The U.S. Federal CISO and His First 100 Days
In September 2016, the White House announced the appointment of retired Brig. Gen. Gregory J. Touhill as the first federal chief information security officer (CISO). Touhill’s job is to drive cybersecurity, planning and implementation across the government. This announcement is presented as the culmination of several actions undertaken by the executive branch to enhance the cybersecurity posture of the U.S.
Introducing the First Federal CISO
As the new CISO puts his hand on the tiller of federal information security needs, the cybersecurity ship already has four specific initiatives aboard, all of which were initiated during the federal fiscal year 2016. These are the:
- Cybersecurity National Action Plan (CNAP) in February 2016;
- Commission on Enhancing National Cybersecurity (CENC) in April 2016;
- Information Technology Modernization Fund (ITMF) in April 2016; and
- Cybersecurity Strategy and Implementation Plan (CSIP) in October 2015.
Shaping National Cybersecurity Strategy
In July 2016, the administration issued its first Federal National Strategy on Cybersecurity. The strategy included four key initiatives, all of which focus on national cybersecurity issues:
- Expand the cybersecurity workforce through education and training;
- Recruit the nation’s best cyber talent for federal service;
- Retain and develop highly skilled talent; and
- Identify cybersecurity workforce needs.
In an open letter to Touhill, the (ISC)2, an international nonprofit membership association focused on inspiring online safety, suggested the new federal CISO focus his efforts on a few key areas, including:
- Cyber versus general workforce needs: It’s important to consider the needs of both the cyber and general workforce when devising security policies.
- Improving awareness: Increased awareness and vigilance will lead to better cybersecurity practices.
- Effectively addressing the shortage of talent: The role of the cybersecurity professional is evolving due to the IT skills gap, demand for specialized training, industrywide emphasis on risk management and other factors.
These recommendations should interweave nicely with the foundational direction provided by the White House, specifically the efforts of the CENC. The CENC’s 12-person, bipartisan commission, under the leadership of Thomas Donilon, President Barack Obama’s former national security adviser, and Sam Palmisano, the former chief executive of International Business Machines Corp.
The aim of the CENC will be to create a list of actions that both government and private organizations can take to improve the country’s overall security posture, Donilon said at the CENC’s public meeting on Nov. 21. The report will be reviewed for 45 days — through Jan. 15, 2017 — and then made public.
From the Horse’s Mouth
On Nov. 16, Touhill wrote a blog post, titled “My Priorities as the First U.S. Chief Information Security Officer,” detailing the five initiatives on which he intends to build the CNAP. According to this article, he has plans to do the following:
- Harden the workforce. Embrace the Cybersecurity Workforce Strategy and, in doing so, increase awareness among the nation’s cybersecurity workforce and employ best practices in protecting citizens’ information.
- Treat information as an asset. Identify the data that needs protecting and protect that data appropriately.
- Do the right things the right way. Use industry best practices to reduce the likelihood of cyber incidents and data breaches. Then practice and perfect how data is protected.
- Continuously innovate and invest wisely. Outdated equipment and processes allow for vulnerable infrastructure. Leveraging the Information Management Task Force (IMTF), efforts will be made to modernize antiquated systems.
- Make informed cyber risk decisions at the right level. Make sure the information required to make decisions is being delivered to the decision-makers.
The first 100 days of the federal CISO’s tenure is ambitious. With the support of private sector expertise, academic resources and the impetus of the IMTF, however, the CISO will march into 2017 with plenty of momentum.