Summary
Join Dr. Sean Costigan from Red Sift as he converses with Gregory Touhill, the first Chief Information Security Officer (CISO) of the US Government and a distinguished cybersecurity expert. In this insightful episode, Touhill shares his wealth of experience from leading the Software Engineering Institute’s (SEI’s) CERT division, serving in the Obama administration, and his extensive military career.
The discussion delves into the National Initiative for Cybersecurity Advancement, emphasizing the critical aspects of visibility, awareness, usability, capabilities, and flexibility in cybersecurity. Touhill reflects on the evolution of cybersecurity from a technical issue confined to server rooms to a strategic concern at the boardroom level, underlining its integral role in risk management.
Touhill’s influential book “Cybersecurity for Executives: A Practical Guide,” is highlighted, showcasing the enduring relevance and adaptation of his insights over time. The podcast also explores his current focus and effort at the Software Engineering Institute and his forward-looking perspective on cybersecurity’s future.
Key takeaways from this episode include the importance of proactive cybersecurity measures, the necessity of cybersecurity education across all sectors, and the urgent need for enhanced information sharing within cybersecurity communities. This episode is a treasure trove of knowledge for anyone interested in the critical field of cyber resilience.
Episode Links
Follow Greg Touhill on LinkedIn: https://www.linkedin.com/in/gregorytouhill/
Follow Sean Costigan on LinkedIn: https://www.linkedin.com/in/seancostigan/
Get Greg’s book “Cybersecurity for Executives: A Practical Guide” on Amazon
Read more about the SEI at https://www.sei.cmu.edu/
Get the Cyber Resilience Report from Red Sift here: https://blog.redsift.com/cybersecurity/red-sifts-global-state-of-cyber-resilience-report/
Episode Transcript
[00:00:00] Sean: Hi, I’m Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and this is Resilience Rising. [00:00:09] Sean: We’re talking today with Gregory Touhill. Greg is the Director of the CERT division – the SEI’s world-renowned CERT division. That is where he leads a diverse group of researchers, software engineers, security analysts, and digital intelligence specialists working together to research security vulnerabilities and software products, contribute to long-term changes in network systems, and develop cutting-edge information and training to improve the practice of cybersecurity.Greg Touhill was appointed by former President Barack Obama to be the first CISO (that’s the Chief Information Security Officer) of the United States Government. And previously he served in the Department of Homeland Security as Deputy Assistant Secretary in the Office of Cybersecurity and Communications.
Before joining the Software Engineering Institute, he was the President of AppGate Federal, a provider of cybersecurity products and services to civilian government and defense agencies. Touhill is a 30-year veteran of the US Air Force, where he was an operational commander at the Squadron Group and Wing Levels.
He’s also a combat veteran. He’s a recipient of numerous awards and decorations, including the Bronze Star Medal and the Air Force Science and Engineering Award. He retired from the Air Force with the rank of Brigadier General.
A member of many organizational boards and committees and recipient of many awards, Greg was recognized by Security Magazine as the most influential – as one of its most influential people in cyber, in security and by Federal Computer Week and Federal 100. He’s a co-author of books and we’ll be talking about one of them – and his plans to perhaps make some changes if there are gonna be any to that – “Cybersecurity for Executives: A Practical Guide,” and “Commercialization of Innovative Technologies.”
So welcome Greg once again and thank you so much for taking time.
First question, if you don’t mind. What are you working on these days? I know there’s going to be quite a bit and we’re so excited to hear.
[00:01:55] Greg: I’m very fortunate to work here and continue my service to the country at the Software Engineering Institute, which is a federally funded research and development center, chartered by the United States Department of Defense.And my team and I have been engaged in a wide variety of research and development activities that range from pure research all the way into applied research. And one of the really exciting projects that we’re coming to conclusion on right now is a research project that we call the National Initiative for Cybersecurity Advancement.
It is a research study that is evolving into a plan of action or a call to action for the future of cybersecurity engineering. And we’ve taken a look at the state of cybersecurity as well as looking where it ought to be. Doing like Wayne Gretzky in hockey, trying to skate where the puck is going to be, as opposed to, staying in a corner where it currently is.
And we’ve been using, I think, a very interesting taxonomy in our research and taking a look at five elements of the cyber security experience and where we can get better in all five. And if we address all five, we think of the community – those who produce the software, those who produce the hardware, those who do the networking, even the users.
