Wednesday, May 18 2022

Jeremy Seth Davis met with Brigadier General (ret.) Gregory J. Touhill, President of AppGate Federal Group and first Federal Chief Information Security Officer of the United States, at the RSA Conference to discuss resiliency, prioritization, and the difficulties of managing risk to zero.

This transcript has been edited slightly for clarity.

We’re honored to be joined here by Gregory J. Touhill. Let’s start with the Air Force. There’s a lot to talk about there. In terms of the issues that we look at in addressing the biggest cybersecurity challenges that we have right now, resiliency is the biggest issue.

Thanks, Jeremy. You know, frankly, I’m not an aviator by trade because I couldn’t pass the eye test when I was 18. But I still wanted to serve, and the Air Force gave me a great opportunity for 30 years, one month and three days to serve our country. And you’re absolutely right. You know, if you take a look at resiliency, regardless of what profession you’re in, cybersecurity is all about risk management; it’s not all about the technology. But I learned in the Air Force, you got to be able to take a punch and keep on going. You have to build in resiliency. You have to take a look at your risk and try to manage it, and many folks look at cybersecurity and try to manage to zero, and that’s not practical. Cybersecurity is a factor of people, process and technology. Ultimately, what you want to do is, based upon your risk profile, your risk acceptance level and, frankly, the value of your information, you want to manage that risk to acceptable levels. You have to build in resiliency so you can take that punch and keep on going, regardless of whether that punch is coming from a hacker, a nation-state actor group, criminal groups, or just plain careless, negligent or indifferent people within your own ranks.

You mentioned many professionals try to manage to zero, which, of course, is not a possibility. It’s not feasible, it’s not possible, and that brings us to one of the other biggest issues that risk managers face: prioritization. There are just so many things flying at you at all times. It’s immensely difficult to prioritize risk and manage risk with so many changes constantly occurring. Let’s talk about that and your experience in the Air Force, as well as your experience as the first CISO of the United States federal government and your experience at DHS, because prioritization of course is key in all of those areas. What would your approach be today, if you were leading those organizations today, with the complex threats that we face now?

I think it would be unchanged from where I was when I was still in the role as the federal chief information security officer. And one role that you didn’t mention, and perhaps you didn’t know, is I remain a professor of cyber risk management at Carnegie Mellon, and I’ve written a couple of books and texts about this. Ultimately, I would start with the information itself. At the core of what you’re trying to do as a cyber-professional is maintain the integrity, the availability, and frankly, the security of that information that you’re the custodian of. Most folks, sadly, don’t know the value of their information. They don’t know how much information they have, where it is, and under what conditions it’s stored. Frankly, on top of that, most folks don’t understand what their high value assets are. So as you’re putting together a strategy, I think the first thing you have to do is understand your information itself. I don’t want to spend $10 protecting a penny’s worth of information, nor do I want to spend $10 protecting $100 million of information; I want to have proportionate defense. So the first step is understanding your information and then aligning your defenses based upon the value of that information. From a strategy standpoint, that’s where I find the best organizations, the most mature ones, are following that type of approach, and I recommend that to the audience.

You have spoken about the need for cybersecurity professionals to think like hackers, to think differently from the culture that they operate in and to think differently from the values that they may hold, which may have brought them to their current role. It’s a unique challenge. I’m sure it has been a unique challenge throughout your career. Many of those cybersecurity professionals who are most able to understand hacker culture and who are best equipped to think like a hacker find that it’s challenging for them to work in the roles that you’ve worked in, in government and in defense, and much of our audience now works in the financial sector, which faces similar challenges. I would love to hear some of your thoughts on how professionals who work in those three sectors can be most successful at thinking like a hacker and understanding the culture, and yet also navigating the complex dynamics in the institutions in which they work.

That’s a great question. And frankly, when I was in the Air Force, and then later as Deputy Assistant Secretary of DHS and director of the NCCIC, the National Cybersecurity and Communications Integration Center, I was very active with my own teams to try to think like a hacker. When I was at U.S. Transportation Command, as well as at DHS, I helped promote and fund and resource teams that would do active pen testing, outside as well as inside vulnerability scans, and tried promoting efforts to think like a hacker and use tactics, techniques and procedures that were very commonly used by hacker communities. We would invest so that we would send people to conferences like Black Hat, and other engagements where the hacker community, the white hats and black hats, and all those get together. Often, particularly in government, folks try to stay away from that thinking: “Oh, well, you know, that’s criminal-like behavior.” And frankly, a lot of hacking definitely is criminal behavior. But if you don’t understand it, if you don’t understand their motivations or tactics, techniques and procedures, you are more likely to fall victim to them. And one of the things that I think every organization out there, and particularly the risk managers in our audience today, should remember is, “if it ain’t funded, it ain’t,” which is something that I learned in the military. So you actually have to plan strategically to fund and program and plan for activities to make sure that your workforce is properly trained and aligned and has the tools so that they, like a hacker, can go out there and test your defenses, so that you can find your weakness and deal with it before that really bad day happens and then you’re faced with the “oh my gosh” situation and doing cleanup on aisle six. Spending money now will invariably be a lot cheaper than doing the cleanup after the mess happens. Culture trumps everything, so it starts at the top.
Top leaders need to step forward and say it is a priority for us to think like a hacker and evaluate our risk based upon what we learned through the eyes of the hacker. We’re going to do pen testing, we’re going to do vulnerability scans, and we’re going to view them as key critical metrics from which we’re going to make decisions. I think that’s a good start for any organization out there.

You mentioned that really bad day, when that day is coming. Let’s talk about that for a moment. What are the threats that keep you up at night, that you’re most concerned with right now?

Well, you know, as I take a look at the whole landscape, I put them into six buckets. You’ve got vandals that are out there, and you know, vandals could be anybody who has a grudge and wants to go, like, spray paint on a website. They’re motivated by a cause or a theme. You have burglars, so the financially motivated; they’re trying to steal information and then take that information and use it for financial gain. You’ve got muggers. You know, Sony Pictures, I think, felt like they got mugged a couple of years ago. But we see that, you know, from cyber bullies in high schools all the way to nation-state actors who are doing mugging on the internet now. You also have saboteurs, who are very dangerous, where it could be an insider or an external actor that could do sabotage and deny you access to information, tamper with information and the like.

You got spies, and they could be external threats like nation-state actors, folks seeking intellectual property. Or it could be somebody on the inside who’s trying to leverage access to information for a cause. But 95% of all the threats that we responded to from US-CERT or the Industrial Control Systems CERT, and we continue to see this day in and day out, is from careless, negligent or indifferent people in our own ranks. People make mistakes, and these systems that we’ve put together are increasingly complex. I think that maybe one of the countermeasures to be more resilient is to keep things simple. Instead of adding additional layers and making it even more and more difficult to operate and manage, maybe we need to take a step back from time to time as we’re managing our risk and take a look at complexity as an issue that we need to address, because carelessness, negligence and indifference are by far, statistically speaking, the greatest risks that we suffer.

It’s a pleasure speaking with you today, General. Thank you so much for participating and joining us.
