16 November 2016
My Priorities as the First U.S. Chief Information Security Officer
By: Gen. Greg Touhill
As the first U.S. Chief Information Security Officer (CISO), I am honored to be a part of a dynamic community across government working to improve our country’s cybersecurity posture.
Throughout my career in military and federal service, and a few stints in the private industry, one of the most important lessons I have learned is cybersecurity is much more than just a technology fix—rather it is a risk management issue. When we focus exclusively on the technology we sometimes miss the real goal, which is managing the risk to the confidentiality, integrity and availability of the information the technology supports. In my new role, I hope to continue shaping the cybersecurity conversation from a technology-focus to one that focuses and aligns to risk management best practices.
Another important lesson I learned is that it is critically important to have a well-defined and easy-to-understand goal. Our cybersecurity goal is simple: “To support an Open and Transparent Government where the People’s Information is protected and Privacy, Civil Rights, and Civil Liberties are preserved.” The American people trust us to be the guardians and custodians of their information. We owe it to our fellow citizens to do our very best to achieve this goal, every day.
Our strategic approach to achieving our goal is focused on five lines of effort that capitalize on the significant progress this Administration has already undertaken to better manage cyber risk. Building on great initiatives, including the Cybersecurity National Action Plan (CNAP), our strategic approach focuses on five lines of effort:
1.Harden the Workforce: All of us stand at what I call, “the cyber front lines.” Whether it is in the home, on-the-go or in the office, we all face a wide range of cyber risk factors. Through our Cybersecurity Workforce Strategy we are leveraging targeted education, training and exercises; improved recruiting and hiring practices; retention and development of highly skilled talent; and innovative best practices to heighten cyber risk awareness, that will help our workforce become “hard targets” that understand their roles and responsibilities and techniques that properly employ best practices to better protect the People’s information. We will continue these great initiatives and, through such efforts as the National Initiative for Cybersecurity Education, we will look for opportunities to help educate every American to be “cyber risk aware” and “hardened” against cyber threats while helping shape the workforce of tomorrow by better identifying cybersecurity workforce needs.
2.Treat Information as an Asset: Information is an asset that has value. It costs you resources to create it, to store it, to transmit it, to secure it, to replace it, and to manage it. The best practice of treating information as an asset is something we in the Federal Government recognize and are incorporating into our risk-based approach to cybersecurity. For example, as part of the CNAP, agencies are taking action to identify their high-value information assets and better align protective measures to manage risk while delivering results that are effective, efficient, and secure. By treating information as an asset, we get a better understanding of the value of our information and adjusting our defenses so that we proportionally protect our high value assets. We need to treat information as an asset, perform asset valuations, and align our defense appropriate to the risk.
3.Do the Right Things the Right Way: Many cyber incidents and data breaches could be prevented if we all implemented best practices and practiced proper cyber hygiene. In the Federal Government, we are focusing attention on “buying down our cyber risk” by implementing best practices that do the right things the right way at the right time. For example, to better manage our networks, we are implementing the Continuous Diagnostics and Mitigation program. When fully implemented, this capability will give us positive control of our networks and give us real-time visibility into what’s on our network, who’s on our network, and what’s going on in our networks. We intend to expand our use of exercises and drills across organizations to hone our skills and meet performance objectives. The Hall of Fame football coach Vince Lombardi said, “Perfect Practice Makes Perfect.” The American people expect us to deliver excellence every day. We can only get there if we do the right things the right way and practice, practice, practice.
4.Continuously Innovate and Invest Wisely: In both the public and private sectors, many incidents or breaches have been caused or made worse by outdated equipment and software, legacy processes that are ineffective and inefficient, or poor requirements that get translated into the unwise acquisition of goods and services. The Government can and will do better. Doing better starts with planning for the future and the proper recapitalization of assets. Under US CIO Tony Scott’s leadership, the Administration has proposed the creation of an Information Technology Modernization Fund to kickstart efforts to recapitalize our antiquated systems and reduce our vulnerabilities. Looking to the future, we need to build a modern enterprise architecture that enables us to securely and affordably deliver a more open and transparent government. We need to deliver cloud and mobility solutions that enhance productivity yet have security “baked in,” not bolted on as an afterthought. Across all departments and agencies, we need to give our senior leaders the actionable business case information they need to plan, program and budget so that we can rapidly deliver innovative solutions that are effective, efficient, and secure.
5.Make Informed Cyber Risk Decisions at the Right Level: Since the beginning, the Administration has put cybersecurity on top of the agenda across the Federal Government. Decision makers need the facts so they can make the best decisions possible to manage cyber risk. I have found that what gets measured gets managed. We have to leverage metrics that drive decisions and get them in front of the right decision makers as we work together to better manage our cyber risk. A risk that can’t be articulated and measured won’t get addressed properly.
Cybersecurity is a team effort. If we are going to achieve our goal and follow our strategic game plan, we have to work together across the Federal Government in concert with our various partners and stakeholders. To help foster teamwork and collaboration, we’ve launched the Chief Information Security Officer (CISO) Council to help chart the course to turn the strategic vision into an executable plan of action that will lead us to achieving our goal. Along the way, the CISO Council will also serve as a clearinghouse of the identification, shaping, and sharing of best practices as well as a professional development forum for our Federal CISOs.
Cybersecurity is a risk management issue. I look forward to partnering with you and my other colleagues across the public and private sectors as we work together to support our open and transparent government while better managing our cyber risk.
BACK TO BLOG ❯