Cyxtera Blog: Data Centers

Written by Gregory J. Touhill on November 07, 2019

Advice from First US CISO Brig. Gen. (Ret.) Touhill: Top Security Concerns

What are the top security concerns for government and large companies? Retired Brigadier General Gregory J. Touhill, first Federal Chief Information Security Officer of the United States, answers in part one of the series.


Government agencies and large companies are pushing a rock uphill attempting to secure the many workloads, networks and devices from ever-present threats. So when asked recently what the top security steps I advise government agencies and large companies to take, here’s my recommendation.

    1. Keep security simple for the user and the operator. If it is difficult in any way, the user will ignore it or go around it. And if it’s difficult for the operator, mistakes will be made; systems will be misconfigured, patches missed and vulnerabilities introduced. Make your primary objective to make security difficult for an attacker to breach, not difficult for users or operators.
    2. Treat information as an asset and employ proportionate defense. Not all information is equal; don't waste precious resources over-protecting some assets while under-protecting others.
    3. Avoid target fixation. Cybersecurity is not just about technology, it involves people, process, and technology. Unfortunately, IT teams become fixated on technology. And while technology plays a role, you need to ensure that you have the right people, with the right training, implementing the right processes with the right technology to achieve your mission.
    4. Remove outdated technology. Implement what I call Touhill’s law: the idea that 1 human year = 25 computer years. If you are running a system and software that are six years old you are operating the functional equivalent of flying a 150-year old airplane. It still may get the basic job done, yet it exposes you and your organization to increased risk. As an example, if you look at VPNs, they are a technology that introduces too much complexity and are hundreds of years old under Touhill’s law. VPN management chews up the majority of time in an IT department’s firewall team, drills a hole in the firewall and breaks your intrusion detection system. We need to get rid of VPNs and replace them with technology for the modern, hybrid world – a software defined perimeter. It addresses the simplification of cybersecurity.

    In my next post, I’ll discuss advice for executives looking to modernize their IT.