A conversation with Greg Touhill, former federal CISO

In any organization, people tend to get fixated on the policy. Same goes for cybersecurity policies. But often while the policy is sound, the issues lie within the execution.

Retired Brigadier General and former federal Chief Information Security Officer Greg Touhill joined Sean Kelley, host of CyberChat, to discuss the future of cybersecurity.

Touhill said there are three major hurdles facing today’s organizations:

  • A lack of authority on the part of the CIO
  • A lack of unity of effort
  • Inefficient and ineffective architecture

While cybersecurity policies could be ultra-secure, Touhill said the organizations and entities your agency or company deals with don’t always have the same cybersecurity posture and capacities.

“Moving to the cloud is the right thing to do, but it needs to be done in the right way. The appeal of the overhead reduction is compelling, organizations can be more agile, and both lower OpEx [operating expenditure] and CapEx [capital expenditure] results are incredibly attractive. As I learned in the Air Force, you never fly into a cloud without knowing what’s on the inside or on the other side,” Touhill said.

Another consideration, Touhill said, is how to implement or sustain independent third-party auditing, a “must-have” tool. Organizations should also retain the ability to pen test and audit.

Touhill said organizations need to better execute existing policies, retire older technology, update their cybersecurity strategy to a more modern zero trust model, and leverage public sector best practices.

He went on to say the public and private sectors have at times been resistant to pooling resources — bulk buys and leveraging their combined buying power — due to fear of losing control of their decision-making authority.

Touhill said that in order to get to a common architecture, there needs to be a legislative approach and a push to drive change. “We should be all about protecting the people’s information.”

There are initiatives and education programs for future cybersecurity professionals, but Touhill said the pipeline is not being filled quickly enough to meet present-day demand.

“The Air Force is a great example of a government organization that is getting it right. With many jobs being replaced or being made redundant because of various technologies, affected individuals are being retrained into the world of cybersecurity,” Touhill said.