Former Federal Chief Information Security Officer retired Brig. Gen. Gregory Touhill called on Congress to formally authorize the Federal CISO position, so that his successor has the full authority to address the cybersecurity needs of the nation.
“Within the Federal government, we still don’t have an authorization for a Federal chief information security officer in statute. My position was appointed as an administrative appointment,” Touhill said in a House Joint Subcommittee on Oversight and on Research and Technology hearing June 15. “I think we need to firm up and make sure that this position is an enduring position, but we also need to empower the position such that the chief information security officer can in fact have the authorities to choreograph and direct activities that are necessary to better manage our risk.”
Touhill was appointed to the newly created Federal CISO position in September 2016, and remained there for only four months, despite expressing that he would like to serve a “full tour of duty” regardless of who won the presidential election. To date, the Trump administration has yet to fill the position or that of the Federal CIO, to whom the CISO reports.
“I believe that this is a best practice to have a chief information security officer in different organizations,” said Touhill. “I think it is critically important as part of an enterprise risk management approach that you do in fact have someone who is focused on information security and the risk to the enterprise.”
Touhill also said that he would offer support for whoever took over the position.
“As far as the appointment goes, I look forward to seeing who the administration brings forward, and I will coach and serve as wingman for that person,” said Touhill.
Members of the committee were critical of the vacant leadership positions throughout Federal agencies.
“The Trump administration has been slow to fill newly vacant positions in nearly every government agency, and my concern is that these understaffed agencies are going to have significant difficulty meeting the dictates of the executive order,” said Rep. Don Beyer, D-Va. “Frankly, I’m also concerned that the proposed budget cuts in the original Trump-Mulvaney budget across all agencies will make the task a lot harder to strengthen security of Federal information systems.”
“I join Mr. Beyer in urging the administration to fill the many vacancies across the Federal government,” said Rep. Dan Lipinski, D-Ill.
Other witnesses, however, were concerned by the overall lack of qualified cybersecurity personnel in the Federal government, with Touhill adding that if he were given one extra dollar to spend on cybersecurity, he would spend it on people.
“The actual resources for cyber defense are scarce, and there simply is not presently an adequate level of highly skilled, highly experienced, and highly available operators in the cybersecurity field,” said Salim Neino, CEO of Kryptos Logic.
Touhill warned that recent cyberattacks like WannaCry were “softballs” and that “the next one may be a high and tight fastball coming in. We need to be ready.”