Shaping the future – National Initiative for Cybersecurity Advancement

In an age where digital technology permeates every facet of our lives, the importance of robust cyber resilience cannot be overstated. It’s a field where constant innovation and adaptation are paramount, and where experts like Greg Touhill are at the forefront of the battle to protect our digital realms. 

I recently had the opportunity to explore Greg’s insights and experiences at the Software Engineering Institute, where he leads research and development designed to keep cyberspace safe and resilient. In our podcast and interview, we delve into a groundbreaking project he’s spearheading, the National Initiative for Cybersecurity Advancement, which promises to shape the future of cybersecurity.

Greg is a seasoned cybersecurity leader with a remarkable career dedicated to safeguarding the digital infrastructure of the United States. Before joining the Software Engineering Institute he served in pivotal positions, including as the first Federal Chief Information Security Officer of the United States, appointed by President Barack Obama; as Deputy Assistant Secretary for Cybersecurity and Communications at the U.S. Department of Homeland Security; and as Director of the National Cybersecurity and Communications Integration Center (NCCIC). His passion for defending the nation in cyberspace is evident in his dedication to advancing the field.

The Software Engineering Institute: A Crucible of Innovation

Currently, Greg directs the Carnegie Mellon University Software Engineering Institute’s CERT Division. The Software Engineering Institute is a federally funded research and development center chartered by the United States Department of Defense. This institution serves as a crucible of innovation, where some of the brightest minds in the field converge to tackle complex challenges.

One of the distinguishing features of the Software Engineering Institute is its commitment to a broad spectrum of research and development activities. In our interview, Greg highlights that their endeavors range from pure research, where they push the boundaries of what’s possible, to applied research that seeks practical solutions to real-world problems. It’s this comprehensive approach that makes the Institute a driving force in the field of cybersecurity.

The National Initiative for Cybersecurity Advancement: A Glimpse into the Future

At the heart of our discussion with Greg is the importance of achieving resilience for organizations of all stripes, a goal that he and his team pursue through the National Initiative for Cybersecurity Advancement. The initiative represents a shift in how we approach cybersecurity: instead of merely reacting to threats, it sets out to anticipate and mitigate them. Greg, echoing hockey legend Wayne Gretzky, stresses the importance of skating to where the puck will be, not where it currently is. This forward-looking approach is at the core of the National Initiative.

To make this vision a reality, Greg and his team have identified five critical elements, the Five Pillars of Cybersecurity Advancement, that form its foundation:

  1. Visibility: Enhanced insight into data and transport mechanisms.
  2. Awareness: Widespread awareness beyond cybersecurity professionals.
  3. Usability: Simplification of complex systems to reduce vulnerabilities.
  4. Capability: Development of practical and meaningful cybersecurity tools.
  5. Flexibility: Adapting to various environments, architectures, and devices.

Together, the five pillars address different facets of the cybersecurity ecosystem and are intended to raise the bar on cybersecurity significantly, to everyone’s benefit.

Proactive Measures and Community Building

Our interview with Greg reveals another critical pillar: community. We discussed at length how the cybersecurity community must continue to share knowledge and collaborate. Community also figures prominently in the forthcoming report, “National Initiative for Cybersecurity Advancement: Shaping the Future of Cybersecurity Engineering”. While the report is written for the Department of Defense, its relevance extends far beyond government; it is designed to benefit the entire cyber ecosystem.

Greg also commends the efforts of organizations like the National Association of Corporate Directors and the FBI’s Internet Crime Complaint Center (IC3) in promoting cybersecurity awareness and information sharing. These initiatives play a pivotal role in making cybersecurity a priority not only within organizations but also at the executive and board levels.

The Complexity Conundrum

One of my key observations from this year’s RSA Conference was the complexity that still plagues the cybersecurity industry. Despite the “single pane of glass” promised by many vendors, the senior leaders I spoke with report that the reality often falls short. We raised the issue with Greg, who in turn posed an essential question: how can cybersecurity vendors work together to improve the public-private partnership and simplify the cybersecurity landscape?

There is broad acknowledgement that cybersecurity vendors genuinely strive to enhance security, a view also reflected in the survey results in our State of Cyber Resilience Report, but vendors must balance that aim against shareholder and stakeholder interests. The proliferation of proprietary solutions and, occasionally, a lack of adherence to best practices such as open systems and open software have contributed to the complexity.

A Call for Simplicity

Complexity, as Greg points out, has become the bane of security. In a world where threats continue to evolve, organizations cannot afford solutions that require months of training and specialized expertise to operate effectively. Our discussion underscores the importance of products that are “secure by design and secure by default”: security engineered into the product from the start rather than bolted on afterwards, and a shipped configuration that is already secure. In practice, that means cybersecurity solutions should be easy to install, protect out of the box without extensive tuning, and not demand extensive education or training. Complexity should not be a barrier to cybersecurity.

The Integration Challenge

In parallel, organizations are often burdened with a patchwork of cybersecurity tools that do not work together. Greg’s advice is that when evaluating a new product, security leaders at any organization should ask how it will simplify their existing infrastructure and reduce cost. The ability to retire outdated tools and strengthen the overall cyber fabric should be central to any cybersecurity investment.

The Legal Landscape

Shifting gears, our discussion turned to the rapidly changing regulatory and legal landscape of cybersecurity. At Red Sift we have been paying close attention to the class-action lawsuits and regulatory fines that have become more prevalent in recent years, and to the many regulatory changes that underpin the push for greater resilience. These legal actions often stem from organizations failing to disclose cybersecurity incidents promptly. Greg noted that the Securities and Exchange Commission (SEC) has been gradually increasing its focus on cybersecurity, requiring publicly traded companies to adhere to best practices and disclose cybersecurity risks.

A Cultural Shift

Greg’s insights touch upon a significant cultural shift that is necessary for organizations to embrace cybersecurity fully. It’s not just about implementing the right tools; it’s about fostering a culture of cybersecurity awareness and responsibility throughout the organization. The ability to ask the right questions and make informed decisions about cybersecurity is paramount. We should continue to stress that cybersecurity is not solely an IT issue but a fundamental business imperative, a vision shared by Greg.

The Path to Cyber Resilience

Our conversation also turns to cyber resilience, which Greg stresses is not a buzzword but a tangible goal: organizations should be able to “take a cyber punch and keep on going.” Achieving that requires a proactive approach, continuous improvement, and a commitment to best practices.

The work being done by Greg Touhill and his team at the Software Engineering Institute is of paramount importance. The National Initiative for Cybersecurity Advancement is a testament to the vision of a safer digital world. As individuals, organizations, and communities, we must heed the call to elevate cybersecurity, share knowledge, and build a cyber neighborhood that is truly resilient against threats. It’s a journey that demands innovation and our collective commitment to secure our digital future.

To listen to the full Resilience Rising podcast with Greg Touhill, click the link below.

Published by Sean Costigan, 5 Dec. 2023
