Written by Greg Touhill on November 11, 2019

Advice from First US CISO Brig. Gen. (Ret.) Touhill: Modernizing IT

The first Federal Chief Information Security Officer of the United States gives advice for executives looking to modernize IT.


In the first part of my series, I offered advice on top security concerns for government and large companies. In this second part, I look at IT modernization and the security changes it requires. Using Touhill’s Taxonomy for Change, there are three main areas to focus on.

1. Age.

People, hardware, and software depreciate and become less effective with time. Consider the age of your systems, processes, software, and so on, and ask the following questions to determine whether you need to modernize them:

  • Is it beyond its useful life?
  • Is it more expensive to operate than modern solutions?
  • Is it less secure than modern solutions?
  • Are there better solutions to meet the mission function?

Attempting to modernize IT without modernizing your security will be problematic. You need to accept that modernization requires a cultural change throughout all the technologies, people, and processes you have built your business on.

2. Approach.

Do you have the right strategy to meet your mission? Traditional security models rely on a “Defend everything equally at the perimeter” approach, which crumbles and fails when confronted by modern threats. Today’s modern systems cannot be secured with outdated security models. A new strategy is needed to protect your information and it should be rooted in Zero Trust.

Zero Trust is the principle of never assuming trust, whether or not a user is privileged. First coined by Forrester and now widely accepted, a “Zero Trust approach never assumes trust; instead, it continuously assesses ‘trust’ using a risk-based analysis of all available information.” Great organizations that implement the Zero Trust strategy take an identity-centric approach to securing their information. In a hybrid world, where their information is on-premises, colocated, on mobile devices, and in multiple clouds, they implement tools that work everywhere their information resides. Otherwise, you will continue to drown in complexity and be inundated with manual tasks from legacy and siloed solutions. The Zero Trust model is positively transforming how we approach securing information in today’s hybrid infrastructure world.
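To make the contrast concrete, here is an added example (not code from the original post) that evaluates the same access request under a perimeter model and under a per-request, risk-based Zero Trust policy. The signals, weights, and thresholds are illustrative assumptions chosen for the demonstration, not a published standard.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """Signals available for one access request (illustrative set)."""
    user: str
    authenticated: bool      # identity verified for this session
    mfa: bool                # strong second factor presented
    device_managed: bool     # device enrolled and known
    device_patched: bool     # device posture meets baseline
    location_ok: bool        # request from an expected context
    source_ip: str
    resource_sensitivity: int  # 1 = low, 2 = medium, 3 = high

def perimeter_decision(req: Request) -> bool:
    # "Defend everything equally at the perimeter": anything that reaches
    # the internal range is trusted, regardless of who or what it is.
    return req.source_ip.startswith("10.")

def zero_trust_risk(req: Request) -> int:
    # Never assume trust: an unauthenticated request scores maximum risk.
    if not req.authenticated:
        return 100
    # Identity-centric risk score built from all available signals.
    risk = 0
    risk += 30 if not req.mfa else 0
    risk += 25 if not req.device_managed else 0
    risk += 15 if not req.device_patched else 0
    risk += 20 if not req.location_ok else 0
    return risk

def zero_trust_decision(req: Request) -> bool:
    # Threshold tightens as resource sensitivity rises; the decision is
    # re-evaluated on every request, not granted once at the edge.
    threshold = {1: 60, 2: 40, 3: 20}[req.resource_sensitivity]
    return zero_trust_risk(req) <= threshold

def compare(req: Request) -> tuple:
    """Return (perimeter_allows, zero_trust_allows) for one request."""
    return perimeter_decision(req), zero_trust_decision(req)

# Constructed sample requests for the comparison.
INSIDER_UNMANAGED = Request("alice", True, False, False, False, True, "10.1.2.3", 3)
REMOTE_MANAGED = Request("bob", True, True, True, True, True, "203.0.113.7", 3)
UNAUTHENTICATED = Request("?", False, False, False, False, False, "10.9.9.9", 1)

if __name__ == "__main__":
    for r in (INSIDER_UNMANAGED, REMOTE_MANAGED, UNAUTHENTICATED):
        print(r.user, compare(r))
```

The unmanaged insider on the internal range is allowed by the perimeter model but denied by the risk-based policy, while the remote user on a managed, MFA-protected device is denied by the perimeter and allowed by Zero Trust.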

3. Audit.

Many executives rely on third parties to support their operations. These third parties include contract personnel performing IT and security operations, cloud providers hosting your data, and system integrators. Unfortunately, not many executives check the work to ensure they get what they paid for. To make informed cyber risk decisions, you need to have the right data. Spend time ensuring you have the right data and can make informed decisions. Include penetration testing in your security audit regime, and regularly audit your operations to ensure they are delivering effective, efficient, and secure results.

In my final post offering advice to executives, I look at data center security trends.