First US Federal CISO Shares Security Lessons Learned

Published: 22/11/2024   Category: security




Greg Touhill's advice for security leaders includes knowing the value of information, hardening their workforce, and prioritizing security by design.



INSECURITY CONFERENCE - Washington, DC - Greg Touhill encouraged his audience of security leaders, whom he dubbed the "cyber neighborhood watch," to swap war stories and lessons learned during his keynote at Dark Reading's inaugural INSecurity conference, held this week in Washington, DC.
As the first CISO of the US federal government, and with an extensive background in government cybersecurity and the military, Touhill has several stories of his own. Drawing from years of experience, the Cyxtera president shared his own lessons learned to kick off an event created to bring cyber defenders together so they can discuss problems and challenges.
One of the biggest problems is explaining to the business how cybersecurity is a risk management issue. Most security pros struggle to communicate with business leaders, who "speak a different language than we do," he explained.
"I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff," said Touhill as an example. The enterprise instinct to buy new protective tools often distracts them from the core problem of managing risk.
One of Touhill's lessons was to avoid chasing fads. "Sometimes new doesn't mean improved," he noted. Security leaders need to keep tech current, not buy every new tool. They should do their homework and base their product decisions on both risk potential and business value.
Knowing the value of corporate information is a key part of evaluating and managing risk. Business leaders know their data exists but can't explain what it means or how much it's worth. It's tough to know where to prioritize security if you don't know which data is most valuable.
"Information is one of the most valuable assets any business, any operation has," Touhill emphasized. "Look at your infrastructure, look at how you architect. Know the value of your information and don't try to defend everything. Defend what you need to defend."
Security leaders must also prioritize security by design, he continued, using the transition to the cloud as an example. "A lot of folks jumped into the cloud without knowing about the tall, craggy mountains on the other side of that cloud," he pointed out.
Touhill's lessons extended to security employees. "Humans fail all the time," he said, but you can bring down the risk of catastrophic events by training people and making sure they're appropriately resourced. Hardening the workforce is critically important.
"People are your weakest link but also your greatest assets," Touhill continued. It's up to security leaders to make the business case for additional training, which is necessary but expensive. The need for education will never go away. Team members, and colleagues across the enterprise, should be taught to think like a hacker and be very suspicious.
The sentiment extended to another lesson: have a zero-trust model. Most security pros haven't taken a full inventory of all the trust relationships they have, he argued, encouraging the audience to look at where their trust lies and be skeptical. Knowing and remembering the value of information will be critical as a new wave of professionals enters the workforce.
"We're raising a generation of folks who are freely surrendering their privacy - your privacy - by giving up information and not recognizing the value of it," Touhill said.
Other lessons touched on security fundamentals. He urged the audience to identify where they aren't mastering basics or being consistent. "How many times has someone gotten breached and left the backdoor open?" he asked, relating his advice back to thinking like a hacker.
"Attackers will go for the underbelly," Touhill continued. "They will check every door and window to make sure they are locked. And if they're not, they will take advantage of it."
Ultimately, along with protective measures and strategies, leaders must also be prepared for "a really bad day," he concluded. Security teams identify risk and threats, protect against them, and often build response plans but rarely exercise them to practice for a real incident. Those who need to practice the most often don't.
In the best organizations, everyone participates in cyber exercises and drills - even the boards and the CISOs. "A bad day is going to come for each and every one of us," Touhill emphasized.