
What effect does a federal CISO have on government cybersecurity?

The brief tenure of a federal CISO in the U.S. government recently came to an end. Expert Mike O. Villegas discusses the effect this has on the U.S. cybersecurity posture.

The Office of Personnel Management hired its first CISO in June 2016. This was followed in September 2016 by the announcement that a federal CISO had been hired. However, the federal CISO resigned after only four months on the job. What effect does this have on the U.S. cybersecurity posture? And what role will the federal CISO, if replaced, play given the difficult situation the OPM and other agencies face after the recent massive data breaches?

On September 8, 2016, retired Brigadier General Gregory J. Touhill was named the first Federal Chief Information Security Officer (CISO) for the entire U.S. federal government. Grant Schneider was named Acting Deputy CISO in the same announcement. Then, on January 29, 2017, following the inauguration of President Donald Trump, Touhill resigned after four months of service.

The federal CISO's main function is to oversee the CISOs and security programs of all other government agencies. CISO positions have also been created at individual U.S. agencies, which raises the question: are so many CISO positions necessary?

In October 2016, the Bureau of Labor Statistics counted 22.235 million government employees. The U.S. government is very different from private industry, and its bureaucracy is a pedantic nightmare. But much as the Department of Homeland Security was established to oversee several existing agencies -- such as the Transportation Security Administration, the Secret Service, the Federal Emergency Management Agency, the U.S. Coast Guard and others -- having a single federal CISO makes sense.

To be effective, the federal CISO position needs to manage federal governance, cross-agency budgets, policies, protection programs and architectures. To maintain collaboration, cooperation and continuity, the reporting structure should give every agency CISO a solid-line or, at a minimum, a dotted-line relationship to the federal CISO. This would give the federal CISO the necessary independence from IT and agency heads, along with the legal authority to impose consequences when required policies, procedures and protective measures are not deployed or adhered to.

In his farewell blog, Touhill stated that the U.S. cybersecurity posture did not need more policies; it needed to execute the current policies and to eliminate those that are no longer effective or are out of date. During his short tenure as federal CISO, Touhill oversaw the rollout of multifactor authentication to nearly 99% of privileged user accounts by the end of 2016. He also stated that the U.S. needs to improve its cybersecurity risk management posture and to reorient its architecture around shared services capabilities rather than around how the government is organized. It also needs to make better use of cloud computing and to conduct periodic risk assessments across every department and agency.

Weeks before Touhill stepped down as federal CISO, then President-elect Trump named former New York City mayor Rudy Giuliani as cybersecurity advisor on January 11, 2017. On February 2, 2017, President Trump also removed Cory Louie as White House CISO. Putting a non-cybersecurity professional in charge of the U.S. cybersecurity posture appears injudicious to many cybersecurity experts -- especially since there appear to be no plans to replace Touhill or Louie.


This was last published in March 2017


Do you think the U.S. government needs federal CISOs? Why or why not?
Yes, I do, and I think the country is ready for some serious leadership at the cybersecurity level - we lost it at the CIO level as well. I know Greg and he did an exceptional job in a short period of time with significant push back. It's always an easy call to say "do this, and by the way, absorb the cost". The key here is to build security into the transformation/modernization efforts (some agencies are) and spread the cost of doing the right things over the technology integration and acquisition cycles. As a retired agency CISO, I truly understand the challenges of securing the environment and I think we can do better with a central point of guidance (Fed CISO) and common criteria for typical security concerns (NIST document sets). Where we seem to stray is in understanding that everyone can learn and gain value from a Federal CISO - that leadership is essential - adherence should be rewarded, but failure to follow must have consequences. Accountability would seem to be where we start - funding for programs and resource allocation to support the cybersecurity program must be business/mission essential - the Federal CISO can help drive that accountability at the highest levels.