Think like a hacker, says former CISO
- By Mark Rockwell
- Mar 31, 2017
Gregory Touhill served as the first governmentwide chief information security officer at the tail end of the Obama administration.
Shared services, new hacker-like thinking and a clear and concise security strategy are some of the keys to protecting the .gov environment, said the former first governmentwide chief information security officer.
"We need to think like a hacker" to protect federal networks, Greg Touhill said at a March 30 cybersecurity conference in Washington. "We haven't even been thinking like an accountant" when it comes to federal IT, he said. "We need to do a bit of both" to maximize security and efficiency for the federal networking dollars.
Touhill, who was appointed to the new CISO position by President Barack Obama in September, stepped down on Jan. 17. In his remarks at the Billington Cybersecurity Summit on March 30, Touhill said he plans to begin a job search in April.
A retired Air Force brigadier general, Touhill has a long history in federal government, as a deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security before he got the call for the CISO job.
Now a month out of government, Touhill said the next person to hold the job has to offer up clear concise strategy to protect federal IT, as well as be able to articulate risk to senior-level agency managers and foster more consolidation among agency IT capabilities.
"As federal CISO, rather than come out with the big lengthy strategy document that no one will read, I focused defining the mission," he said. "What is the cybersecurity mission of the federal government?"
"We'll see when the executive order comes out," Touhill continued, "but when I was in the job I said here's the mission statement support an open and transparent govern that protects the people's information while protecting civil rights and civil liberties. Do you think the troops in the field and the folks in the server rooms and employees can get that? I think they can."
Touhill also said the government needs to stop its profligate spending ways with IT.
"'Be calm and buy everything' seems to be [the practice] when it comes to IT and cybersecurity in the federal government," he said. "We go out and we buy every damn tool that's out there. But we don't read the instruction books and we don't necessarily take the training…We don't use the tools that we buy very well."
Shared services, he said, can trim that spending, as well as boost data security. "I'm a big proponent of consolidation of IT services through .gov. It's silly that every single department and agency is doing their own thing."
Using shared services for more applications, Touhill said, would not only place data into a more uniformly secured, central environment, it would also free up federal CIOs to manage and prioritize their data more effectively. Mismanaged data in the wrong places is an issue currently, he said.
Additionally, Touhill said funding for "active hunt teams" that can track down and interdict attackers is needed. Cyber response teams are good, but they're "cleaning up on aisle six" while other threats could be roaming through the .gov environment. "We need to do a better job" hunting down those threats, he said.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.