Retired Brig. Gen. Gregory Touhill announced his resignation as U.S. Chief Information Security Officer (CISO) in a Jan. 19 post on social media site LinkedIn, following a four-month tenure.
Touhill was brought on in Sept. 2016 as the first Federal CISO as part of the Obama Administration’s 2016 Cybersecurity National Action Plan (CNAP) (Defense Daily, Sept. 9, 2016). He previously served at the Department of Homeland Security (DHS) as the Deputy Assistant Secretary for Cybersecurity and Communications in the Office of Cybersecurity and Communications.
He said he had offered the Trump team to remain in the role to provide continuity and “maintain the momentum we’ve achieved,” but the offer was apparently rebuffed.
“During my service as the US Chief Information Security Officer, I have focused on execution of best practices to better manage our cyber risk posture. Frankly, we don’t need more policies, we need to execute the ones we have and eliminate the ones that no longer are aligned with contemporary best practices,” he said in his farewell statement.
Touhill highlighted his belief that best practices bring compliance, but that focusing only on compliance does not always deliver best practices or results.
“Having formed the federal CISO Council across all departments and agencies, we’ve launched a solid risk management construct that is already yielding results. For example, we bought down our collective risk by raising implementation of multi-factor authentication on privileged user accounts from just over 30% to nearly 99% percent by the end of 2016,” he added.
Touhill also recommended what still needs to be improved in the government’s cybersecurity risk management posture. This includes a better architecture focused on shared services capabilities rather than built on organizational charts; accountability and ownership built into the culture; leveraging cloud computing and mobility solutions that produce effective, efficient, and secure results; regular risk assessments across every department and agency; and better training and regular exercises for personnel.
He noted his confidence in the remaining team and left in place “a solid flight plan and a great team of innovative professionals in the CISO Council and OMB who will follow through and execute what it takes to better manage our cyber risk.”
Touhill specifically thanked CIO Tony Scott, Special Assistant to President Obama and Cybersecurity Coordinator Michael Daniel, and Dr. Phyllis Schneck and Dr. Andy Ozment with their DHS cyber teams.
He said his next steps involve a short vacation, periodic teaching at Carnegie-Mellon University in Pittsburgh, Pa., and a plan to “look for the next great adventure.”