If you address these five, we think we’re gonna raise the bar on cybersecurity. And we chose a pathway for research and development in all five areas. And those five areas are visibility. We need to have better visibility into the status of our data and our transport mechanisms and such.
Awareness is much more than just the cyber professionals. It’s everybody in the cyber domain and the cyber ecosystem. We need to be aware of the situations around us. In the military, we call that situational awareness.
The third is usability. We have so many products that come out and they’re complex. They’re so complex, they confound users, and we see continued misconfigurations that are exploited by adversaries. And I think complexity is the bane of security. And one of the leading causes of cybersecurity breaches is stuff that is basically too complex for most users. And we address that in our study.
The last two are capabilities. We want to make sure that our research and development efforts across the community of interest really produce meaningful capabilities that are useful in the environment today as well as tomorrow.
And then as part of that, the fifth attribute is flexibility. We have too many things that are very specific to a specific device or type of application. And, having flexibility that can work on, a product that can work easily regardless of is it a TCP IP based network or is it some other network? Is it an Apple device? Is it an Android device? Is it a Windows space device? I want the flexibility to be able to use those types of tools across different architectures and different mission sets in a manner that makes it easy for the operators.
So the users and taking a look at cybersecurity through those lenses of awareness and visibility and flexibility and capability. And the different attributes that we’ve identified with those five, I think are critically important.
We’re going to be delivering that report to our sponsors in the Department of Defense by the 30th of June.
I think it’s going to be a great document that will be useful outside the Department of Defense and across the whole cyber ecosystem because the DOD and its partners aren’t the only ones who are part of that cyber ecosystem. It really takes a whole community of researchers in government associated with government as well as in the private sector working together to make that cyber neighborhood even better for everybody.
[00:06:47] Sean: That’s wonderful news, Greg. Let me ask a follow on question about that report. So will it be publicly available? Is it unclass? And how will we be able to see it? [00:06:58] Greg: That’s a great question. And we actually wrote the report or are writing the report at the unclassified level so that it could be released by the department.And there is of course, a release process that the Department of Defense will follow, but we wrote it specifically so that it could be consumed and used by a wide audience. So I’m hopeful that the department and its process will move quickly so that we can widely share this report.
Sean: Brilliant. Does it have a name?
Greg: We’re calling it the National Initiative for Cybersecurity Advancement: A Plan of Action for the Future of Cybersecurity Engineering.
Sean: Love it. Great. Not an acronym either. That’s fantastic. Not yet. Yeah.
[00:07:47] Greg: You could say N-I-4-C-A, but I believe acronyms are an impediment to effective communication, so we avoid the acronyms as much as possible. [00:08:00] Sean: Greg, I’m keen to talk with you a bit about your book, “Cybersecurity for Executives: A Practical Guide,” which you wrote back in 2014. Think about 2014, we had the Sony attack and there are quite a few differences perhaps between what we see today in 2024 and what was happening a decade ago. Can you talk to us a bit about the motivations for your book in 2014, what you think was different then and what you think might have stayed the same today? [00:08:54] Greg: It’s a great question and I really appreciate the fact that you asked it. Just as a point of clarification, I actually wrote the book in 2013, and it took until June of 14 for the publisher to publish it. When I was going through the process of retiring from the military, I didn’t know exactly what I wanted to do for my next step.But through a process of talking with mentors and such I nailed it down that I wanted to continue my personal mission of better securing the United States and its national security and prosperity in the cyber domain. That’s really the sweet spot for what I’d been doing during my professional military career is defending America.
And I wanted to continue to do that. After 30 years, one month and three days of active duty service, I figured I still had a lot of tread on my tires and I could continue to serve in other ways. And Vice Admiral Retired Mike McConnell, former Director of National Intelligence.
He became one of those mentors and he suggested I continue my service to the country. And I said, ‘gee whiz, I didn’t even think I could do something like that.’ After the Air Force said, Hey, you’re done. We’re not gonna, we’re not gonna be advancing guys like you beyond that one star right now.
So it’s time for you to leave, make room for others. Next thing I know, I’m identified as the next deputy Assistant Secretary for Cybersecurity and Communications at DHS, and I knew that I had to go through the vetting process to assume a role like that.
