Meet the New Boss: The United States’ First Federal Chief Information Security Officer

Are we doing government work here or what?

Maybe you’ve been asked this question before. It’s a sarcastic put-down, the implication being that you’ve put in minimal effort and done just enough to satisfy a task’s requirements. If you’re a Chief Information Security Officer (CISO) in the private sector, it probably means a security breach happened on your watch. As of September 12, though, your superiors are going to need to find a new way to insult you. That’s because the United States just hired its first ever Federal CISO, according to a White House press release.

As if to underscore the need for the role, Republican congressman Michael McCaul said in an interview two days later that the Republican National Committee’s data had been breached. This comes on the heels of the hacking of the Democratic National Committee’s servers and breaches of the Illinois and Arizona voter databases.

With little fanfare, and a big job ahead of him, Brigadier General (retired) Gregory J. Touhill took on the role created by President Obama’s Cybersecurity National Action Plan (CNAP) earlier this year. Touhill has a long slog ahead of him to batten down the nation’s poorly protected digital hatches, but his experience speaks volumes about his preparedness for the job. He clearly has a sense of duty to the country, as well; his LinkedIn profile tells the story of a guy who could be making much more money in the private sector.

Touhill’s new gig appears to be blurring the lines between “government work” and the private sector. He’ll be reporting to Federal Chief Information Officer Tony Scott, formerly the CIO of companies like VMware, Microsoft, and the Walt Disney Company. Touhill will also be working with the Commission on Enhancing National Cybersecurity (CENC), which is made up of business and technical “thinkers” from outside the government and exists to recommend the latest technologies and strategies for fortifying the nation’s servers and networks, in and out of government.

So, Why Does This Federal Chief Information Security Officer Decision Matter to You?

We’ve seen this before: government policy and legislation bleeds into the private sector. In 2002, with the country in shock over the high-profile frauds committed by Enron, WorldCom, and Tyco, the U.S. Congress passed the Sarbanes-Oxley Act (aka SOX) into law, increasing oversight and accountability for publicly traded companies. The law drove innovation in the tech world so that these companies could maintain SOX compliance.

Archiving software suites like Enterprise Vault became a necessity for any company that was required to maintain compliance. With mandatory archiving of all emails and files came the need for more efficient storage solutions to house all that data. Costly technologies like Storage Area Networks (SAN) and Network Attached Storage (NAS) required large pools of expensive hard drives to keep up with the data demand, while software-based compression and deduplication tools became more robust to stretch out hardware purchases. SOX ended up being a huge economic stimulus, catalyzing new hardware and software investments that were previously unnecessary.

All of which brings us back to Touhill and the $19 billion proposed for federal cybersecurity that he and his team will have at their disposal to get government systems up to speed. And that’s just the cybersecurity budget for Fiscal Year 2017. There’s also another $3.1 billion proposed for the Information Technology Modernization Fund, which aims to retire and replace the legacy systems littering the federal IT landscape.

It’s not hard to imagine that the next decade will be a lucrative one for the entire hardware and software supply chain, from hardware and software vendors to middleman distributors to value-added resellers. With Touhill and the CENC think tank brainstorming on not just what is possible today, but also what should be practicable in the future, it’s very likely that they’ll have a huge impact on the IT security space in both the near and distant future.

Remember, too, that part of Touhill’s responsibility extends outside the reaches of government. It’s not just privately owned government contractors—who will be required to comply with federal IT policy—that are going to be affected. Online security for all Americans is another priority of CNAP. It’s not unthinkable that Touhill’s work will lead to legislation requiring more out of the nation’s banks and payment processors.

Touhill and his team will also be working with the National Cyber Security Alliance, along with tech giants Google, Facebook, and Microsoft, to arm citizens with the knowledge and tools to keep their own online accounts more secure. They’ll be focused on rethinking standard security procedures, like passwords and Social Security numbers, with an emphasis on multi-factor authentication and biometrics in order to better lock down citizens’ personal data.

So, are we doing government work here or what? If you’re an IT security professional, you’d better hope so. Contact SentinelOne today to learn more.