What effect does a federal CISO have on government cybersecurity?

The Office of Personnel Management hired its first CISO in June 2016. This followed the announcement that a federal CISO was hired in September 2016. However, the federal CISO resigned after only four months on the job. What affect does this have on the U.S. cybersecurity posture? What role will the federal CISO, if replaced, play considering the tough situation the OPM and other agencies are in after recent massive data breaches?

On September 8, 2016, retired Brigadier General Gregory J. Touhill was named as the first Federal Chief Information Security Office (CISO) for the entire U.S. federal government. Grant Schneider was also named as Acting Deputy CISO in the same announcement. Then on January 29, 2017, following the inauguration of President Donald Trump, Greg Touhill resigned after four months of service.

The federal CISO's main function is to manage all other government agency CISOs and security programs. There have also been CISO positions assigned at other U.S. agencies, but are so many CISO positions necessary?

In October 2016, the Bureau of Labor Statistics reported that the federal government had 22.235 million employees. The U.S. government is very different from the private industry. The bureaucracy is a pedantic nightmare, but much like the Department of Homeland Security was established to oversee several existing agencies -- such as the Transportation Security Administration, Secret Service, Federal Emergency Management Agency, U.S. Coast Guard and others -- having a federal CISO makes sense.

To be effective, the federal CISO position needs to manage federal governance, cross-agency budgets, policies, protection programs and architectures. The reporting structure -- in order to maintain collaboration, cooperation and continuity -- should give all agency CISOs a solid line or, at a minimum, a dotted line relationship to the federal CISO. This will ensure essential independence of any influence from IT or agency heads and legal authority to take punitive actions for policies, procedures and protections measures if not deployed or adhered to.

In his farewell blog, Touhill stated that the U.S. cybersecurity posture did not need more policies but needed to execute current polices and possibly eliminate ones no longer effective or out of date. During his short tenure as federal CISO, Touhill implemented multifactor authentication on nearly 99% of privileged user accounts by the end of 2016. He also stated that the U.S. needs to improve its cybersecurity risk management posture, and better its architecture so it's focused on shared services capabilities rather than on how it is organized. It also needs better leverage on cloud computing, and periodic risk assessments across each department and agency.

Weeks before Touhill stepped down as the federal CISO, then President-Elect Trump, assigned Rudy Giuliani, former New York City mayor, as Cyber Security Advisor on January 11, 2017. On February 2, 2017, President Trump also removed Cory Louie as White House CISO. Having a non-cybersecurity professional now in charge of the U.S. cybersecurity posture appears injudicious to many cybersecurity experts -- especially since there appears to be no plans to replace Touhill or Louie.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)