So as I was preparing to go to DHS I had some time on my hands and I was teaching at Washington University in St. Louis and helped create a Master’s of Cybersecurity Management and a Master’s of Information Technology Management.
But my students were saying, you ought to really write a book. And I thought about it and I said, yeah I’ve got a lot of different experiences and most executives, and this was 2013, most executives don’t necessarily understand how things work and why.
And don’t necessarily have the tools to make informed cyber risk decisions because ultimately cybersecurity is not just a technology issue, it’s really a risk management issue for businesses everywhere. So I wrote towards that executive who isn’t a cyber professional, who’s an executive trying to get things done in their company and is trying to manage risk.
And that could be a business executive in the C-suite, it could be a board of directors member, it could be a middle manager who is trying to best manage risk in a very engaged information technology environment. So that was my motivation. And I actually delivered the text to my publisher the day before the Target breach was announced.
And, after the Target breach was announced I called the publisher’s rep and I said, you probably want to accelerate publication of this. But it took them actually longer to publish it than it took me to write it.
So that, that’s a little bit of background on that book
[00:12:30] Sean: Or maybe longer than Target took to remediate a complicated problem. [00:12:35] Greg: Let’s not bash Target because they were a victim. [00:12:38] Sean: No. I mean that – I’m bashing publishers – because Target did, they were a victim and they did a fantastic job in response.So let me ask you a follow-up because this is really about our adversaries and the adversaries that you see in cyberspace.
So they clearly are availing themselves with new technologies. They’re always being creative. That organizations are getting better. In the time that you’ve been looking at this problem, are they also availing themselves with new technologies and getting better? Or is complexity causing other problems?
[00:13:07] Greg: There’s a lot to unpack with that question. Yeah. First of all, when I was writing the book back in 2013 we were in an era where cybersecurity was still firmly a server room issue where, oh, you gotta. ‘Somebody’s trying to hack into us, Hey, you cyber people, you know it, people go fix that. Make it go away.’Now, and I hope that my book has helped some folks really reframe the cybersecurity issue from the server room where it used to be back in 2013, to the boardrooms where it is today. And during the interleaving time, I’ve had a lot of different jobs where I’ve tried to help shape that conversation and bring the conversation as cybersecurity is a risk issue and one that needs to be on the agenda, not only in the server room community, but in the boardrooms and the classrooms, in the dining rooms.
It needs to be something that we need to be addressing throughout our culture because our societal elements, our business the way we educate ourselves, the way we communicate the way we do our banking and shopping, all of this has become reliant on a fabric of exquisite tools and communications and information technologies and software-intensive systems.
But each thing as it moves into the fabric of our lives really boils down to there’s a risk to our data. There’s a risk to our privacy. There’s a risk to our intellectual property. We need to have conversations about that risk if we want to be good stewards of our data, our intellectual property, our knowledge, our privacy, which is an intrinsic part of what we want to protect along with civil rights, civil liberties, intellectual property, and competitive advantage.
So I think in the 10 years since I wrote this book we’ve seen improvements, but we have a long way to go. And here in America, we need to have a very open and public conversation about what we want privacy to look like. In the coming 10 years, particularly with the advent of large language models and artificial intelligence, the growth of machine learning and such privacy, civil rights and civil liberties, I think is something that is on the precipice.
And we need to have that very informed discussion in the public discussion and how we want to go forward. And I think that’s something that most Americans don’t necessarily have themselves postured to look at. But that’s a conversation that I’m hoping to help influence as we move forward.
Sean: There are glimmers of hope though, aren’t there? If we think about what’s happened in the EU and in the United States with the SEC, there’s so many new provisions and efforts that are underway that I think there’s movement in the right direction. What do you think?
[00:15:58] Greg: Thank you. There’s glimmers of hope everywhere. And, for me and my team here at Carnegie Mellon and the CERT division of the Software Engineering Institute we’re very engaged in multiple forums out there.And one of those many glimmers of hope and growth we’ve been doing some work with the National Association of Corporate Directors and NACD, that acronym, the National Association of Corporate Directors has embraced the role of executives in cybersecurity.
