Modern field guide to security and privacy

How America’s first chief information security officer can make his mark

The nation’s first-ever chief information security officer (CISO) has a big task — and can make a big impact.


Greg Touhill may have, at this moment, the hardest job in government.

As America’s first chief information security officer (CISO), Mr. Touhill inherits a federal cybersecurity landscape that faces serious challenges. For example, (ISC)² studies such as the Federal Cyber Executive Survey, conducted in March with KPMG, show that about 7 out of 10 federal cybersecurity executives and the contractors they work with think the federal government as a whole can’t detect cyber attacks.

How can our new CISO close that gap in capabilities, perceived or real? By getting out from behind his desk and knitting together the nation’s various information security regimes into a cohesive, thoughtful whole.

Touhill is going to be in the best position to coordinate our efforts across all the nation’s civilian agencies. By engaging with cybersecurity leaders across government, he can foster a relationship of trust and openness within the government that will make sharing tools, disseminating lessons learned and building wide-ranging strategy easier.

That coordination will also involve improving the technology guarding our nation’s networks. The federal CISO, on whose shoulders rests an enormous responsibility for protecting our digital borders, is uniquely situated to champion a new way for the federal government to acquire and implement new technology across the board.

Today, the process for acquiring new technology is broken. With Touhill’s help, it won’t magically become perfect overnight — but it could certainly be improved.

Technology, though, is only one part of the picture, as Touhill himself recently pointed out.

“Cybersecurity isn’t about technology,” he recently told attendees of the Billington Cybersecurity Conference. “If we become fixated on the technology itself and not be focused on the strategic impacts of risk and the like, we’re missing the boat.”

While remaking the nation’s way of approaching cybersecurity, Touhill doesn’t have to reinvent the wheel. In some ways, simple fixes can go a long way: evolving how our agencies think about the problem at hand by focusing on risk, breaking bottlenecks, improving processes, and adding technological expertise.

In the lane of “easy wins,” it will be vitally important to leverage the good work that our cyberdefenders have done for years. Cyber hunting teams at the Department of Homeland Security (DHS) should benefit from the years of work done by the National Security Agency (NSA) in a similar capacity, for example. By centralizing and helping disseminate hard-earned wisdom, the new CISO would quicken cybersecurity improvements.

With that work in place, our new CISO will be in a great position to build bridges between government, academia and the private sector in pursuit of the next generation of workers the government desperately needs. The drive for civilian information security talent in the federal government will have a clear champion and spokesperson for the first time, offering a new opportunity to re-engage the partnerships built by institutions like the National Initiative for Cybersecurity Education and the Department of Defense.

Finally, we should all be careful to measure the impact of the nation’s first CISO in ways that the new office actually controls.

Our knee-jerk reaction to look for fewer breaches isn’t the most useful approach. Hacks are going to happen even with the best digital defenses. Instead, we should evaluate how effectively we react when the inevitable occurs. Can we root attackers out of our networks faster? Can we reduce the number of records affected, on average? Can we keep breaches away from our most important national data?

To this end, Touhill is already signaling an approach that will get America’s cybersecurity moving in the right direction: toward focusing on risk.

“Our entire national prosperity is now interwoven with information technology,” he continued, “but you can’t defend everything equally. You have to defend what’s really important. Across our society, our business community, and our government, we have to have better situational awareness. We need to be [reorienting] ourselves toward the risk discussion and then the rest falls into place.”

I couldn’t agree more. An orientation toward managing risk versus seeking silver bullet solutions is a great place to start — even if there are miles to go from there.

Godspeed, Mr. Touhill. We’re rooting for you.


Dan Waddell, CISSP, is the Director of US Government Affairs and the Managing Director for the North America Region of (ISC)². You can follow him on Twitter @DanWaddellCISSP.
