It took seven months to find a suitable candidate to fill the federal CISO position, but after little more than four months on the job, retired Brig. Gen. Gregory Touhill has stepped down.
Touhill was appointed as the first federal CISO in September 2016, after the position was created in President Obama's Cybersecurity National Action Plan in February. Although he understood his position was not guaranteed past the term of President Obama, Touhill had said he planned to remain through the presidential transition and that he expected "a full tour of duty."
In his short time, Touhill laid out a plan with five main focuses to improve the cybersecurity posture of the government: hardening the federal workforce to be more risk-aware and to better understand its responsibilities; treating information as an asset and protecting high-value data in proportion to its value; implementing best practices and proper cyber hygiene; promoting continual innovation; and making sure decision-makers have the best information possible.
In a blog post about leaving the federal CISO position, Touhill restated the importance of those ideas and said the government doesn't "need more policies, we need to execute the ones we have and eliminate the ones that no longer are aligned with contemporary best practices."
"There remains much to do to improve our cybersecurity risk management posture," Touhill wrote. "We need a better architecture focused on shared services capabilities rather than one built on organization charts. We need accountability and ownership built into our culture. We need to intelligently leverage cloud computing and mobility solutions that produce effective, efficient, and secure results. We need to do regular risk assessments across each department and agency. We need to better train and regularly exercise our personnel."
Touhill noted that he "left in place a solid flight plan and a great team of innovative professionals in the CISO Council" but appeared skeptical of the future of that team and his plan. Touhill admitted he "offered to remain in place to provide continuity and maintain the momentum we've achieved," but apparently he was not welcomed by the incoming administration. President Trump has not explicitly stated much regarding federal cybersecurity policy, but he has appointed former New York City mayor Rudy Giuliani to be an advisor on cybersecurity problems in the private sector.
Steven Chabinsky, law partner at White & Case and chair of the firm's global data, privacy and cybersecurity practice, said "regardless of whether the federal CISO position survives, the cybersecurity priorities for federal agencies that Gen. Touhill announced last November likely will remain the same."
"After all, it's hard to argue against the need to treat cybersecurity as a risk management issue, to make sure agencies prioritize what's most important to protect, to have the government invest in products with better security, to ensure federal employees are better trained to protect sensitive information, and to overlay everything with metrics so we have hard data on what actually works," Chabinsky told SearchSecurity. "I think it's important for the new administration to challenge the way things have been done. Still, it's equally important at least to consider the advice from those who have spent time on the frontlines."