached out to me about the SkillBridge opportunity, it was 7 Eagle Group, a guy by the name of Jordie Kern, super awesome guy. He was the founder of 7 Eagle Goup. He reached out to me and told me that there was this company named Vipr SOC ... that was looking for a cyber security analyst.

[While there] I developed our audit and assessment arm, our vulnerability management arm, our threat management arm ... penetration testing, blast radius reconstruction for incidents, forensics analysis.

But after I joined Vipr SOC ... Jay Sheehan, who’s a really good friend of mine now, was like, ‘Hey, you want to be my CISO?’

Were you always interested in the cybersecurity space, or did that interest develop in the military?

I’ve found very early on that I’m a creative person, I’m a music producer, I’m an author, I do a whole bunch of different stuff. I always wanted something that, in a sense, colored inside the lines or was easily defined or easily explained.

You can’t easily explain music, it’s more an emotion and a feeling. You can’t easily explain art because it’s something that just naturally happens. But with cybersecurity, there’s an explanation for everything, no matter how dynamic or nonlinear the environment is.

What’s the biggest difference between working as a CISO in the military versus the private sector?

The biggest difference is in the military there is no real pushback or stopping [a] change from happening. It has to happen because this is a mandate that came down from who oversees our network, or direct mandate from the president.

That differs from the outside greatly, because a single person on an executive board or in the C-suite, can stop one of the most important controls from being implemented within an organization.

[Then] the Air Force pays, the military pays thousands of dollars for a single toilet seat. Security teams can’t even get a couple thousand for budget, right? A lot of the time, security teams, their budget is rolled in with the IT budget, and whether we want to accept it or not the IT budget is going to take precedence or priority over the security budget every single time.

What is your biggest career achievement to date?

Being able to help people understand how to influence change at an organizational level based off of different personality types and character traits within C-suite, users, executive boards, directors, managers, all of those different types of roles, the stressors that we face as cybersecurity professionals; how to identify them, how to be able to help your team get through those, overcome those, and thrive.

What are the current biggest challenges cybersecurity professionals currently face?

I’m now at Arctiq as the principal security architect. You see the [labor] shortage firsthand in organizations. They have copious amounts of tool sprawl. They have hybrid workforces. You have people that are working from home, you have people that are working from the office. You have people that are working from the lobby of the office, people that are working from the airport, the coffee shop, everything, right? All of that introduces risk.

Another [challenge] from more a technical perspective would be AI. Organizations are implementing or integrating AI without having appropriate governance frameworks in place. You can have a single security control in place, you can have a DLP solution in place. You can have access management or access controls in place, but none of that functions appropriately if you don’t have a governance framework in place, you need something that explains the ethics, the transparency, the nature of what the AI is used for.

What’s some advice you would give for those looking to enter the cybersecurity field?

My biggest advice ... focus on the psychological aspect. Be able to influence change, be able to understand how people think, why they think a certain way, how to soothe any underpinnings of hesitation that they may have from a cybersecurity perspective.

Certifications will help with the foundational understanding of the [security] concepts themselves, but you still need to do the work on top of that to differentiate you from AI so that way you can work hand in hand with it.

AI is not going to do away with cybersecurity. AI is going to make it to where we can focus on the more important things ... assist us with taking care of the more mundane things that drive us into being more insightful and proactive.

[Also] don’t let any gatekeeping or being turned down, or anything of that nature, push you away from entering the field. I was fortunate. I joined the Air Force when I was 17.