And we’ve actually as a CERT team provided content to NACD for basically cyber certifications for their executive certification programs that NACD runs. And over the course of the last couple of years, we’ve seen tens of thousands of board of director members and aspirants that have taken that cybersecurity certification course through the National Association of Corporate directors.
And I think that’s been really helpful in bringing the conversation. On cybersecurity to the top of the agenda in America’s boardrooms and really framing it as a risk management issue. So I’m really proud of the work my team here at CERT has been doing to help not only the Department of Defense but also those companies that are part of that critical infrastructure supporting national security and national prosperity.
So we’re building up a lot of momentum and we continue to see corporate America embracing the call to action to provide better security of our data, our privacy and such.
[00:18:00] Sean: That’s just excellent. It’s another glimmer of hope, Greg. And when you fight the work, particularly of the National Association of Corporate Directors and what they’re doing, I know you’re deeply aware of it, but for our audience, there’s a new [00:18:00] Director’s Handbook on Cyber Risk Oversight, which was recently released.And its first principle is that the directors need cybersecurity as a strategic enterprise risk, not simply as an IT risk. So that’s its first principle in concurrence with everything that you just said, a question comes to mind. I’ve been noodling on this for a while, and I know you have deep thoughts on it really gets back to how can organizations best inform right after they’ve had an incident?
Where there’s been an issue in cyberspace, and as a corollary, I think. One of the worries that many have is that there’s security fatigue that may be sitting in with organizations, either that people feel they may not be able to care as much because it’s becoming too commonplace to have cybersecurity incidents.
But how does that all resonate with you? What do you see in the future in terms of just who’s reporting out to whom?
[00:19:00] Greg: I think it’s an interesting conversation on the reporting and I think it starts with being honest. And if we think of ourselves in a neighborhood watch, the physical neighborhood watch, if one of my neighbors, his house gets broken into, or, somebody smashes the window of their car and grabs a purse or a phone or something that was left behind in the car.As a neighbor, I want to know about that because there may be a threat to my house or my car. We’ve set up a construct that goes back decades on being good neighbors and having those cyber neighborhood watches and sharing with our neighbors when there’s something unusual or potential threat in the neighborhood.
I’ve been a big proponent of what I’ve called, going back to the 2013, 2014 timeframe, the “cyber neighborhood watch.” And I believe it’s just being a good neighbor when if you’ve been attacked by a threat to share within that neighborhood, Hey, this happened to me, here’s the lessons learned.
This is what we’ve learned about ourselves as well as what we’ve learned about the aggressors out there, so that the whole neighborhood can learn from that and take proactive measures to lessen the risk of a subsequent attack on the neighbors.
Now, here in the United States, we’ve got if you’re a publicly traded company, the Security and Exchange Commissions has taken some of the lessons learned through the work my team did at DHS and are working through our sector coordinating councils across the 16 critical infrastructure sectors and best practices, a as well as information sharing that we were promoting in DHS and leveraging the lessons from the CERT here at Carnegie Mellon.
And now there’s guidelines for publicly traded companies as far as when to report how to report and the content on some of that mandatory information sharing.
But I’d much rather, instead of the government saying, you gotta do it this way and you gotta do it – I’d much rather see folks voluntarily sharing information. And we’ve seen a dramatic growth over the last 10 plus years of companies stepping forward and saying, ‘Hey, I, I had an incident. Here’s what happened. This is what we’ve learned and this is what we recommend.’
And I think a great example of that was during the Solar Winds breach where Kevin Mandia of Mandiant and FireEye, Kevin stepped forward and raised the alarm and said, ‘We detected a breach within our own company. And here’s what we learned. This is what has happened. This is how the adversary was able to get in, and here’s what you can do about it.’
That kind of leadership, we’re seeing more over and over again now as companies are sharing what happened to them and what to do about it, what the lessons learned are.
We’re seeing more people reaching out here in the United States, for example, to the Internet Crime Coordination Center or IC3. Where the FBI is saying, ‘Hey, please let us know when you’ve had an incident in your life. Your home, cyber life or your small business or whatever. Let us know when you’ve been victimized. Let’s see what we can do to help you.’
So I’m seeing growth in that and I’m encouraged by the transparency a lot of folks are proactively sharing. But I also am heartened by the government here in the United States saying, please do share. And if you are in fact a company that’s publicly traded SEC the Security Exchange Commission is that said, these types of incidents affect the value and the risk of companies.
