In September 2016, the White House announced the appointment of retired Brig. Gen. Gregory J. Touhill as the first federal chief information security officer (CISO). Touhill’s job is to drive cybersecurity, planning and implementation across the government. This announcement is presented as the culmination of several actions undertaken by the executive branch to enhance the cybersecurity posture of the U.S.

Introducing the First Federal CISO

As the new CISO puts his hand on the tiller of federal information security needs, the cybersecurity ship already has four specific initiatives aboard, all of which were initiated during the federal fiscal year 2016. These are the:

Shaping National Cybersecurity Strategy

In July 2016, the administration issued its first Federal National Strategy on Cybersecurity. The strategy included four key initiatives, all of which focus on national cybersecurity issues:

  • Expand the cybersecurity workforce through education and training;
  • Recruit the nation’s best cyber talent for federal service;
  • Retain and develop highly skilled talent; and
  • Identify cybersecurity workforce needs.

In an open letter to Touhill, the (ISC)2, an international nonprofit membership association focused on inspiring online safety, suggested the new federal CISO focus his efforts on a few key areas, including:

  • Cyber versus general workforce needs: It’s important to consider the needs of both the cyber and general workforce when devising security policies.
  • Improving awareness: Increased awareness and vigilance will lead to better cybersecurity practices.
  • Effectively addressing the shortage of talent: The role of the cybersecurity professional is evolving due to the IT skills gap, demand for specialized training, industrywide emphasis on risk management and other factors.

These recommendations should interweave nicely with the foundational direction provided by the White House, specifically the efforts of the CENC. The CENC’s 12-person, bipartisan commission, under the leadership of Thomas Donilon, President Barack Obama’s former national security adviser, and Sam Palmisano, the former chief executive of International Business Machines Corp.

The aim of the CENC will be to create a list of actions that both government and private organizations can take to improve the country’s overall security posture, Donilon said at the CENC’s public meeting on Nov. 21. The report will be reviewed for 45 days — through Jan. 15, 2017 — and then made public.

From the Horse’s Mouth

On Nov. 16, Touhill wrote a blog post, titled “My Priorities as the First U.S. Chief Information Security Officer,” detailing the five initiatives on which he intends to build the CNAP. According to this article, he has plans to do the following:

  1. Harden the workforce. Embrace the Cybersecurity Workforce Strategy and, in doing so, increase awareness among the nation’s cybersecurity workforce and employ best practices in protecting citizens’ information.
  2. Treat information as an asset. Identify the data that needs protecting and protect that data appropriately.
  3. Do the right things the right way. Use industry best practices to reduce the likelihood of cyber incidents and data breaches. Then practice and perfect how data is protected.
  4. Continuously innovate and invest wisely. Outdated equipment and processes allow for vulnerable infrastructure. Leveraging the Information Management Task Force (IMTF), efforts will be made to modernize antiquated systems.
  5. Make informed cyber risk decisions at the right level. Make sure the information required to make decisions is being delivered to the decision-makers.

The first 100 days of the federal CISO’s tenure is ambitious. With the support of private sector expertise, academic resources and the impetus of the IMTF, however, the CISO will march into 2017 with plenty of momentum.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…