Despite the short amount of time guaranteed to him as the Federal Chief Information Security Officer (CISO), retired Brig. Gen. Gregory Touhill is optimistic about his ability to remain in his position through the presidential transition and has many plans that he hopes to carry through that transition.
“I expect to be here through the transition,” Touhill said. “I raised my hand, and I expect a full tour of duty.”
Touhill was appointed to the Federal CISO position in September and is guaranteed the position only until the end of this administration, a limit he calls his “Cinderella clock.” Even so, he is planning improvements for after the presidential transition, such as implementing cyber training and exercises for newly appointed senior leadership.
“I want to have a cyber desktop exercise,” Touhill said, explaining that if senior leaders can spend even an hour understanding what to do in the event of a cyberattack, it can improve overall agency capability.
Touhill also outlined five lines of effort through which he plans to improve Federal cybersecurity: strengthening the workforce, treating information as an asset, doing the right things the right way, continuing innovation, and making informed cyber risk decisions.
“Frankly, the entire workforce is now what I consider part of the cyber front lines,” Touhill said. He plans to create continual training and evaluation programs as well as increase participation in testing and exercises. As part of this effort, Touhill wants to put together a Federal CISO council, much like the current Federal CIO council. And he wants agencies to get involved in creating their own cyber training programs.
“Through the CISO council, we’ll put out a core curriculum, but then we’ll release that and have a competition to see who can come up with the most entertaining, educational, informative video, and we’ll put it on YouTube as the winner,” said Touhill. “Why not have competition to have the best cybersecurity video out there based on the curriculum that the CISO council put together?”
The focus on using competition and broad involvement to create better cybersecurity plans and education also extends to Touhill’s plan to educate the next generation of cyber experts.
“Most of those folks that are going to be in our cyber workforce pretty darn soon are still in elementary school,” Touhill joked, explaining that education has so many mascots, such as Smokey the Bear, to teach kids about keeping the world safe, that there should also be a mascot for cyber. “Maybe we need to have a competition amongst the school kids in America to tell us about Byte the cyber mascot.”
As part of Touhill’s plans as CISO, he and his CISO council will create a cybersecurity website, called cyber.gov, that will act as a wide-reaching resource for cybersecurity information and best practices.
“What we’re looking at doing is having a one-stop repository for folks that are looking at best practices, for collaboration and the like. And we’re working across our staff right now and setting up some basic guidance on the website,” Touhill said. “We’re going to be partnered across such organizations as NIST, DHS, and others so that we have an easy, one-stop shop for cyber information.”
Though some of Touhill’s plans will take him beyond his guaranteed tenure as Federal CISO, Touhill explained that it is important to have something to work toward.
“Like I learned in the military, it is important to have a goal,” Touhill said of his plan. “Our goal is simple: Our goal is to support an open and transparent government where the people’s information is protected and privacy, civil rights, and civil liberties are preserved.”