And based on their charter, they have set some guidelines and it has really gotten the attention of business executives in private companies as well as publicly traded companies. And I think it’s really changing the landscape of information sharing, not only here in the United States, but around the world.
Sean: I’m really fascinated with your notion of a cyber neighborhood watch, and it brings to mind the broken windows theory, which was put into play in New York City. This notion that in a neighborhood, if a window’s broken, then there’s a fundamental [00:24:00] opportunity that crime follows opportunity. You see a broken window, and they’re able to get in, and they’re able to do damage.
[00:25:00] Greg: I think this is one of those things where if you take a look at that cyber neighborhood watch, you’ve got watch captains in the physical world. And within the cyber neighborhood, watch, think of the CERT, my organization as one of the watch captains. We’ve been – for – going back to 1988 when the CERT was formed as a part of the Software Engineering Institute, we’ve been dedicated to identifying best practices and bringing organizations together to look at the best practices and software engineering and cybersecurity engineering.And now with the Software Engineering Institute, artificial intelligence engineering as well. So I like to think of us as a watch captain within that neighborhood watch in the cyber domain to identify those best practices that are out there and how to code your applications better, how to configure your systems better. How to make sure that you in fact are using some of those best practices that we’ve identified, such as scanning on your inside of your network for vulnerabilities, but also scan your network from the outside, looking for those publicly facing vulnerabilities and fix them.
Looking at your web presence. We can continue to see folks that put up web pages that are just coded poorly and have fundamental weaknesses, enabling things such as cross-site scripting where if you don’t code your data entry properly, folks can put in command lines in your own webpage that say, ‘oh, I want to take command control of this data presence through a webpage.’
We’ve identified best practices for detecting those things and how to fix them front upfront. But that’s largely been proactive, or pardon me, that’s largely been a reactive type of measures. We want to continue to be very proactive and show folks how to do things right from the beginning. And that’s really where that National Initiative for Cybersecurity Advancement and those five areas, the awareness, the usability, capability, flexibility, and the capabilities here.
We want to be more proactive as a community and as that cyber neighborhood watch captain, I’m trying to make sure that we are being more proactive, locking those doors ahead of time, making sure that all the windows are shut, making sure that our code our, the software, the hardware and the humans, the wetware, are all secure by design and secure by default.
And we’re joined in that. Cyber neighborhood watch captains group by organizations such as what we see at the Department of Homeland Security with the CISA organization, the Cybersecurity and Infrastructure Security Agency, the folks at NSA’s Cyber Security Division, and the work that they’ve been doing.
There’s private sector and public sector and nonprofit organizations. Each one of them are part of that cyber neighborhood watch and provide great support to their communities of interest. I’ll give shout outs to the Information Sharing and Analysis Centers from the Critical Infrastructures.
They do great work and the Financial Services Sector ISAC is arguably the most mature and most effective, but everybody is part of that information sharing fabric. And together I think we can make the cyber neighborhood a better place.
[00:28:00] Sean: Thanks. Thanks, Greg. That gives us hope.So having just come out of RSA and seeing so many active vendors, and I know you’re a veteran of RSA and many RSAs, but seeing so many vendors at work and a lot of complexity still and it gives us some pause because I worry a little bit about what’s it look like if we have no single pane of glass?
You hear very many vendors saying, we’re going to give you a single pane of glass. But the reality is something different from what I can see. So how do you see cybersecurity vendors working together or in a way that improves the public-private partnership?
[00:29:00] Greg: I think every vendor that’s out there that I’ve run into they’re trying to do the right thing and but they’re also trying to do the right thing for their shareholders and stakeholders as well. And there’s a lot of really great ideas that are out there.However, I think there’s a great deal of fatigue amongst the business community with all the different products that are out there, and particularly the ones that are very proprietary and don’t follow some of the best practices that we at the Software Engineering Institute have been promoting such as leveraging open systems and open software, the proprietary code becomes a problem and the integration and interoperability becomes a problem as well.
There are some vendors out there who are promoting some really interesting products, but if it takes me 18 months to train up somebody to get to a modicum of performance where I don’t need to have a contracted expert looking over their shoulder, that value proposition diminishes considerably. And that complexity has really become the bane of security.
