The U.S. Federal CISO and His First 100 Days

In September 2016, the White House announced the appointment of retired Brig. Gen. Gregory J. Touhill as the first federal chief information security officer (CISO). Touhill’s job is to drive cybersecurity, planning and implementation across the government. This announcement is presented as the culmination of several actions undertaken by the executive branch to enhance the cybersecurity posture of the U.S.

Introducing the First Federal CISO

As the new CISO puts his hand on the tiller of federal information security needs, the cybersecurity ship already has four specific initiatives aboard, all of which were initiated during the federal fiscal year 2016. These are the:

Shaping National Cybersecurity Strategy

In July 2016, the administration issued its first Federal National Strategy on Cybersecurity. The strategy included four key initiatives, all of which focus on national cybersecurity issues:

  • Expand the cybersecurity workforce through education and training;
  • Recruit the nation’s best cyber talent for federal service;
  • Retain and develop highly skilled talent; and
  • Identify cybersecurity workforce needs.

In an open letter to Touhill, the (ISC)2, an international nonprofit membership association focused on inspiring online safety, suggested the new federal CISO focus his efforts on a few key areas, including:

  • Cyber versus general workforce needs: It’s important to consider the needs of both the cyber and general workforce when devising security policies.
  • Improving awareness: Increased awareness and vigilance will lead to better cybersecurity practices.
  • Effectively addressing the shortage of talent: The role of the cybersecurity professional is evolving due to the IT skills gap, demand for specialized training, industrywide emphasis on risk management and other factors.

These recommendations should interweave nicely with the foundational direction provided by the White House, specifically the efforts of the CENC. The CENC’s 12-person, bipartisan commission, under the leadership of Thomas Donilon, President Barack Obama’s former national security adviser, and Sam Palmisano, the former chief executive of International Business Machines Corp.

The aim of the CENC will be to create a list of actions that both government and private organizations can take to improve the country’s overall security posture, Donilon said at the CENC’s public meeting on Nov. 21. The report will be reviewed for 45 days — through Jan. 15, 2017 — and then made public.

From the Horse’s Mouth

On Nov. 16, Touhill wrote a blog post, titled “My Priorities as the First U.S. Chief Information Security Officer,” detailing the five initiatives on which he intends to build the CNAP. According to this article, he has plans to do the following:

  1. Harden the workforce. Embrace the Cybersecurity Workforce Strategy and, in doing so, increase awareness among the nation’s cybersecurity workforce and employ best practices in protecting citizens’ information.
  2. Treat information as an asset. Identify the data that needs protecting and protect that data appropriately.
  3. Do the right things the right way. Use industry best practices to reduce the likelihood of cyber incidents and data breaches. Then practice and perfect how data is protected.
  4. Continuously innovate and invest wisely. Outdated equipment and processes allow for vulnerable infrastructure. Leveraging the Information Management Task Force (IMTF), efforts will be made to modernize antiquated systems.
  5. Make informed cyber risk decisions at the right level. Make sure the information required to make decisions is being delivered to the decision-makers.

The first 100 days of the federal CISO’s tenure is ambitious. With the support of private sector expertise, academic resources and the impetus of the IMTF, however, the CISO will march into 2017 with plenty of momentum.

Share this Article:
Christopher Burgess

CEO at Prevendra

Christopher Burgess is the CEO of Prevendra, a security, privacy and intelligence company. He is also an author, speaker and advocate for effective security strategies, be they for your company, home or family. Christopher co-authored "Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century" (Syngress, March 2008) and authored the e-book, "Senior Online Safety" (Prevendra, March 2014) and is the voice behind the website, "Senior Online Safety." Prior to the founding of Prevendra, Christopher held a variety of private and public sector positions, which included, chief operating office and chief security officer of a big data analytic company, Atigeo; Senior Security Advisor to the CSO of Cisco, a Fortune 100, and 30+ years within the Central Intelligence Agency. The CIA awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher resides in Woodinville, WA with his family, two dogs and two horses.