The White House on Thursday named Brig. Gen. (Ret.) Gregory Touhill as the Federal government’s first chief information security officer, bringing to a close an executive search that has gone on for more than seven months.
Touhill, who retired from the Air Force in 2013, served most recently as the deputy assistant Secretary of Homeland Security for Cybersecurity and Communications.
“In his new role as Federal CISO, Greg will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies,” said U.S. Chief Information Officer Tony Scott in a statement posted on the White House website. “Greg will lead a strong team within OMB who have been at the forefront of driving policy and implementation of leading cyber practices across Federal agencies, and is the team that conducts periodic cyberstat reviews with Federal agencies to insure that implementation plans are effective and achieve the desired outcomes.”
Scott also announced the appointment of Grant Schneider, the director for Cybersecurity Policy at the National Security Council, as the acting deputy CISO.
“In creating the CISO role, and looking at successful organizational models across government, it became apparent that having a career role partnered with a senior official is not only the norm but also provides needed continuity over time,” Scott said.
Touhill enters the job less than four months before the Obama administration leaves office, after which a new administration is likely to shuffle most of the top national security leadership posts.
Touhill recently participated in a panel discussion moderated by MeriTalk during the Symantec Government Symposium, where he was outspoken about the need to improve communications between agency cybersecurity personnel and operations managers.
“We talk in parables,” Touhill said. “We’re also trying to be the Maginot Line, and we’re focused on compliance, compliance, compliance.”
Another major issue that Touhill said must be addressed is the prevalence of shadow IT—systems and devices deployed without the knowledge or approval of agency CIOs or security officials—throughout the Federal government. But just as problematic is the large number of old systems that have simply been abandoned from a maintenance and upgrade perspective, leaving them vulnerable to widespread security threats.
“There’s a lot of orphan IT out there that CIOs don’t even know about,” Touhill said.