One of my colleagues here at the institute has said, ‘Greg, you say complexity is the bane of security. I say that simplicity is the arch nemesis of our adversaries.’ And I think that’s something for companies everywhere that are looking at products and services to really take it to heart – that we want things that are secure by design and secure by default, I should make it easy enough. I take it out of the box. It should be easy to install. It should come as much as possible, preconfigured. To be secure. Not, open up and then you’ve gotta have a PhD or years of training in order to properly configure and install this stuff.
Too many products out there require a great deal of education, a great deal of training, and that serves as an impediment to folks wanting to buy their products.
And if I can’t integrate it into my existing systems, then that becomes a problem. And as I’ve walked the floor of RSA and talked with many different vendors, one of the questions I like to ask is, if I buy this product, what do I get to retire in my own infrastructure? How does this make my infrastructure and my cyber fabric – how does that make it simpler? How do I reduce my costs? How do I retain, reduce my training costs for my personnel? How do I make it easier to hire people who can come in right away and use this tool? And unfortunately, almost every company when I ask those questions, they have a quizzical look on their face or they wave over somebody to try to help them because they don’t have really good answers on that.
And I think that’s a challenge for a lot of these startups, but it’s even a bigger challenge for some of the really large companies in the – the software, the network, and the, the data platform companies, the cloud providers. That becomes a huge issue for them because they don’t have those answers that are readily available.
I think most consumers – and I’m one too – don’t necessarily want to add layer upon layer and buy more and more. I want to control my costs from a business standpoint.
I want to make sure that I am adding security capabilities to protect my data and my intellectual property, my competitive advantage in the marketplace. I want to control costs. I want to add security, but I want to reduce my funding expenditure. And I want to provide greater value to my stakeholders and shareholders that are out there.
Companies out there are not talking about the value proposition, they talk about specific technical aspects, but not the user experience, not the business value. I think there’s a lot of work that we can do as a community to do better than all of the above.
[00:33:00] Sean: We talked a bit about the SEC’s new cybersecurity rules. What do you think about class action lawsuits? Do you think that lawsuits have helped shape the desire by business executives to get a jump on better cybersecurity measures?Greg: Oh, gee whiz. I’m not a lawyer, nor do I play one on tv. If you’re seeking legal advice from me, I would say to you where let’s talk though about the SEC, and I’m certainly not an expert in the Securities and Exchange Commission, nor do I want to be.
But the Securities and Exchange Commission, and you can take a look in in my ‘Cybersecurity for Executives’ book, because I do cite the SEC back then with the guidance that they had put out through, if I recall the acronym correctly, it’s CFDG2. So it’s in the index in the back. You can take a look.
But in essence, back around the 2010, 2012 timeframe, somewhere in that period of time, the Securities and Exchange Commission talked about finance as part of financial guidance and disclosures. They gave some guidance back then. And we’re talking now what 10 to 13 years ago the Security and Exchange Commission had recognized that you have value at risk.
So what we’ve been seeing out of the government and the regulatory mechanisms that are out there, is an evolution, not a revolution. So these class action lawsuits and some of the regulatory fines, I don’t see as revolutionary, but rather a consequence of evolution.
In some of those best practices, the widespread promulgation of those best practices. And then further, the proliferation of executive education and presence in, in the cyber – cyber management and risk management realms. The NACD course on cybersecurity that we talked about earlier in our conversation, the National Association with Corporate Directors, has been engaged for many years in educating executives on proper risk management, cybersecurity, and the like.
So I think, from a public standpoint, there’s been a long history now that extends past a decade of the warnings in the neighborhood. This is an issue, pay attention to this, here’s some of the best practices, here’s the things that you should be doing to protect not only your current investors, but prospective investors.
So the caution has gone out there, the information sharing has gone out there. And we’re at the stage now, and this is just my own personal opinion and does not reflect that of the commissioner, major league baseball, the SEC, the University or whatever. It’s just my opinion.
I think at some point there, folks who are looking out after the public good have said, ‘If you are not going to follow the best practices for prospective investors and current investors, there’s gonna be some consequences from the regulators. It’s got the attention of the regulators and you need to follow some of those best practices. And here’s where to look.’
