Think like a hacker, says former CISO
Greg Touhill contends that clarity, hacker brains and services consolidation are keys to more secure federal networks and data.
Gregory Touhill served as the first governmentwide chief information security officer at the tail end of the Obama administration.
Shared services, new hacker-like thinking and a clear and concise security strategy are some of the keys to protecting the .gov environment, said the former first governmentwide chief information security officer.
"We need to think like a hacker" to protect federal networks, Greg Touhill said at a March 30 cybersecurity conference in Washington. "We haven't even been thinking like an accountant" when it comes to federal IT, he said. "We need to do a bit of both" to maximize security and efficiency for the federal networking dollars.
Touhill, who was appointed to the new CISO position by President Barack Obama in September, stepped down on Jan. 17. In his remarks at the Billington Cybersecurity Summit on March 30, Touhill said he plans to begin a job search in April.
A retired Air Force brigadier general, Touhill has a long history in federal government, as a deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security before he got the call for the CISO job.
Now a month out of government, Touhill said the next person to hold the job has to offer up clear concise strategy to protect federal IT, as well as be able to articulate risk to senior-level agency managers and foster more consolidation among agency IT capabilities.
"As federal CISO, rather than come out with the big lengthy strategy document that no one will read, I focused defining the mission," he said. "What is the cybersecurity mission of the federal government?"
"We'll see when the executive order comes out," Touhill continued, "but when I was in the job I said here's the mission statement support an open and transparent govern that protects the people's information while protecting civil rights and civil liberties. Do you think the troops in the field and the folks in the server rooms and employees can get that? I think they can."
Touhill also said the government needs to stop its profligate spending ways with IT.
"'Be calm and buy everything' seems to be [the practice] when it comes to IT and cybersecurity in the federal government," he said. "We go out and we buy every damn tool that's out there. But we don't read the instruction books and we don't necessarily take the training…We don't use the tools that we buy very well."
Shared services, he said, can trim that spending, as well as boost data security. "I'm a big proponent of consolidation of IT services through .gov. It's silly that every single department and agency is doing their own thing."
Using shared services for more applications, Touhill said, would not only place data into a more uniformly secured, central environment, it would also free up federal CIOs to manage and prioritize their data more effectively. Mismanaged data in the wrong places is an issue currently, he said.
Additionally, Touhill said funding for "active hunt teams" that can track down and interdict attackers is needed. Cyber response teams are good, but they're "cleaning up on aisle six" while other threats could be roaming through the .gov environment. "We need to do a better job" hunting down those threats, he said.