Touhill will be responsible for setting policies, strategies and practices across federal agencies. According to a White House blog post announcing the news, the role of the first federal CISO will include conducting Cyberstat Reviews with federal agencies to ensure security plans are implemented properly and are effective.
The appointment of Touhill is part of President Obama’s $19 billion Cybersecurity National Action Plan announced in February. It also comes on the heels of a scathing oversight committee report released this week on the U.S. Office of Personnel Management breaches that exposed sensitive data belonging to more than 22 million people.
According to those familiar with Touhill, he is well respected for his experience and long tenure in the information technology field. For the past two years Touhill has worked for the Department of Homeland Security as the deputy assistant secretary for cybersecurity and communications in the Office of Cybersecurity and Communications. Prior to that he worked in academia and IT consulting, was CIO for C4 Systems, and served 21 years with the U.S. Air Force.
“It’s nice that the White House is acknowledging the importance of information security by putting the responsibility on top of one person. But whether Touhill can do anything other than provide general policy guidance is a big question,” said Ray Bjorklund, a former federal program manager and policy officer who is now a consultant with market research firm BirchGrove Consulting. “The Federal Government is made up of such a wide span of diverse agencies – each with their own funding. It’s hard for a central figure – be it CIO or CISO – to really control what the agencies are doing.”
According to a blog post by Tony Scott, U.S. Chief Information Officer, Touhill “will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies.”
The CISO will be part of the Office of Management and Budget reporting to Scott.
Jacob Olcott, a former congressional legal adviser on cybersecurity, said the role of CISO in the context of the Federal Government won’t be just setting policy and agendas, but also includes enforcing checks and balances. “One of the White House’s biggest challenges today is that it lacks the real-time, quantitative, data-driven metrics that are critical for accountability,” he said. “This job is not an operational job – that’s for the departments and agencies themselves. This is a job about measurement and accountability.”
The White House on Thursday also announced it filled the position of Acting Deputy CISO with Grant Schneider. Grant currently serves as the Director for Cybersecurity Policy on the National Security Council staff at the White House.
The White House has stepped up several initiatives around cybersecurity this year. Along with launching a National Cybersecurity Plan in February, in June President Obama signed a Cyber Incident Coordination policy directive that puts processes in place for how the government will respond to malicious or accidental threats to the nation’s public and private cyber infrastructure. In March, the White House made efforts to renegotiate the divisive U.S. implementation of the Wassenaar Arrangement rules as they relate to intrusion software.