In an information technology environment where personnel are taking on increasingly complex responsibilities, the key to ensuring security is still awareness training, says former U.S. CISO Gregory Touhill.
"A congressman asked me when I took my post as the first federal CISO: 'If I gave you an extra dollar, how would you spend it on cybersecurity?' And I told him I would spend it on better training my people. I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk," Touhill says in an interview with Information Security Media Group.
Training at All Levels
Touhill calls for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies.
"Board and C-suite officers are increasingly large targets for whale phishing," Touhill says. "Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce."
In this interview, Touhill discusses:
- The effectiveness of techniques such as gamification;
- Why he believes sporadic training fails;
- His recommendations for improving training in 2018.
Touhill is president of the Cyxtera Federal Group at Cyxtera Technologies and teaches cybersecurity and risk management for the CISO certification program at Carnegie Mellon University's Heinz College. President Barack Obama in 2016 tapped Touhill to be the first U.S. CISO, a post he held until the end of the Obama administration. Previously, he served as deputy assistant secretary for cybersecurity and communications and director of the National Cybersecurity and Communications Integration Center. Touhill is a retired Air Force brigadier general.