• Jeremy Seth Davis

Gregory Touhill: "Take a punch and keep on going"

Jeremy Seth Davis met with Brigadier General (ret.) Gregory J. Touhill, President of AppGate Federal Group and first Federal Chief Information Security Officer of the United States, at the RSA Conference to discuss resiliency, prioritization, and the difficulties of managing risk to zero.


This transcript has been edited slightly for clarity.


We're honored to be joined here by Gregory J. Touhill. Let's start with the Air Force. There's a lot to talk about there. In terms of the issues that we look at, in addressing the biggest cybersecurity challenges that we have right now, resiliency is the biggest issue.


Thanks, Jeremy, you know, frankly, I'm not an aviator by trade because I couldn't pass the eye test when I was 18. But I still wanted to serve in the Air Force gave me a great opportunity for 30 years, one month in three days to serve our country and you're absolutely right, you know, if you take a look at resiliency, regardless of what profession you're in, and cyber security is all about risk management, it's not all about the technology. But I learned in the Air Force, you got to be able to take a punch and keep on going you have to build in resiliency, you have to take a look at your risk and try to manage it and many folks look at cybersecurity and try to manage to zero and that's not practical. Cybersecurity is a factor of people process and technology. Ultimately, what you want to do is based upon your risk profile, your risk acceptance level and frankly, the value of your information, you want to manage that risk to acceptable levels. You have to build in resiliency so you can take that punch and keep on going. Regardless if that punch is coming from a hacker, a nation state actor group criminal groups or just plain careless, negligent or indifferent people within your own ranks.


You mentioned many professionals try to manage to zero which is, of course is not a possibility. It's not feasible, it's not possible and that brings us to one of the other biggest issues that risk managers face is prioritization there are just so many things flying at you at all times. It's immensely difficult to prioritize risk and manage risk with so many changes constantly occurring. Let's talk about that your experience in the Air Force, and then also as well as your experience as the first CISO of the United States federal government, as well as your experience at DHS, because prioritization of courses is key in all of those areas. What would your approach be today, if you were leaving those organizations today, with the complex threats that we face now?


I think it would be unchanged from where I was when I was still in the role as the federal chief information security officer and one role that you didn't mention, and perhaps you didn't know is, I remain a professor of cyber risk management at Carnegie Mellon and, and I've written a couple of books and texts about this and ultimately, I would start with the information itself, at the core of what you're trying to do as a cyber-professional, is maintain the integrity, the availability, and frankly, the security of that information that you're the custodian of most folks sadly, don't know the value of their information. They don't know how much information they have, where it is, and under what conditions it's stored. Frankly, on top of that, most folks don't understand what their high value assets are. So as you're putting together a strategy, I think the first thing you have to do is understand your information itself. I don't want to spend $10, protecting a penny's worth of information, and that I spent $10 protecting $100 million of information, I want to have proportionate defense. So the first step is understanding your information and then aligning your defenses based upon the value of that information. From a strategy standpoint, that's where I find the best organizations, the most mature ones are following that type of approach and I recommend that to the audience.


You have spoken about the need for cybersecurity professionals to think like hackers to think differently from the culture that they operate in and to think differently from the values that they may hold them may have brought them to their current role. It's a unique challenge. I'm sure it has been a unique challenge in your throughout your career. Many of those cybersecurity professionals who are most able to understand hacker culture and who are best equipped to think like a hacker, find that it's challenging for them to work both in the roles that you've worked in government and in defense and much of our audience now works in the financial sector, which faces similar challenges. I would love to hear some of your thoughts on how professionals who work in those three sectors can be most successful at thinking like a hacker and yet, and understanding the culture and yet also navigating the complex dynamics in the institutions in which they work?


That's a great question and frankly, when I was in the Air Force, and then later as Deputy Assistant Secretary of DHS and director of the NCCIC, the National Cybersecurity and Communications Integration Center, I was very active with my own teams to try to think like a hacker and when I was at us transportation command, as well as at DHS, I helped promote and fund and resource teams that would do active pen testing, outside as well as inside vulnerability scans and tried promoting efforts to think like a hacker and use tactics, techniques and procedures that were very commonly used by hacker communities, we would invest so that we would send people to conferences like black hat, and other engagements where the hacker community, the white hats and black hats, and all those get together, often, particularly in government, folks try to stay away from that thinking, Oh, well, you know, that's criminal like behavior and frankly, a lot of hacking definitely is criminal behavior. But if you don't understand it, if you don't understand their motivations or tactics, techniques and procedures, you are more likely to fall victim to them and one of the things that I think every organization out there, and particularly the risk managers, in our audience today is, if it ain't funded, it ain't is something that I learned in the military. So you actually have to plan strategically to fund and program and plan for activities to make sure that your workforce is properly trained and aligned and has the tools so that they like a hacker can go out there and test your defenses, so that you can find your weakness and deal with it before that really bad day happens and then you're faced with the oh my gosh, situation and doing cleanup on aisle six. Spending money now will invariably be a lot cheaper than doing the cleanup after the mess happens. Culture, trumps everything, so starts at the top. Top leaders need to step forward and say it is a priority for us to think like a hacker evaluates our risk based upon what we learned through the eyes of the hacker. We're going to do pen testing, we're going to do vulnerability scans, and we're going to view them as key critical metrics from which we're going to make decisions. I think that's a good start for any organization out there.


You mentioned that really bad day when that day is coming. Let's talk about that for a moment. What are the threats that keep you up at night that you're most concerned with right now?


Well, you know, as I take a look at the whole landscape, I I put them into six buckets. You've got vandals that are out there, and you know, vandals could be anybody who has a grudge and wants to go like spray paint on a website. They're motivated by a cause or a theme. You have burglar so the financially motivated, they're trying to steal information and then take that information and use it for financial gain. You've got muggers, you know, Sony Pictures, I think felt like they got mugged a couple of years ago. But we see that you know from cyber bullies in high schools, you know, all the way to nation state actors who are doing mugging on the internet now. You also have saboteurs are very dangerous, where it could be an insider or an external actor that could do sabotage and deny you access to information tamper with information in the light.


You got spies and they could be external threats like nation state actors folks seeking intellectual property. Or it could be somebody on the inside who's trying to leverage access to information for a cause. But 95% of all the threats that we responded to from our US cert or the industrial control system cert, and we continue to see this day in and day out is from careless negligent or indifferent people in our own ranks. People make mistakes and these systems that we've put together are increasingly complex. I think that maybe one of the countermeasures to be more resilient is to keep things simple. Instead of adding additional layers and making it even more and more difficult to operate and manage, maybe we need to take a step back from time to time as we're managing our risk and take a look at complexity is an issue that we need to address, because carelessness negligence and indifference is by far, statistically speaking, the greatest risks that we suffer.


It's a pleasure speaking with you today, General. Thank you so much for participating and joining us.