America Gets Our First CISO
Last week the White House announced the appointment of Gregory Touhill as the nation’s first Federal Chief Information Security Officer (CISO). Touhill is a retired Air Force general currently serving as acting director of the National Cyber and Communications Integration Center (NCCIC).
When I toured the NCCIC operations floor, I wasn’t impressed by the walls of monitors or flashing red lights. What impressed me was the people. They seemed to work as a real team in an interdisciplinary, interagency, cross-sector fashion. That is pretty unusual in Washington. Some of the credit has to go to Touhill, who joined the department six months before my 2014 visit. If he can foster that culture again at a federal level then he’s probably a good choice for America’s first CISO.
What qualities make a good CISO? I’ve worked with quite a few. Some have technical backgrounds and pride themselves on knowing packets and ports. Some have operations backgrounds and love fighting bad guys in the trenches. Some have management backgrounds and know how to run a large organization, get budget, and talk to boardroom executives.
The ideal CISO would be comfortable wearing all three hats – techie, warrior, manager. Remember the 2006 film Firewall? Harrison Ford plays the perfect CISO. He runs down to the bank’s SOC during a cyber-attack and furiously types Snort commands into a terminal. (“Let’s try a rule change on him, see what he does. Put in an IPS signature that black-holes the pattern.”) Then he dashes up to the penthouse boardroom to argue passionately with company execs about fraud losses he foresees during a pending bank merger.
Most real-life CISOs don’t match Harrison Ford’s heroics, although some come close. For nearly all of them, it can be a thankless job. In the absence of a specific imminent threat, the CISO can be seen as Chicken Little and an obstacle to profits. And then when a breach does inevitably occur, the CISO is often made the scapegoat. A thick skin is mandatory.
Like Greg Touhill, many CISOs nowadays have military backgrounds. The trend toward militarization of police departments has been much debated recently, but a similar trend is playing out in corporate information security departments. In policing we’ve seen how this can be problematic if a warrior culture displaces the community service mindset. In IT security this is less of an issue, so long as the ex-military folks play well with their less disciplined civilian teammates (and vice-versa) with mutual respect and trust.
So what’s the recipe for a successful CISO? The main ingredients are perseverance and pugnacity. Leadership and communication are essential. Add military or tech experience for flavor as desired. Bake at 10,000 degrees under high pressure till hard and crusty. Allow to cool before serving. When the next breach occurs, it’s time to bake a fresh batch.
Greg Touhill seems to have the key ingredients. But his success as America’s first Federal CISO will depend as much on how the role is defined as on his ability. The White House already has a Cybersecurity Coordinator, Michael Daniel. So I expect Touhill will focus on operational aspects of IT security while Daniel continues to focus on policy. I had the privilege of working with Daniel’s predecessor, Howard Schmidt, and saw how challenging yet rewarding it was for him to blaze a trail as President Obama’s first cybersecurity czar. Touhill has a similar opportunity now to define what it means to be a national CISO.
A recent DarkMatter survey found nearly half of companies don’t even have a CISO (or equivalent). So be thankful if your company has one, and cut him or her a little slack. It’s a tough job and they can’t all be Harrison Ford. America has a CISO now and that’s good news.
UPDATE 2/16/2017: Greg Touhill lost his position as US CISO when Donald Trump became president. It's not clear yet if a replacement will be named. In a recent video interview, Touhill urged the Trump administration not to scrap his hard work or start over from scratch.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.