This month, we announced an exciting new addition to the Bay Dynamics Board of Directors – Ret. Brig. Gen. Gregory Touhill. You may recall reading the many headlines and commentary about Gen. Touhill. He was the United States’ first federal CISO, appointed by President Obama, and currently is president at Cyxtera Technologies, leading its new Cyxtera Federal Group. Gen. Touhill is the perfect fit for Bay Dynamics, not only because of his more than 30 years of experience in the U.S. Air Force, where he served as one of the military’s most senior information technology and cyber leaders, or his time as the federal CISO as well as holding senior-level information technology positions at more than a dozen private and public-sector organizations, but also because we have the same mindset. Gen. Touhill and our Bay Dynamics team believe cyber security is a risk management issue.
I spoke to Gen. Touhill to gather more information about this perspective and why he chose Bay Dynamics.
AR: Thank you for chatting with me, Greg. Through programs you have promoted such as Continuous Diagnostics and Mitigation, you have been a leader in pushing towards treating cyber security as a risk management issue. Why do you think this strategy is the right one for both the public and private sectors?
GT: First, it’s great to speak with you, Abby. I am excited about joining Bay Dynamics’ Board of Directors, especially since Bay Dynamics is leading the way in enabling organizations to quantify and better manage cyber risk. Organizations cannot be effective in protecting the assets that matter most if they cannot maintain the Confidentiality, Integrity and Availability of those assets. That requires a combination of people, processes and technologies, not solely technology. We are never going to reduce our risk level to zero; however, we can manage risk more effectively. If we continuously train our employees (those inside and outside the security team); make sure cyber security policies and processes are kept up to speed and exercised regularly; and use technologies that enable us to stay ahead of the curve and make informed decisions, we will reduce the risk of our most valuable assets being compromised.
AR: Can you give an example of where using this combination of people, processes and technologies would have made a difference?
GT: When I was at the Department of Homeland Security, specifically regarding the US Computer Emergency Readiness Team (US-CERT) and the Industrial Control System Cyber Emergency Response Team (ICS-CERT), almost every breach we responded to happened because a criminal exploited a vulnerability related to a misconfiguration. All those incidents could have been prevented if someone did a better job configuring the technologies (including keeping patches up-to-date). If that person was regularly trained to make sure technologies, when deployed, were configured properly and if security tools were in place to identify and fix misconfigurations before the criminals found the vulnerability, risk would be better managed.
AR: Let’s break down the elements individually. The training of people is straightforward. Can you further explain how updated processes would make a difference?
GT: Process needs to be inculcated into the workforce, continuously improved and exercised regularly. So many organizations do not do a good job exercising their processes. It’s the due diligence aspect. Organizations must make sure their people are doing the right thing, and that they are doing the right thing in the right way. They must know their assets, identify those that, if compromised, would cause the most damage to the business, know who accesses those assets, and set policies for those people to make sure the good stuff stays in, the bad guys stay out, or an insider cannot move the good stuff out.
AR: Can you give an example that shows why keeping current on all technologies, not just cyber security technologies, is a must?
GT: In the case of the WannaCry ransomware, for example, Microsoft had repeatedly publicized for several years that they were no longer patching Windows 95. Yet, organizations continued using the outdated operating system, which was vulnerable to the ransomware. If organizations had retired Windows 95 and switched to a current operating system like a properly patched and configured Windows 10, they would have minimized their risk of falling victim to WannaCry.
AR: Let’s switch gears a bit. Bay Dynamics is the second board you now sit on, and I assume you have had other board or consultant opportunities. Why Bay Dynamics?
GT: I wrote a book, Cybersecurity for Executives: A Practical Guide, which was published in 2013. One of the readers of that book was Bay Dynamics’ co-founder and CEO Feris Rifai. Feris and his team approached me and presented a demo of their Risk Fabric analytics platform. I was impressed by how well the platform helps organizations, in a visually digestible way, understand their cyber risk posture at any point in time, and enables them to make decisions at all levels – whether it’s the board making investment decisions or the security team making mitigation decisions – based on the quantifiable impact to the organization. Risk Fabric is an important platform in helping boards, security and non-security executives, line-of-business application owners and others in the business identify and better manage cyber risk as part of an overall risk management construct.
AR: How do you foresee your role as a board member at Bay Dynamics fitting with your role at Cyxtera?
GT: Serving as the president of Cyxtera’s federal group is a great opportunity. We have a great business of world-class data center co-location services, innovative software-defined perimeter capabilities, and unparalleled analytics that help departments and agencies in the federal government as well as the private sector better manage their cyber risk. Risk Fabric complements what I am doing at Cyxtera in that it helps decision makers identify and quantify cyber risk, using a unique methodology that no other company in the marketplace applies. I think my role at Bay Dynamics is a good fit with my role at Cyxtera. Having my feet on the ground with Cyxtera but also assisting Bay Dynamics helps me be a better officer at Cyxtera and a better board member at Bay Dynamics.
AR: Do you think companies in general should have at least one board director who is a cyber expert? The Cybersecurity Disclosure Act of 2017 was introduced back in March, which mandates public companies disclose the level of cyber expertise on their boards. That’s a step towards getting more cyber expertise on the board.
GT: There is value for large companies in having cyber expertise on the board, especially for companies that are engaged in critical infrastructure activity. However, for small to medium-sized companies, it may not be a good fit. Regardless, having someone who is cyber security smart, whether it’s a director or a consultant advising the board, is a must. If you don’t have room on your board for that skillset, you should have access to that skillset and regularly consult with that person. Boards need to make informed risk decisions, and in today’s Internet-enabled world, not having access to the experience and skillset of a cyber professional could sink a company.