Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Greg Touhill: How an Air Force Lieutenant Became One of Cybersecurity's Top Guns

Security Pro File: After leading cyber efforts in the military, DHS, and the federal government, the former Federal CISO now sets his sights on new security technology.

It was a typical day at McChord Air Force Base in the early 1980s. A box had arrived at the command post. Lieutenant Gregory Touhill, a recent ROTC graduate on his first assignment, opened the box and looked inside. It was a desktop computer – still a new concept in most bases and businesses, not long after IBM introduced the first PC in 1981.

A skeptical colonel peered inside the box. "What the hell's that?" he growled.

"It's a computer, sir," Touhill replied.

"Well, you take it," the colonel said. "You're in charge of it."

More than 30 years later, retired Brigadier General Greg Touhill is still following those orders. In fact, he's taken charge of some of the largest and most complex computer communications and cybersecurity programs in the world. As an Air Force officer, he became one of the service's top communications and logistics leaders, earning three awards of the Legion of Merit and the Bronze Star. As a brigadier general, he was the CIO and Director of Command, Control, Communications, and Cyber Systems at U.S. Transportation Command – a $15.4B enterprise that won the NSA's Rowlett Award for the best cybersecurity program in the US government.

But he didn't stop there. In 2014, after his 30 years in the Air Force were complete, Touhill took his cyber skills to the civilian side of the US government. He was appointed to be the Department of Homeland Security's Deputy Assistant Secretary for the Office of Cybersecurity and Communications. He also served as the Director of the National Cybersecurity and Communications Integration Center (NCCIC).

In 2016, Touhill once again took charge of a major cyber operation, becoming the first Federal CISO ever appointed by the US government. US CIO Tony Scott and then-Cybersecurity Coordinator J. Michael Daniel cited Touhill's "considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices."

In fact, he was uniquely qualified for the job, having worked with not only with all branches of the service and most federal agencies, but with thousands of private contractors during his career.

Earlier this year, with a new administration coming into office, Touhill stepped down from his post as Federal CISO – a position that remains unfilled – and is now president of Cyxtera Technologies' Cyxtera Federal Group, where he is still leading efforts to break new ground in cybersecurity.

"I feel like my mission hasn't changed across all of these roles," says Touhill, who will be the keynote speaker at Dark Reading's INsecurity Conference later this month at National Harbor. "I've been in different positions, but I'm still protecting data for America. That's still what gets me going every morning."

Having held critical cyber roles in the US military, DHS, and in the federal government, Touhill has more than his share of CISO war stories – and, in his case, many of them are actual war stories. The U.S. Transportation Command had to protect information about the movement of supplies and equipment – key data that might tell the enemy where US troops were going. The organizations and systems he secured at DHS and the federal government were similarly attractive targets, where a bad mistake might cost not only sensitive data, but human life.

"I have seen a lot of things happen, but one positive thing I've learned is that as defenders, we're not as bad as we sometimes think we are," says Touhill, who has an optimistic, open demeanor that suggests more teacher or coach than brigadier general. "As professionals, we tend to focus on where we fail, and that's as it should be. But we also have to remember that the risk level is high, and it's really not so much about protecting everything – it's about managing risk." Touhill laid out his risk management strategy in "Cybersecurity for Executives," a book he published in 2014.

The risk equation is one that is familiar to most military officers -- and perhaps separates military cybersecurity from enterprise cybersecurity, where some CXOs still cling to castle walls and network perimeters. "Frederick the Great said that he who attempts to defend everything defends nothing," Touhill recalls from his Air War College training. "A lot of companies don't know what assets they have, and so they are trying to defend everything. It just doesn’t scale."

At DHS, Touhill had a front-row seat to some of the most serious online threats posed to US interests – both in government and in private industry. He became a driver behind cyber simulations and exercises that help defenders practice for "the very bad day that's going to happen," as he calls it. He helped to build and support federal cyber exercises such as Cyber Storm and GridEx, which allowed federal, critical infrastructure, and defense agencies to perform real tests of their cyber response systems, and identify weak spots that needed work.

"Many companies have trouble with incident response because they fail to practice," Touhill says. "Not only do they not rehearse the process, but they don't know all the participants. And I can tell you, the time to exchange business cards is not in the middle of a crisis. You need to know the people involved and the roles that they are going to play - before the bad day happens."

As the first Federal CISO, Touhill had a chance to begin building coordinated security initiatives across agencies, but he feels much more needs to be done.

"I believe it is critical that the new administration take action to appoint a new CISO to capitalize on our cybersecurity initiatives," Touhill says. "I believe cybersecurity is a non-partisan issue and we can't wait any longer for a Federal CISO. We need a highly qualified technical leader as the Federal CISO as soon as possible, because marking time in today's hotly contested environment is actually falling behind. I am hoping that Congress helps by making it a specified position in the next Federal Information Security Management Act (FISMA) as well."

Touhill's time working with federal agencies also pointed up another key issue he sees in private industry: too much reliance on older technology. "Touhill's Law says one human year equals 25 computer years," he says. "If you want an effective defense, you don’t rely on outdated technology. You don't fly a Wright Flyer against a MIG and expect to win."

That need for advanced, better technology was the primary reason why Touhill chose to take his new position at Cyxtera, an emerging technology vendor that is working on a wide array of next-generation security technologies, ranging from authentication to microsegmentation, deep analytics, and total fraud protection.

"I had a bunch of opportunities when my position as Federal CISO was not renewed, but I left them at the altar when I saw what Cyxtera was doing," he says. "The idea of a zero-trust model that can work anywhere, even in the cloud, is where we need to go. I feel like I'm in the right place for what comes next."




Things Touhill has carried over from military life: I walk fast. I eat fast. I don't sleep much. I'm up by 0500 and I still work out for an hour every morning before work.

What his co-workers don't know about him: I love Key lime pie. If you want to get me to do something, you can ply me with pie.

Electronic must-haves: A phone loaded with my family photos, music, and the Major League Baseball app.

Favorite hangout: Right next to my wife.

Comfort food: My wife's chicken pot pie. There is nothing better.

In his music playlist right now: I’m reliving my high school years. Queen's "Don't Stop Me Now" is playing; ELO's "Turn to Stone," and Journey's "Don't Stop Believing" were right before it.

Ride: A BMW. My wife has always wanted one. She asked for one when I was a first lieutenant, but I couldn't afford it, so I got her a dog. Twenty-five years later, we got the BMW.

After hours: I love baseball and writing. I have another book in the works.

Favorite team: The team that wears red, white, and blue: the Boston Red Sox.

Signature style: I wear red socks every chance I get.

Actor who would play Touhill in film: That's easy – Tom Hanks. People tell me I look like him.

Next career after security: Commissioner of Major League Baseball.


Meet Greg Touhill Nov. 29 at his keynote address for Dark Reading's INsecurity Conference. See the full agenda here.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...