And the SEC from my perch has been taking a very tempered approach over the last 10 plus years in putting up the calls to action for publicly traded companies. And some of the stuff that we’re seeing now is a consequence of that long history of identifying best practices and expectations for publicly traded companies.
[00:37:00] Sean: Thanks, Greg. Couple questions that we can take in order, I know they’re big thought questions, but as you know, the Biden administration has put a lot of stock into cyber resilience, and most recently there have been new orders and new plans that have been released. But the word resilience gets used a lot, doesn’t it?Sometimes it gets abused, as far as I’m concerned. It’s not just some fabled land. I think about this quite a bit, particularly because I’ve been working on a global resilience report. And when I think about it, then I have a question for you. What can organizations do to become more resilient? What does cyber resilience actually mean for them?
And not just to give lip service to this idea, but what’s it look like? And so I think it’s doable, and I bet you do too.
[00:40:29] Greg: Oh, I do. And as a matter of fact, over my bookshelf, I’ve got a bunch of books on resilience. Some were written here by some of my predecessors at CERT where this has been a concept.I think the first risk maturity model. And resilience maturity model publications came out of CERT back around 2004 timeframe and General Touhill got a copy of that real quick and started incorporating it into my organization. I think that some of the research that’s been done here at the Software Engineering Institute on Risk and Resilience and the linkage between the two has been groundbreaking, but it’s also nearly 20 years old.
We’ve got those publications here that we’ve widely shared, but I will tell you that General Touhill used that when I was, for example, the J6 or the Chief Information Officer of US Transportation Command to improve our operations. It wasn’t just defense, but it was to improve our operations and make us more resilient so that we could as I would tell my peers, so we could take a cyber punch and keep on going.
You need to have that resilience in your operations, because it’s a business imperative – it makes you better as a business. And it doesn’t matter if you’re in the military or critical infrastructure or it doesn’t matter what your business is. Resiliency gives you the opportunity to take that cyber punch, but keep on going.
So I’m heartened that it’s part of the conversation. And I know CISA has been citing a lot of the work that we’ve done here at the Institute, but also a lot of the work that when I was at DHS, that was part of our conversation as well. We’re shaping the environment so that you can, in fact, in the digital world, take that cyber punch and keep on going.
So there’s plenty of good documentation out there. I would recommend folks that you know, they can go to their favorite search engine and browse Carnegie Mellon and resilience are just go to our website at sei.cmu.edu and then the keyword search block just type ‘resilience.’
We’ve got lots of documentation that we’ve put out on our website for public consumption and best practices to measure resilience. And importantly, how do you articulate that in not only the boardroom, but in the classroom, the living room, wherever you are. How do you take a look at cyber resilience?
We’ve done some great work on that, and hopefully if you go to our website, we can help
Sean: So thinking about this a bit more, if we go back to what you were working on in 2014, how did you know that being able to ask executives would get to the right questions and that would help us all go further?
[00:41:00] Greg: I had over 30 years of experience as an officer in the military.And during my time, one of my jobs, I was an installation commander. I was commander of the 81st training wing in Keesler Air Force Base. I was in charge of 12,500 people in a community of about 35,000. I had a $3 billion budget that included all my operations and maintenance, the military construction to rebuild from Hurricane Katrina.
And I was a business executive. I was the largest employer in southern Mississippi, in 25 counties in Southern Mississippi. We had a huge economic impact even though you wouldn’t consider me a traditional business executive, darn I was, I had to manage all those different things and lead all those people.
So in the military, I got great training and experience being a leader. And leaders, lead people, managers manage stuff. And if you want to be a really good executive, you gotta be able to master both. And I learned several lessons during my military career that I cherish.
The first one is asking for help is a sign of wisdom, not of weakness. So that’s a lesson that a lot of executives perhaps have not managed to learn yet. But I sure did.
And I also learned the importance of asking the right questions. When you go in as a general officer or a colonel or, it could even be a chief master sergeant with stripes that start at the top of their shoulder and go all the way down to their elbow.
When you go in, you talk to some of the youngsters if you ask a question, they’re inclined to give you a yes/no answer as opposed to giving you the full story. And sometimes the full story is a little bit too much, so you gotta get to the heart of the issue. But ultimately, as a Senior Officer in the process, the decades that take you to become a General Officer sometimes you just have to ask the right questions.
