Page 12 - FCW, Nov/Dec 2016

Commentary | FRANK J. CILLUFFO AND SHARON L. CARDASH
FRANK J. CILLUFFO is director and SHARON L. CARDASH is associate director of the George Washington University Center for Cyber and Homeland Security.
What the U.S. CISO needs to get the job done
New CISO Gregory Touhill must be given the right tools and enforcement authorities to secure and defend government networks
The selection of retired Brig. Gen. Gregory Touhill as the first U.S. chief information security officer is a key part of President Barack Obama’s Cybersecurity National Action Plan. Given the transition to a new administration, it’s not clear how long Touhill will hold the post. Regardless of who occupies the hot seat, however, the critical question is whether the U.S. CISO will have at his or her disposal the tools and authorities necessary to get the job done. Without them, the country will end up with a CISO in name only.
The CISO is charged with protecting government networks and critical infrastructure at a time when cyberthreats continue to change rapidly in terms of sophistication, breadth and speed. Concurrently, enterprise information systems and services are increasing in size, distribution, functionality and value — thereby increasing the potential surface for attack.
Given the position’s wide-ranging mandate, the CISO must have the ability to do more than simply conduct policy oversight; he or she must also possess the ability to enforce federal policy. That requires a cyber defense that is as tightly integrated as possible across the full span of the federal enterprise.
The current operational tempo reinforces the challenge, with technically advanced and determined state and non-state actors making headlines for their targeting of U.S. systems and assets in the public and private sectors. The extent of those intrusions has been startling, and neither agencies, such as the Office of Personnel Management, nor cornerstones of the country’s business community, such as the nation’s biggest banks, are immune.
The U.S. CISO will have to reach out widely to elicit and share information, explore best practices for cybersecurity and ensure their adoption governmentwide. In doing so, Touhill and his successors would do well to look to industry, where the role of the CISO has had greater opportunity to evolve and where associated best practices have reached a certain level of maturity.
As envisioned, the U.S. CISO will serve as a focal point for governance, from policy and planning through compliance. Placing that mission outside the purview of the CISO or granting compliance exemptions would undermine the overarching goal of shoring up the country’s cyber defenses.
The point is reinforced by experience in the private sector, where security and a host of related functions have been concentrated in the CISO position to integrate work in a wide range of areas, including regulations and standards, technology evaluation and integration, and incident response planning and communications strategy.
As new technologies are added to the cyber defense arsenal, it is important to incorporate those instruments in a cohesive way that continually appreciates not only enterprisewide security but also organizational architecture, culture and processes. If policies are mandated but not enforced, additional costs will be realized downstream because remedying after the fact is almost always more expensive.
In a poll of experts conducted in March, just weeks after the creation of the U.S. CISO post, a strong majority of respondents were “cautiously optimistic about the new CISO’s ability to drive change across the government” (full disclosure: we participated in that survey). The U.S. CISO is charged with ensuring that all constituent parts — from federal agencies to their state and local counterparts to contractors and beyond — work together, and striving to do so is surely in the nation’s best interests given the consequences of failure.
Clearly, the U.S. CISO has his work cut out for him. Let’s hope he succeeds.