If you are being attacked, chances are pretty good somebody else in your industry is also under attack. And that is where information sharing can make a big difference
As the US government’s first chief information security officer (CISO) and now president of Cyxtera Federal Group, Gregory Touhill has an unparalleled view of the state of cybersecurity across the globe.
It has been two years since the retired Brigadier General stepped down from the post under President Barack Obama and joined the private sector.
The cyber landscape continues to evolve, he says, but one of the most significant changes he has seen is evidence that state actor groups - their employees, usually in the military - are in their private time engaging in cybercriminal activities.
“Some people do it as a side hustle,” says Touhill.
This, he explains, makes it extremely difficult from an attribution standpoint, to determine whether their actions are state-sponsored or solely criminal.
“Frankly, from my position, I treat them both the same.”
He adds that, “If you are an employee of a nation’s military, I still hope the military commander is responsible for what the troop does in their off duty time.”
“As a military commander, I sure know when my soldiers, sailors, and marines leave the base; the local police expect me to make sure they will be good citizens from a cybersecurity standpoint,” he states.
His firm views on command responsibility for cybersecurity stems from his experience across the military.
Before his appointment by President Obama to the CISO post, he was the deputy assistant secretary, Office of Cybersecurity and Communications, National Programs and Protection Directorate, Department of Homeland Security. In his last military assignment, he was Chief Information Officer and Director of Command, Control, Communications, and Cyber Systems at US Transportation Command.
First of all, retire the stuff that is not working or not working as well as it used to be
“Organisations of nation states should be held accountable for their folks and activities they are doing,” says Touhill.
In the private sector, the US has a series of laws both at federal levels and within states that if a person is engaged in illegal behaviour using the tools provided by that company, then that company can be held accountable for that criminal activity.
He shares that companies have been charged or fined for not properly controlling what is coming in and out of their cyber enterprises.
In his current role, Touhill talks to a range of C-suite executives, ranging from CEO, COO, CIO, and CFO.
The insights he shares with them have been distilled in his book, Cybersecurity for Executives, published in 2014.
“Regardless of who is in the C-suite, the discussion boils down to risks,” states Touhill, speaking to CIO New Zealand ahead of ISACA’s annual global technology conference, Oceania CACS, which will be held, for the first time, in Auckland.
“Ten years ago, the conversations were centred on technology,” he adds. “But as a new crop of C-suite leaders have emerged, those who have grown up with computers as a natural part of their business or personal life, the conversation is shifting to the discussion of risks.”
“That is very healthy, because cybersecurity is not just a technology issue. It is one involving people, process and technology.”
He says it starts with identifying the value of their information and going all the way to the disposition of that information throughout its lifecycle.
KonMari your security
He is all for keeping things simple, and this applies to cybersecurity: its policies and architectures.
“The more complex you make it, the easier it is to break it.”
“First of all, retire the stuff that is not working or not working as well as it used to be,” he advises.
To this, he turns to the ‘KonMari’ principles espoused by organising guru Marie Kondo.
“Marie Kondo talks about decluttering your house to get rid of things that don’t bring joy.”
“From a cybersecurity standpoint, we need to declutter,” he says, “to reduce the complexity for cyber operators with modern and secure tools that are more effective.”
He cites, “across the globe, we adopt a [technology] strategy that unfortunately leads to a kind of cluttering effect.
As an Air Force general, I learned you never fly into the cloud unless you know what is inside it or on the other side. From a cyber standpoint, you have to have that same level of caution
“We make our systems extremely complex. And then, we just layer on something new on top of the technology that we got last year. And then we keep on adding year after year.”
“For the user, this does not make their experience any better,” observes Touhill. “For the backend staff, the people who administer everything, it makes it horribly complex.”
He says this approach also adds to the cybersecurity workforce gap, because more people are needed in the backshop to manage all the equipment and tools.
According to Touhill, a great example of decluttering is with virtual private networks. VPNs really hit the market in stride in the 1990s, he says.
During that time, he has also coined ‘Touhill’s Law’, where one human year equals 25 computer years.
If you look at VPNs, they are hundreds of years old under Touhill’s law, he says. “That is old technology for people that manage firewalls.”
“VPN management chews up most of the time in their ageing firewalls in the department.
VPNs drill a hole in the firewall and neuter your intrusion detection system,” he states.
“We need to get rid of VPNs and replace them with what is called software defined perimeter, which is easier to manage.”
“That addresses the decluttering.”
The SecDevOps world
The shifting technology environment has also prompted him to update his book on cybersecurity.
He reveals that a new edition is coming out before the year ends with a chapter on ‘Flying into the clouds’.
“A lot of folks are embracing cloud technology, which, I think, is a wonderful thing. But in that chapter, I am sharing lessons learned how to successfully fly into the cloud.”
To this he shares an analogy to his military life. “As an Air Force general, I learned you never fly into the cloud unless you know what is inside it or on the other side.”