And there’s an adage about asking five questions till you get to the right answer. So I came to the conclusion that those folks who could quickly ask the right question to get to the heart of the issue were the ones who weren’t gonna waste my time or yours, but they would be well enough informed to make informed decisions – the right decisions – in an effective and efficient way.
That’s where I came from with that.
Sean: Great thanks, Greg. I think we’re nearing the end of the time that we had with you. So let me ask back on cyber resilience. If you had a magic wand, you could wave one thing and you could get organizations to change and one direction or another with it. What would that one thing be?
Maybe it’s two things, I don’t know, but we’re giving you the magic wand. What does cyber resilience look like and how do you help organizations and executives and boards get there?
[00:44:00] Greg: I don’t think there’s one magic thing because every company is different. Every organization is unique in their own special way.If I did have that, that magic wand and the reign of terror started, I would do a couple of things. First of all I would use that magic wand to work with the software developers, the folks who developed the different tools and products that have really accelerated the economy and given us fantastic capabilities to do a much better job in making sure that their products are secure by design and secure by default.
We continue to be plagued by products that come out of the development process and try to get into the market to beat their competitors, but they have some fundamental flaws and weaknesses. And I’ve got a lot of patch fatigue, as do a lot of my colleagues. I think the community has become numb to the patch experience.
So the first magic wand ding goes towards the software development community to follow the best practices of DevSecOps that my colleagues here at the Software Engineering Institute created. Do a better job, make secure, bake security in from the start. Don’t make it a Frankenstein, bolt on at the end.
So that’s the first magic wand ding.
The second magic wand is I would change how we do the National Cyber Academic Excellence program here in the United States. Right now, with that program, you can become a National Cyber Center of Excellence if you’re a computer science program, if you show that you’ve got a really strong computer science program or computer engineering program and your back office stuff is managed from a cybersecurity standpoint. I don’t think it’s strong enough for today’s environment.
I don’t, I don’t want to stop on the cybersecurity conversation with the folks that are coming out of computer science and computer engineering courses. First of all, I’d make cybersecurity a core course for every student. I want my folks that are coming out of the College of Education that are gonna be our teachers – I want them cyber aware. And cyber smart. I don’t necessarily need them to make, I don’t need to make them technical cyber experts. I need them to be smart and aware of cyber and be able to pass it on to their students when they go to the podium and the rostam as the teachers.
I need the folks coming outta law school to be cyber smart and aware. I need folks out of all the engineering disciplines to be cyber smart and aware. I, I need the business school graduates to be cyber smart and aware. So I would use the second wand thing to change the national program as an incentive. If you are a university and you want to be a National Academic Cyber Center of Excellence, every student has to get a cybersecurity course.
That’s pretty radical in some circles, but I think that’s where I would use the wand as my second and because things should go in threes – for the third ding I would go to my partners in government and I would like to see the velocity of information sharing increase.
I, having served as a senior executive in Civilian Government at the Department level and then into the White House at the national level I’ve seen a lot of information that comes into the various sources of collection in the government and the intelligence community amongst others.
A lot of folks like to hold onto their information and they say, ‘oh sources and methods, we’ve gotta protect how we got this information.’
I don’t care how you got that information. I just want to know what’s the threat to the American public. And let’s get that out there as soon as possible.
And we don’t do as good a job as I think we can with the velocity and precision and how we articulate it with the ‘so what.’ Tell me what’s the issue, but also tell me why I should care. And I think there’s an opportunity for our government to increase the velocity and the precision of information sharing.
And when you do that, I think those other platforms such as our Critical Infrastructure Information Sharing and Analysis Centers, will trickle out to them. They’ll help pass the word and other mechanisms like professional associations, nonprofit, communities of interest, all of them will help share information up, down, and across that cyber neighborhood, watch in a much better manner.
Those are my three. Uses of the wand. The reign of terror would begin.
[00:49:00] Sean: That’s wonderful.Greg, thanks again for helping weave the complex fabric together on education, industry, nonprofits, and government. We’re all in it working together. And on that note, I just want to thank you again for your continued service to the nation and for the public good that you’re doing. It’s remarkable and we deeply appreciate it.
[00:54:29] Greg: My pleasure, Sean. And for our audience, once again, that is sei.cmu.edu. Looking forward to seeing you click on it.
