Driving change in government is notoriously hard — but not impossible. GovernmentCIO Media sat down with those who made things happen to hear their stories on how they successfully drove change and transformation in a bureaucracy. One important takeaway: You don’t have to be in the C-suite to make change happen; in fact, sometimes a senior position will be more of a straitjacket, stifling movement in the right direction.
After a long military career, Greg Touhill found himself on the civilian side of government, taking on a role as the first U.S. chief information security officer in September 2016. He had been approached by Tony Scott, the federal chief information officer, and Michael Daniel, Barack Obama’s cybersecurity adviser, who knew Touhill from his previous roles as deputy assistant secretary and director of the National Cybersecurity and Communications Integration Center at the Homeland Security Department.
“Do the right things at all times, even when nobody's looking.”
After a series of interviews in the White House, Touhill was appointed to the position and charged with driving cybersecurity policy, planning and implementation governmentwide, a much-needed effort in the wake of the high-profile breaches the federal government had suffered in the preceding years.
The retired Air Force brigadier general was no stranger to change; he had had 23 different assignments in 30 years of service and was used to moving quickly. In the civilian government world, however, certain legislative obstacles slowed things down.
“I thought that some of the architectural constructs that we have are archaic and I still do,” Touhill says. “I think that the current architecture for the federal civilian government is based on the 1980s org chart, and it is time to leapfrog the federal IT architecture into the 21st century.”
As a young lieutenant, Touhill had met Navy Rear Adm. Grace Hopper, the legendary computer science pioneer, who said something that stuck with him: “As you go forward in your career, it is better to seek forgiveness than permission.”
“I kind of took that to heart,” Touhill says.
He says he was lucky to be paired with Scott, who trusted Touhill with making improvements without having to constantly ask for permission. Touhill knew what he wanted to focus on. He saw a leadership gap within the CISO community and thought a council convening security officers throughout government could help share best practices, identify better ways of governance and synchronize everyone’s actions.
He approached the federal CIO Council. He laid out why he wanted not only its endorsement but also seed money to administer a new CISO council.
“Frankly, some of the CIOs were a little skeptical about that, but we were able to make the business case for it, and within six weeks of my arrival, we not only had the CISO Council chartered but we had it funded and we had our first meeting,” Touhill says.
The inaugural meeting drew over 70 people, and the group's first priority was a governmentwide approach to shoring up the security of privileged user accounts. Touhill issued a challenge: Give all those accounts 100 percent multifactor authentication or turn them off.
At the start of that journey, just 32 percent of agencies self-reported having multifactor authentication. By the end of December 2016, that number was over 90 percent.
“I think we left the campsite a whole lot better than we found it, but if I were still there, I would be focusing on guiding the architecture into the 21st century as opposed to trying to Band-Aid the old 20th-century inefficient and ineffective architecture that we have,” Touhill says.
Getting the job done was ingrained in Touhill from an early age. He grew up in a large Irish Catholic family with parents who encouraged him and his siblings to take a leadership role in everything they did.
Throughout his career, Touhill says he always hearkens back to the lessons his parents taught him: be inquisitive, treat people with dignity and respect and always try to understand the why.
“As an officer, you learn that you are a leader even when you don’t think that you are,” he says. “People watch you and see what you do and what you don’t do. It goes back to what I learned in parochial school: You’ve got to do the right thing even when nobody’s looking.”
Editor's note: This story has been updated to reflect the number of agencies self-reporting multifactor authentication increased to "over 90 percent" rather than "nearly 99 percent."