“From a cyber standpoint, you have to have that same level of caution,” he states.
It’s not DevSecOps...it is SecDevOps
He is adding a section on Zero Trust as a strategic approach to managing information.
“It is one I have embraced as a strategic model from a risk management standpoint.”
He reminds technology and digital leaders that it is not about DevOps or DevSecOps.
“It is SecDevOps,” he declares. “You need to make security your requirement upfront before you start building or buying something. And be secure by design.”
This time, he looks to the civilian world for a similar model. “I call it ‘the cyber neighbourhood watch’ concept,” he says.
“I would like to encourage people to be like, ‘if they see something they should say something,’ because nearly every cyber attack by a nation state or a criminal actor is not a specific target,” he stresses.
“It is part of an overall campaign. If you are being attacked, chances are pretty good somebody else in your industry is also under attack. And that is where information sharing can make a big difference.”
Addressing the cyber skills gap
Touhill discusses another challenge facing the industry - the huge dearth of qualified cybersecurity professionals.
He says there are innovative ways to get people in the security career field to offset some of these gaps.
“If we are smart about it, we can take people from other fields, give them the right training and education, and we can close the cybersecurity skills gaps in short order.”
He points out that government agencies can look at organisations to see who are underemployed, or who has been made redundant.
“For instance, autonomous vehicles are coming down the road and I see long haul truck drivers’ days are numbered. If I were still in government service, I will be working with Teamsters (unions) to start [training] some of those truck drivers to be cyber professionals.”
“It is important both to have continual education and training, as well as take a look at those jobs going away and being able to pivot away into those cybersecurity jobs.”
“If you are in a career field that you don’t like anymore or you have been made redundant and want to pivot to a cybersecurity role, make sure you have a basic understanding of how to use a computer.”
He says, “Most local governments, schools in the US and community colleges will offer that basic training. There is also a lot of great online courses as well.”
He says organisations like ISACA provide training and certification programmes.
Touhill, who serves as an ISACA board director, maintains the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) professional Cybersecurity certifications.
Never stop learning
On gaining the ISACA certification, he says, “That was a long sit down test of many hours, but it was worth it because it helped me focus as a senior leader in the cyber business.”
He was with the US Air Force for more than 30 years and says among the best cyber professionals working for him have previously been Air Force police officers or security forces.
“These people retrained in mid-career and became highly advanced technical experts in their field,” he discloses.
Touhill says there was also a clerical secretary who took some courses in computer programming. She went on to higher roles until she was one of the most senior civilians in information and cyber at the US Air Force.
“I don’t think there are any limits for training and reskilling,” he states.
Organisations can look inside their call centres. He says staff in these centres are in different tiers. “Tier 1 requires basic skills, and we can bump up these people to learn more and upskill to tiers 2 and 3.”
He notes that another source of cybersecurity staff are retired people or students who want to work part time.
“Internship and apprenticeship programmes are also a way to increase the pipeline of cybersecurity professionals.”
He shares that Cyxtera Technologies has launched an internship programme this year.
At a recent company conference, he met one of these interns who was assigned to the threat analytics team. “The student is working towards a bachelor degree in computer science and when he is not studying, he works on specific projects for the company,” says Touhill.
“When he graduates, he will join our company, which is great.”
He stresses the importance for those who wish to go into cybersecurity to get training certifications. “Never stop learning,” he adds.
There is a lot of great additional training available, he says. These can be through periodicals and going to different conferences.
“You can learn and share from your peers in those conferences,” says Touhill, who is an adjunct professor on cyber risk management at Carnegie Mellon University's Heinz College.
These conferences, according to Touhill, are a meeting of the “cyber neighbourhood watch” he earlier described.
We share what we are seeing in the threat environment and best practices on how to deal with that… In cybersecurity, you get bonus points for copying
“We gather as a community, we share what we are seeing in the threat environment and best practices on how to deal with that, because you never want to reinvent the wheel.”
“I like to say in cybersecurity, you get bonus points for copying,” he states.
He does, nonetheless, want cybersecurity training to permeate across all industries and professions as well.
“I think every career field really needs to have some cybereducation.”
He points out that several companies now recognise the fact that cybersecurity is expected not to be used as a cost centre, but a driver of the business.
Companies are also using their cybersecurity strategy as a marketing tool to help customers understand that they are implementing best practices.
“One of the things I have always been adamant on is this: Don’t fall for the trap of just going with compliance alone.
“I like to say compliance doesn’t bring you best practices, but best practice always brings you compliance.
“Compliance merely gives you the minimum and the minimum is not enough in today’s highly dynamic cyber world.”
Sign up for CIO newsletters for regular updates on CIO news, career tips, views and events. Follow CIO New Zealand on Twitter:@cio_nz
Send news tips and comments to email@example.com @divinap
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.