Greg Touhill may have, at this moment, the hardest job in government.
America’s first chief information security officer (CISO), Mr. Touhill, inherits a federal cybersecurity landscape that faces serious challenges. (ISC)² research such as the Federal Cyber Executive Survey, conducted in March with KPMG, shows that roughly 7 out of 10 federal cybersecurity executives and the contractors they work with believe the federal government as a whole cannot detect cyber attacks.
How can our new CISO close that gap in capabilities, perceived or real? By getting out from behind his desk and knitting together the nation’s various information security regimes into a cohesive, thoughtful whole.
Touhill is going to be in the best position to coordinate our efforts across all the nation’s civilian agencies. By engaging with cybersecurity leaders across government, he can foster a relationship of trust and openness within the government that will make sharing tools, disseminating lessons learned and building wide-ranging strategy easier.
That coordination will also involve improving the technology guarding our nation’s networks. The federal CISO, on whose shoulders rests an enormous responsibility for protecting our digital borders, is uniquely situated to champion a new way for the federal government to acquire and implement new technology across the board.
Today, the process for acquiring new technology is broken. With Touhill’s help, it won’t be perfected overnight, but it could certainly be improved.
Technology, though, is only one part of the picture, as Touhill himself recently pointed out.
“Cybersecurity isn’t about technology,” he told attendees of the Billington Cybersecurity Conference. “If we become fixated on the technology itself and not be focused on the strategic impacts of risk and the like, we’re missing the boat.”
While remaking the nation’s way of approaching cybersecurity, Touhill doesn’t have to reinvent the wheel. In some ways, simple fixes can go a long way: evolving how our agencies think about the problem at hand by focusing on risk, breaking bottlenecks, improving processes, and adding technological expertise.
In the lane of “easy wins,” it will be vitally important to leverage the good work that our cyberdefenders have done for years. Cyber hunting teams at the Department of Homeland Security (DHS) should benefit from the years of work done by the National Security Agency (NSA) in a similar capacity, for example. By centralizing and helping disseminate hard-earned wisdom, the new CISO would accelerate cybersecurity improvements.
With that work in place, our new CISO will be in a great position to build bridges between government, academia and the private sector in pursuit of the next generation of workers the government desperately needs. The drive for civilian information security talent in the federal government will have a clear champion and spokesperson for the first time, offering a new opportunity to re-engage the partnerships built by institutions like the National Initiative for Cybersecurity Education and the Department of Defense.
Finally, we should all be careful to measure the impact of the nation’s first CISO in ways that the new office actually controls.
Our knee-jerk reaction to look for fewer breaches isn’t the most useful approach. Breaches are going to happen even with the best digital defenses. Instead, we should evaluate how effectively we react when the inevitable occurs. Can we root attackers out of our networks faster? Can we reduce the number of records affected, on average? Can we keep breaches away from our most important national data?
To this end, Touhill is already signaling an approach that will get America’s cybersecurity moving in the right direction: toward focusing on risk.
“Our entire national prosperity is now interwoven with information technology,” he continued, “but you can’t defend everything equally. You have to defend what’s really important. Across our society, our business community, and our government, we have to have better situational awareness. We need to be [reorienting] ourselves toward the risk discussion and then the rest falls into place.”
I couldn’t agree more. An orientation toward managing risk versus seeking silver bullet solutions is a great place to start — even if there are miles to go from there.
Godspeed, Mr. Touhill. We’re rooting for you.
Dan Waddell, CISSP, is the Director of US Government Affairs and the Managing Director for the North America Region of (ISC)². You can follow him on Twitter @DanWaddellCISSP.