Shaping the future – National Initiative for Cybersecurity Advancement

In an age where digital technology permeates every facet of our lives, the importance of robust cyber resilience cannot be overstated. It’s a field where constant innovation and adaptation are paramount, and where experts like Greg Touhill are at the forefront of the battle to protect our digital realms. 

I recently had the opportunity to engage on the issues and explore Greg’s insights and experiences at the Software Engineering Institute, where he is engaged in pioneering research and development designed to keep cyberspace safe and resilient. In our podcast and interview, we delve into a groundbreaking project he’s spearheading – the National Initiative for Cybersecurity Advancement – which promises to shape the future of cybersecurity.

Greg is a seasoned cybersecurity leader and has had a remarkable career dedicated to safeguarding the digital infrastructure of the United States. His journey to the Software Engineering Institute is replete with service in pivotal positions, including his appointment by President Barack Obama as the first Federal Chief Information Security Officer of the United States, the Deputy Assistant Secretary for Cybersecurity and Communications at the U.S. Department of Homeland Security, and Director of the National Cybersecurity and Communications Integration Center (NCCIC). Greg’s passion for defending the nation’s cybersecurity is evident in his dedication to advancing the field.

The Software Engineering Institute: A Crucible of Innovation

Currently, Greg directs the Carnegie Mellon University Software Engineering Institute’s CERT Division. The Software Engineering Institute is a federally funded research and development center chartered by the United States Department of Defense. This institution serves as a crucible of innovation, where some of the brightest minds in the field converge to tackle complex challenges.

One of the distinguishing features of the Software Engineering Institute is its commitment to a broad spectrum of research and development activities. In our interview, Greg highlights that their endeavors range from pure research, where they push the boundaries of what’s possible, to applied research that seeks practical solutions to real-world problems. It’s this comprehensive approach that makes the Institute a driving force in the field of cybersecurity.

The National Initiative for Cybersecurity Advancement: A Glimpse into the Future

At the heart of our discussion with Greg is the criticality of achieving resilience for organizations of all stripes – a concept that he and his team are laser-focused on through the National Initiative for Cybersecurity Advancement. This initiative represents a paradigm shift in how we approach cybersecurity. Instead of merely reacting to threats, it sets a visionary path to anticipate and mitigate them. Greg, echoing hockey legend Wayne Gretzky, emphasizes the importance of skating to where the puck will be, not where it currently is. This forward-looking approach is at the core of the National Initiative.

To make this vision a reality, Greg and his team have identified five critical elements – which they call The Five Pillars of Cybersecurity Advancement – that constitute the bedrock of the initiative:

  1. Visibility: Enhanced insight into data and transport mechanisms.
  2. Awareness: Widespread awareness beyond cybersecurity professionals.
  3. Usability: Simplification of complex systems to reduce vulnerabilities.
  4. Capability: Development of practical and meaningful cybersecurity tools.
  5. Flexibility: Adapting to various environments, architectures, and devices.

These five pillars, collectively addressing different facets of the cybersecurity ecosystem, are set to raise the bar significantly on cybersecurity, with benefit for all.

Proactive Measures and Community Building

Our interview with Greg reveals another critical pillar: community. We discussed in great detail how the cybersecurity community must continue to actively share knowledge and collaborate. Community also figures prominently in the forthcoming report, the “National Initiative for Cybersecurity Advancement: Shaping the Future of Cybersecurity Engineering”. While the report is intended for the Department of Defense, its relevance extends far beyond government circles. It’s a document designed to benefit the entire cyber ecosystem.

Greg also commends the efforts of organizations like the National Association of Corporate Directors and the FBI’s Internet Crime Coordination Center (IC3) in promoting cybersecurity awareness and information sharing. These initiatives play a pivotal role in making cybersecurity a priority not only within organizations but also at the executive and board levels.

The Complexity Conundrum

One of the key observations I made after attending this year’s RSA conference was the complexity that still plagues the cybersecurity industry. Despite the promises of “single pane of glass” solutions from many vendors, according to my conversations with senior leaders, the reality often falls short. We raised the issue with Greg and, in turn, he pointed to an essential question: How can cybersecurity vendors work together to improve the public-private partnership and simplify the cybersecurity landscape?

While there is broad acknowledgement that cybersecurity vendors genuinely strive to enhance security (a view also reflected in the survey results in our State of Cyber Resilience Report), they must balance that goal against shareholder and stakeholder interests as they work to meet customer needs. At the same time, the proliferation of proprietary solutions and, occasionally, a lack of adherence to best practices such as open systems and open software have contributed to the complexity.

A Call for Simplicity

Complexity, as Greg points out, has become the bane of security. In a world where cybersecurity threats continue to evolve, organizations cannot afford solutions that require months of training and specialized expertise to operate effectively. Our discussion reveals the importance of products that are “secure by design and secure by default.” This means that cybersecurity solutions should be easy to install, preconfigured for security, and not require extensive education or training. Complexity should not be a barrier to cybersecurity.

The Integration Challenge

In parallel, organizations are often burdened with a patchwork of cybersecurity tools that don’t seamlessly work together. Our interview with Greg surfaced that when evaluating new products, security leaders at all organizations should consider how these solutions will simplify their existing infrastructure and reduce costs. The ability to retire outdated tools and enhance the overall cyber fabric should be central to any cybersecurity investment.

The Legal Landscape

Shifting gears, our discussion turned to the rapidly changing regulatory space and legal aspects of cybersecurity. At Red Sift we have been paying close attention to the class-action lawsuits and regulatory fines that have become more prevalent in recent years and to the many changes in regulations that underpin the push to greater resilience. These legal actions are often a result of organizations failing to disclose cybersecurity issues promptly. Greg noted that the Securities and Exchange Commission (SEC) has been gradually increasing its focus on cybersecurity, requiring publicly traded companies to adhere to best practices and disclose cybersecurity risks.

A Cultural Shift

Greg’s insights touch upon a significant cultural shift that is necessary for organizations to embrace cybersecurity fully. It’s not just about implementing the right tools; it’s about fostering a culture of cybersecurity awareness and responsibility throughout the organization. The ability to ask the right questions and make informed decisions about cybersecurity is paramount. We should continue to stress that cybersecurity is not solely an IT issue but a fundamental business imperative, a vision shared by Greg.

The Path to Cyber Resilience

Our conversation also delves into the concept of cyber resilience and emphasizes that cyber resilience is not just a buzzword but a tangible goal. As Greg puts it, organizations should strive to be able to “take a cyber punch and keep on going.” This requires a proactive approach, continuous improvement, and a commitment to best practices.

The work being done by Greg Touhill and his team at the Software Engineering Institute is of paramount importance. The National Initiative for Cybersecurity Advancement is a testament to the vision of a safer digital world. As individuals, organizations, and communities, we must heed the call to elevate cybersecurity, share knowledge, and build a cyber neighborhood that is truly resilient against threats. It’s a journey that demands innovation and our collective commitment to secure our digital future.

To listen to the full Resilience Rising podcast with Greg Touhill, click the link below.

PUBLISHED BY

Sean Costigan

5 Dec. 2023
