New CISO faces tough sprint

Greg Touhill, the first governmentwide CISO, will have a long task list and a short window of time as the Obama administration enters its last four months.

[Photo caption: Newly appointed U.S. CISO Greg Touhill]

The federal government's new chief information security officer has a long to-do list and a short time to get things done.

Retired Air Force Brig. Gen. Greg Touhill will transition from his current position as deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security and join U.S. CIO Tony Scott's team at the Office of Management and Budget later this month as the first governmentwide CISO.

The job is a political appointment, which means the length of his tenure is in question as the presidential election looms.

"I'm sure there are things he can accomplish in the job," said Paul Brubaker, chairman of the Alliance for Transportation Innovation and former deputy CIO at the Defense Department. He added that Touhill is "definitely the right guy for the job."

Perfect timing

"I know it sounds like bad timing, but I think it's actually perfect timing because Touhill can be a good person through the transition to make sure we don't take our eyes off the ball," said Theresa Payton, president and CEO of Fortalice Solutions and a former White House CIO.

She said Touhill is known as a pragmatic, experienced leader.

"He was an active participant of the federal CIO Council so he knows the pains from the front lines from his federal colleagues in this space," said Ann Barron-DiCamillo, CTO at Strategic Cyber Ventures and a former colleague of Touhill's at DHS.

"Knowing Greg, I'm sure he'll have a few actionable initiatives he'll target that are doable" in the remaining days of the Obama administration, she said.

Others said Touhill was a solid leader at DHS and easy to work with.

"The reason that they brought him on at DHS was because he knew how to handle bureaucracy, having dealt with it in the military, and he knew how to run operations," said Ari Schwartz, managing director of cybersecurity services at Venable and former senior director for cybersecurity at the National Security Council.

Schwartz said DHS' response capabilities improved during Touhill's tenure. He also said that in the past there had been a lack of understanding between DHS and OMB, and that Touhill's DHS knowledge and experience will be an asset in his new position.

Payton said Touhill should start with a 30-day sprint plan and a 60-day sprint plan and use the remaining time to create an 18-month roadmap that can lay groundwork for the next administration. He should also conduct a series of exercises to test federal agencies' incident response plans, which should include onsite expert coaching and mentoring.

"I would deploy a team of white hat hackers who would target our country's most precious digital assets...and come up with a remediation plan," she added.

Then she said there should be an awareness and education campaign with follow-up social engineering tests.

Blind spots

"One of the biggest challenges I see is the lack of visibility into the holistic operational environment," Brubaker said, "including critical interdependencies in other areas such as organizational impediments, skill sets and personnel deficiencies, [and] redundant or missing roles."

"It's those blind spots -- the unknown unknowns -- that bite you," he added.

Brubaker said Touhill is "walking into a role where he is going to struggle to objectively and clearly identify and mitigate vulnerabilities."

Although the next administration might not keep Touhill, Payton and others said the appointment of Grant Schneider as deputy CISO, a career position, will ensure that the institutional knowledge built in the coming months carries over from this administration to the next.

One unanswered question is why it took so long to hire Touhill given that President Barack Obama announced the Cybersecurity National Action Plan back in February. Those who spoke to FCW said they believe it was due to federal bureaucracy and significant competition for the position.

"Our government was, in this case anyway, picking from among a list of extremely strong candidates," said Larry Clinton, president of the Internet Security Alliance. "As much as I have confidence in Touhill to do this job, I don't think this was an easy decision."

OMB did not respond to FCW's questions about Touhill's budget and budget authority and how existing OMB staff will be tasked under him.