FCW : November and December 2016
What the U.S. CISO needs to get the job done

New CISO Gregory Touhill must be given the right tools and enforcement authorities to secure and defend government networks

Commentary | FRANK J. CILLUFFO AND SHARON L. CARDASH

The selection of retired Brig. Gen. Gregory Touhill as the first U.S. chief information security officer is a key part of President Barack Obama’s Cybersecurity National Action Plan. Given the transition to a new administration, it’s not clear how long Touhill will hold the post. Regardless of who occupies the hot seat, however, the critical question is whether the U.S. CISO will have at his or her disposal the tools and authorities necessary to get the job done. Without them, the country will end up with a CISO in name only.

The CISO is charged with protecting government networks and critical infrastructure at a time when cyberthreats continue to change rapidly in terms of sophistication, breadth and speed. Concurrently, enterprise information systems and services are increasing in size, distribution, functionality and value — thereby increasing the potential surface for attack.

Given the position’s wide-ranging mandate, the CISO must have the ability to do more than simply conduct policy oversight; he or she must also possess the ability to enforce federal policy. That requires a cyber defense that is as tightly integrated as possible across the full span of the federal enterprise.

The current operational tempo reinforces the challenge, with technically advanced and determined state and non-state actors making headlines for their targeting of U.S. systems and assets in the public and private sectors. The extent of those intrusions has been startling, and neither agencies, such as the Office of Personnel Management, nor cornerstones of the country’s business community, such as the nation’s biggest banks, are immune.

The U.S. CISO will have to reach out widely to elicit and share information, explore best practices for cybersecurity and ensure their adoption governmentwide. In doing so, Touhill and his successors would do well to look to industry, where the role of the CISO has had greater opportunity to evolve and where associated best practices have reached a certain level of maturity.

As envisioned, the U.S. CISO will serve as a focal point for governance, from policy and planning through compliance. Placing that mission outside the purview of the CISO or granting compliance exemptions would undermine the overarching goal of shoring up the country’s cyber defenses. The point is reinforced by experience in the private sector, where security and a host of related functions have been concentrated in the CISO position to integrate work in a wide range of areas, including regulations and standards, technology evaluation and integration, and incident response planning and communications strategy.

As new technologies are added to the cyber defense arsenal, it is important to incorporate those instruments in a cohesive way that continually appreciates not only enterprisewide security but also organizational architecture, culture and processes. If policies are mandated but not enforced, additional costs will be realized downstream because remedying after the fact is almost always more expensive.

In a poll of experts conducted in March, just weeks after the creation of the U.S. CISO post, a strong majority of respondents were “cautiously optimistic about the new CISO’s ability to drive change across the government” (full disclosure: we participated in that survey). The U.S. CISO is charged with ensuring that all constituent parts — from federal agencies to their state and local counterparts to contractors and beyond — work together, and striving to do so is surely in the nation’s best interests given the consequences of failure.

Clearly, the U.S. CISO has his work cut out for him. Let’s hope he succeeds.

FRANK J. CILLUFFO is director and SHARON L. CARDASH is associate director of the George Washington University Center for Cyber and Homeland Security.