
Future of the federal CISO position in question as Touhill steps down

Retired Brig. Gen. Gregory Touhill stepped down as the federal CISO, leaving questions surrounding the future of the position and the work he has done.

It took seven months to find a suitable candidate to fill the federal CISO position, but after little more than four months on the job, retired Brig. Gen. Gregory Touhill has stepped down.

Touhill was appointed as the first federal CISO in September 2016, after the position was created in President Obama's Cybersecurity National Action Plan in February. Although he understood his position was not guaranteed past the term of President Obama, Touhill had said he planned to remain through the presidential transition and that he expected "a full tour of duty."

In his short time, Touhill laid out a plan with five main focuses to improve the cybersecurity posture of the government, including hardening the federal workforce to be more risk aware and better understand responsibilities; treating information as an asset and proportionally protecting high value data; implementing best practices and proper cyber hygiene; promoting continual innovation; and, making sure decision-makers have the best information possible.

In a blog post about leaving the federal CISO position, Touhill restated the importance of those ideas and said the government doesn't "need more policies, we need to execute the ones we have and eliminate the ones that no longer are aligned with contemporary best practices."

"There remains much to do to improve our cybersecurity risk management posture," Touhill wrote. "We need a better architecture focused on shared services capabilities rather than one built on organization charts. We need accountability and ownership built into our culture. We need to intelligently leverage cloud computing and mobility solutions that produce effective, efficient, and secure results. We need to do regular risk assessments across each department and agency. We need to better train and regularly exercise our personnel."

Touhill noted that he "left in place a solid flight plan and a great team of innovative professionals in the CISO Council" but appeared skeptical of the future of that team and his plan. Touhill admitted he "offered to remain in place to provide continuity and maintain the momentum we've achieved," but apparently he was not welcomed by the incoming administration. President Trump has not explicitly stated much regarding federal cybersecurity policy, but he has appointed former New York City mayor Rudy Giuliani to be an advisor on cybersecurity problems in the private sector.

Steven Chabinsky, law partner at White & Case and chair of the firm's global data, privacy and cybersecurity practice, said "regardless of whether the federal CISO position survives, the cybersecurity priorities for federal agencies that Gen. Touhill announced last November likely will remain the same."

"After all, it's hard to argue against the need to treat cybersecurity as a risk management issue, to make sure agencies prioritize what's most important to protect, to have the government invest in products with better security, to ensure federal employees are better trained to protect sensitive information, and to overlay everything with metrics so we have hard data on what actually works," Chabinsky told SearchSecurity. "I think it's important for the new administration to challenge the way things have been done. Still, it's equally important at least to consider the advice from those who have spent time on the frontlines."


What do you think the role of the federal CISO should be?

- Appoint and guide a Team of IT security experts
- Create a Strategic Plan for the Deployment of Information & Communication Security Technologies and Program Enhancements
- Supervise Development of (and ensure compliance with) Co Security Policies, Standards and Procedures
- Integrate IT systems Development With Security Policies and Information Protection Strategies
- Collaborate with key Stakeholders to Establish an IT Security Risk Management Program
- Audit Existing Systems and Provide Comprehensive Risk assessments
- Anticipate New Security Threats and Stay up to date With Evolving Infrastructures
- Monitor Security Vulnerabilities, Threats and Events in Network and Host Systems
- Develop Strategies to Handle Security Incidents and Coordinate Investigative Activities
- Act as a Focal Point For IT Security Investigations and Direct a full Investigation With Recommended Courses of Action
- Prioritize and allocate Security Resources Correctly and Efficiently
- Prepare Financial Forecasts for Security Operations and Proper Maintenance Cover For Security Assets
- Provide Leadership, Training Opportunities and Guidance to Personnel
- Work with Senior Management to Ensure IT Security Protection Policies are being Implemented, Reviewed, Maintained and Governed Effectively
- Spearhead education programs focused on user awareness and security compliance

In addition to These Efforts, I may be Involved in a large Variety of Non-Technical Managerial Tasks. At the end of the day, I, as Chief Information Security Officer, Report on Security to the Chief Executive Officer (CEO).