The Office of Personnel Management hired its first CISO in June 2016. This followed the announcement that a federal...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
CISO was hired in September 2016. However, the federal CISO resigned after only four months on the job. What affect does this have on the U.S. cybersecurity posture? What role will the federal CISO, if replaced, play considering the tough situation the OPM and other agencies are in after recent massive data breaches?
On September 8, 2016, retired Brigadier General Gregory J. Touhill was named as the first Federal Chief Information Security Office (CISO) for the entire U.S. federal government. Grant Schneider was also named as Acting Deputy CISO in the same announcement. Then on January 29, 2017, following the inauguration of President Donald Trump, Greg Touhill resigned after four months of service.
The federal CISO's main function is to manage all other government agency CISOs and security programs. There have also been CISO positions assigned at other U.S. agencies, but are so many CISO positions necessary?
In October 2016, the Bureau of Labor Statistics reported that the federal government had 22.235 million employees. The U.S. government is very different from the private industry. The bureaucracy is a pedantic nightmare, but much like the Department of Homeland Security was established to oversee several existing agencies -- such as the Transportation Security Administration, Secret Service, Federal Emergency Management Agency, U.S. Coast Guard and others -- having a federal CISO makes sense.
To be effective, the federal CISO position needs to manage federal governance, cross-agency budgets, policies, protection programs and architectures. The reporting structure -- in order to maintain collaboration, cooperation and continuity -- should give all agency CISOs a solid line or, at a minimum, a dotted line relationship to the federal CISO. This will ensure essential independence of any influence from IT or agency heads and legal authority to take punitive actions for policies, procedures and protections measures if not deployed or adhered to.
In his farewell blog, Touhill stated that the U.S. cybersecurity posture did not need more policies but needed to execute current polices and possibly eliminate ones no longer effective or out of date. During his short tenure as federal CISO, Touhill implemented multifactor authentication on nearly 99% of privileged user accounts by the end of 2016. He also stated that the U.S. needs to improve its cybersecurity risk management posture, and better its architecture so it's focused on shared services capabilities rather than on how it is organized. It also needs better leverage on cloud computing, and periodic risk assessments across each department and agency.
Weeks before Touhill stepped down as the federal CISO, then President-Elect Trump, assigned Rudy Giuliani, former New York City mayor, as Cyber Security Advisor on January 11, 2017. On February 2, 2017, President Trump also removed Cory Louie as White House CISO. Having a non-cybersecurity professional now in charge of the U.S. cybersecurity posture appears injudicious to many cybersecurity experts -- especially since there appears to be no plans to replace Touhill or Louie.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Learn more about why a federal CISO is necessary for the U.S. government
Find out how chief data officers affect the role of CISOs in the enterprise
Read what one CISO thinks about the role CISOs play in enterprises
Dig Deeper on Government IT Security Management
Related Q&A from Mike O. Villegas
Privacy and information security can often be at odds with each other in enterprises. Expert Mike O. Villegas explains how C-levels can help to get ...continue reading
Effective CISO communications are key to fostering a healthy relationship with the cybersecurity staff. Expert Mike O. Villegas reviews some ways to ...continue reading
Enterprises are advised to start reporting ransomware attacks, but are there risks? Expert Mike O. Villegas discusses whether organizations are ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.