In an age where digital technology permeates every facet of our lives, the importance of robust cyber resilience cannot be overstated. It’s a field where constant innovation and adaptation are paramount, and where experts like Greg Touhill are at the forefront of the battle to protect our digital realms.
I recently had the opportunity to engage on the issues and explore Greg’s insights and experiences at the Software Engineering Institute, where he is engaged in pioneering research and development designed to keep cyberspace safe and resilient. In our podcast and interview, we delve into a groundbreaking project he’s spearheading – the National Initiative for Cybersecurity Advancement – which promises to shape the future of cybersecurity.
Greg is a seasoned cybersecurity leader and has had a remarkable career dedicated to safeguarding the digital infrastructure of the United States. His journey to the Software Engineering Institute is replete with service in pivotal positions, including his appointment by President Barack Obama as the first Federal Chief Information Security Officer of the United States, the Deputy Assistant Secretary for Cybersecurity and Communications at the U.S. Department of Homeland Security, and Director of the National Cybersecurity and Communications Integration Center (NCCIC). Greg’s passion for defending the nation’s cybersecurity is evident in his dedication to advancing the field.
The Software Engineering Institute: A Crucible of Innovation
Currently, Greg directs the Carnegie Mellon University Software Engineering Institute’s CERT Division. The Software Engineering Institute is a federally funded research and development center chartered by the United States Department of Defense. This institution serves as a crucible of innovation, where some of the brightest minds in the field converge to tackle complex challenges.
One of the distinguishing features of the Software Engineering Institute is its commitment to a broad spectrum of research and development activities. In our interview, Greg highlights that their endeavors range from pure research, where they push the boundaries of what’s possible, to applied research that seeks practical solutions to real-world problems. It’s this comprehensive approach that makes the Institute a driving force in the field of cybersecurity.
The National Initiative for Cybersecurity Advancement: A Glimpse into the Future
At the heart of our discussion with Greg is the criticality of achieving resilience for organizations of all stripes – a concept that he and his team are laser-focused on through the National Initiative for Cybersecurity Advancement. This initiative represents a paradigm shift in how we approach cybersecurity. Instead of merely reacting to threats, it sets a visionary path to anticipate and mitigate them. Greg, echoing hockey legend Wayne Gretzky, emphasizes the importance of skating to where the puck will be, not where it currently is. This forward-looking approach is at the core of the National Initiative.
To make this vision a reality, Greg and his team have identified five critical elements – The Five Pillars of Cybersecurity Advancement – that constitute the bedrock of cybersecurity advancement:
- Visibility: Enhanced insight into data and transport mechanisms.
- Awareness: Widespread awareness beyond cybersecurity professionals.
- Usability: Simplification of complex systems to reduce vulnerabilities.
- Capability: Development of practical and meaningful cybersecurity tools.
- Flexibility: Adapting to various environments, architectures, and devices.
These five pillars, collectively addressing different facets of the cybersecurity ecosystem, are set to raise the bar significantly on cybersecurity, with benefit for all.
Proactive Measures and Community Building
Our interview with Greg reveals another critical pillar: community. We discussed in great detail how the cybersecurity community must continue to actively share knowledge and collaborate. Community also figures prominently in the forthcoming report, the “National Initiative for Cybersecurity Advancement: Shaping the Future of Cybersecurity Engineering”. While the report is intended for the Department of Defense, its relevance extends far beyond government circles. It’s a document designed to benefit the entire cyber ecosystem.
Greg also commends the efforts of organizations like the National Association of Corporate Directors and the FBI’s Internet Crime Coordination Center (IC3) in promoting cybersecurity awareness and information sharing. These initiatives play a pivotal role in making cybersecurity a priority not only within organizations but also at the executive and board levels.
The Complexity Conundrum
One of the key observations I made after attending this year’s RSA conference was the complexity that still plagues the cybersecurity industry. Despite the promises of “single pane of glass” solutions from many vendors, according to my conversations with senior leaders, the reality often falls short. We raised the issue with Greg and, in turn, he pointed to an essential question: How can cybersecurity vendors work together to improve the public-private partnership and simplify the cybersecurity landscape?
While there is broad acknowledgement that cybersecurity vendors genuinely strive to enhance security, which is also reflected in the survey results in our State of Cyber Resilience Report, they must balance this with shareholder and stakeholder interests as they strive to meet needs. However, the proliferation of proprietary solutions and, occasionally, the lack of adherence to best practices, such as open systems and open software, have contributed to the complexity.
A Call for Simplicity
Complexity, as Greg points out, has become the bane of security. In a world where cybersecurity threats continue to evolve, organizations cannot afford solutions that require months of training and specialized expertise to operate effectively. Our discussion reveals the importance of products that are “secure by design and secure by default.” This means that cybersecurity solutions should be easy to install, preconfigured for security, and not require extensive education or training. Complexity should not be a barrier to cybersecurity.
The Integration Challenge
In parallel, organizations are often burdened with a patchwork of cybersecurity tools that don’t seamlessly work together. Our interview with Greg surfaced that when evaluating new products, security leaders at all organizations should consider how these solutions will simplify their existing infrastructure and reduce costs. The ability to retire outdated tools and enhance the overall cyber fabric should be central to any cybersecurity investment.
The Legal Landscape
Shifting gears, our discussion turned to the rapidly changing regulatory space and legal aspects of cybersecurity. At Red Sift we have been paying close attention to the class-action lawsuits and regulatory fines that have become more prevalent in recent years and to the many changes in regulations that underpin the push to greater resilience. These legal actions are often a result of organizations failing to disclose cybersecurity issues promptly. Greg noted that the Securities and Exchange Commission (SEC) has been gradually increasing its focus on cybersecurity, requiring publicly traded companies to adhere to best practices and disclose cybersecurity risks.
A Cultural Shift
Greg’s insights touch upon a significant cultural shift that is necessary for organizations to embrace cybersecurity fully. It’s not just about implementing the right tools; it’s about fostering a culture of cybersecurity awareness and responsibility throughout the organization. The ability to ask the right questions and make informed decisions about cybersecurity is paramount. We should continue to stress that cybersecurity is not solely an IT issue but a fundamental business imperative, a vision shared by Greg.
The Path to Cyber Resilience
Our conversation also delves into the concept of cyber resilience and emphasizes that cyber resilience is not just a buzzword but a tangible goal. As Greg puts it, organizations should strive to be able to “take a cyber punch and keep on going.” This requires a proactive approach, continuous improvement, and a commitment to best practices.
The work being done by Greg Touhill and his team at the Software Engineering Institute is of paramount importance. The National Initiative for Cybersecurity Advancement is a testament to the vision of a safer digital world. As individuals, organizations, and communities, we must heed the call to elevate cybersecurity, share knowledge, and build a cyber neighborhood that is truly resilient against threats. It’s a journey that demands innovation and our collective commitment to secure our digital future.
To listen to the full Resilience Rising podcast with Greg Touhill, click the link below.
