The White House Appoints the First Federal Chief Information Security Officer

Published: September 14, 2016


The White House has picked retired Brigadier General Gregory J. Touhill as the first Federal Chief Information Security Officer (CISO).

The appointment of a CISO has been anticipated since February, when the president announced a new $19 billion Cybersecurity National Action Plan (CNAP) focused on improving the cybersecurity posture of federal agencies and beyond. The official announcement of Touhill’s appointment came in a recent blog post by Federal Chief Information Officer Tony Scott and Special Assistant to the President and Cybersecurity Coordinator J. Michael Daniel.

Touhill, a retired Air Force brigadier general, will move from his current position as the Deputy Assistant Secretary for Cybersecurity and Communications in the Office of Cybersecurity and Communications (CS&C) at the Department of Homeland Security (DHS), where he has been focusing on improving the protections of government networks and critical infrastructure. In the new role, Touhill will assume government-wide oversight of cybersecurity policy, planning and implementation across the federal government.

The White House’s announcement also included the appointment of Grant Schneider, currently the director for Cybersecurity Policy at the National Security Council, as the acting deputy CISO.

In creating the new gov-wide CISO role, Scott and Daniel noted that in “looking at successful organizational models across government, it became apparent that having a career role partnered with a senior official is not only the norm but also provides needed continuity over time.”

As one might anticipate, the announcement elicited almost immediate reactions among federal insiders that got picked up in the media. Since the position is a political appointment, Touhill’s immediate tenure may only last through the end of the Obama Administration, which is entering what many consider the traditional lame duck period of a presidency as the focus turns to the current presidential and congressional elections. That said, Touhill’s experience may be viewed as a much-needed asset during the transitional period between administrations that has already begun, with current leadership vacancies mounting and both Democrat and Republican transition team meetings underway with the Obama team.

So what might Touhill attempt to accomplish in the days he knows he has before the transition? Some of his recent public comments might provide clues. Speaking at a recent industry event, Touhill stressed the need for agencies to improve the communications between their cybersecurity staff and their operations managers, citing cyber-pros’ tendency to focus on compliance.

Another big challenge he highlighted is that of the widespread prevalence of what many call “shadow IT” – any IT systems, software, or devices that are deployed without the knowledge or oversight of the agency’s CIO or cybersecurity staff.

These challenges and others – involving both IT management and cybersecurity issues – have a large cultural component to them, so effecting change in the short term may be difficult, especially with the shifting sands of the transition only gaining in tempo. Yet many in career leadership positions within agency IT shops will continue to serve in those positions, and an administration transition may afford a prime opportunity to make some cultural and operational adjustments that achieve some long-term gains.