At a House hearing focused on the WannaCry threat and the government's security needs, Gregory Touhill, the first federal chief information security officer, pointed to what he called the most pressing security need for the country: for President Trump to appoint a new federal CISO.
“I urge the Congress to continue its great efforts to strengthen our enterprise risk posture, and I urge you to authorize and empower the federal CISO — which is currently not authorized or specified,” Touhill implored the House Science, Space and Technology committee on Thursday.
Touhill, who currently serves as adjunct professor of cybersecurity and risk management at Carnegie Mellon University, was deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security before Barack Obama named him to the federal CISO position in September 2016.
Obama created the CISO position as a crucial component of the administration’s $19 billion Cybersecurity National Action Plan unveiled in February 2016. The role is designed to oversee the federal government’s cybersecurity policy and implementation.
Touhill left the position in February after the Trump transition. In an exit letter he argued that the government should concentrate less on writing new policy and more on improving the organizational architecture and culture needed to carry out the policy that already exists.
Trump has left the position vacant. That is concerning given the growth in cyberthreats and in cybercriminal sophistication, not least because, without a federal CISO, no one in the administration is responsible for determining best practices across the government.
Touhill also called for renaming the NIST Cybersecurity Framework the National Cybersecurity Framework. While NIST did a great job of crowdsourcing the framework's creation, he said, its name should reflect that it addresses a national need.
Touhill said the inspectors general and auditing committees should assess the entirety of the government's IT systems and reinforce the need to conduct appropriate audits using the renamed framework. Cybersecurity bodies such as NIST, he added, should be giving direction to those conducting the audits.
“Cybersecurity is a risk management issue, but many people mistakenly recognize it solely as a tech concern,” Touhill said. “We need to harden the workforce, treat information as an asset and make risk management a priority.”