If ever an organization needed a chief information security officer (CISO) it was the federal government.
Between the Eric Snowden leaks, Office of Personnel Management, and the long, drawn-out saga centered on former Secretary of State Hillary Clinton's email server, the U.S. government was desperately in need of a strong hand on the national cybersecurity tiller.
Since Sep. 2016, retired U.S. Air Force Brigadier General Gregory J. Touhill, named the country's first CISO by President Barack Obama, has been at the helm. Touhill's appointment was part of the Cybersecurity National Action Plan, which also included the Commission on Enhancing National Cybersecurity, the Information Technology Modernization Fund and the Cybersecurity Strategy and Implementation Plan.
“In my new role, I hope to continue shaping the cybersecurity conversation from a technology focus to one that focuses and aligns to risk management best practices,” Touhill wrote in a recent blog post.
The Obama administration's choice of Touhill and the creation of the role was lauded by the industry. “There is a very high regard for Gen. Touhill in the industry and it is safe to say it was a good idea to establish the position,” said Larry Ponemon, founder of the Ponemon Institute.
Mark Hutnan, VP and GM of U.S. federal operations at Qualys, noted that Touhill will be instrumental in tying together the disparate cybersecurity teams sprinkled throughout the federal government into a coherent team. “Every federal agency has a CISO that performs independently, and the new Federal CISO role will bridge the gap between each individual CISO. The role is crucial because it enables coordination and collaboration by all CISOs across the federal realm, ultimately broadening communication and improving processes,” Hutnan said.
Despite the praise Touhill is receiving, there is a possibility his tenure as federal CISO could be short-lived. Because he is a presidential appointee, President-elect Trump could replace him. “Given that Gen. Touhill is a political appointment, and the somewhat difficult conversations about cybersecurity during the presidential election, one has to wonder if he will survive through the transition to a Trump White House,” says Tim Erlin, director of IT security and risk strategy at Tripwire.
Touhill recently published a list of priorities that he hopes to accomplish during his first year in office. First among them is to “harden the workforce,” followed by treating information as a valuable asset and implementing best practices, investing wisely in equipment and software and helping leaders make the correct decisions.
“Another important lesson I learned is that it is critically important to have a well-defined and easy-to-understand goal,” he said. The nation's cybersecurity goal is simple, he wrote: “To support an open and transparent government where the people's information is protected and privacy, civil rights, and civil liberties are preserved.”
Touhill's USAF résumé and military accomplishments run the gamut from obtaining a master's degree in systems management at the University of Southern California, to director, command, control, communications and computer systems, U.S. Central Command Air Force, and director, C4 Systems, Combined Air Operations Center, Southwest Asia to finishing up his career in 2013 as director, command, control, communications and cyber systems, U.S. Transportation Command.