Security eMagazines

March 2022

Special Report: 2022 Top Cybersecurity Leaders



Bio image courtesy of Touhill / Background image courtesy of KrulUA / iStock / Getty Images Plus


Director, CERT Division,
Software Engineering Institute
Carnegie Mellon University

Chair,
ISACA Board of Directors

Greg Touhill

Building a Safer and Secure Cybersecurity Ecosystem

By Maria Henriquez, Associate Editor

Retired Brigadier General and highly decorated combat veteran Greg Touhill is thankful for his 30 years of public service in the United States Air Force (USAF) because it provided him with the time and place to hone his leadership skills. Touhill served in several commands around the world, including U.S. Transportation, Central and Strategic Commands, and spearheaded the creation of USAF’s cyberspace operations training programs. “The military was my leadership laboratory and the crucible upon which I forged my leadership skills initially,” he says. “I can’t thank my senior non-commissioned officers who taught and trained me as a lieutenant through general enough.”

One of Touhill’s stand-out accomplishments is leading the team that created RIPRnet (Radio-over-Internet Protocol Routed Network). Developed to help better support troops driving convoys in Iraq, RIPRnet is a U.S. military network that allows system controllers and deployed personnel to connect radios in remote locations to local dispatch consoles, exchanging radio voice data over an IP-routed network.

“It was a transformational, lifesaving radio network that gave every soldier, sailor, airman and marine the ability to communicate on any radio, secure or unsecure, anywhere in Iraq so they could call for help when under attack,” he explains. For this effort, Touhill and his team won the 2006 Air Force Science and Engineering Award for Engineering Achievement, and he was awarded the Bronze Star medal. Later, during an assignment in Kuwait, Touhill and his wife received a briefing from a young private in the Army who talked about all the lives RIPRnet had saved. While the private was unaware of who Touhill was, he says, “Being away from my wife and children for 13 months was all worth it because she got to hear firsthand about why our work is so valuable and why it matters.”

While he’s already had a distinguished career, Touhill believes he is at the pinnacle of his career now, serving as Director of the CERT Division at Carnegie Mellon University’s (CMU) Software Engineering Institute (SEI). “CERT is made up of absolutely brilliant individuals, all who are very clued in and cued in to the practical aspects of cybersecurity — not just technology,” he says.

Leading a group of researchers, software engineers, security analysts and digital intelligence specialists, Touhill and his team work to research security vulnerabilities in software products, as well as contribute to long-term changes in network systems, and develop cutting-edge information and training to improve cybersecurity.

For nearly 30 years, the CERT Division of the SEI has collaborated with government, industry, law enforcement and academia to improve not only cybersecurity, but also the security and resilience of critical computer systems and networks. Initially, CERT focused on incident response. Now, working closely with the Departments of Defense and Homeland Security, the research organization is dedicated to all areas of cybersecurity, including insider threats, digital investigations and intelligence, vulnerability discovery and analysis, risk management, cyber workforce development, forensics, network situational awareness, malicious code analysis and more.


When first founded, the CERT Division was tasked with identifying the scope of, and stopping, the 1988 Morris worm — often referred to as the “Great Worm” due to the devastating effect it had on the internet at the time. “Thanks to this collaborative effort, the Morris worm was able to be stopped. Then, the greater cybersecurity community was founded. Since then, we’ve learned that it’s much more than just emergency response. We need to have a more disciplined and proactive approach to cybersecurity.”

Since his arrival at CERT, Touhill has been focused on rebranding and pivoting to a new strategy toward cybersecurity engineering, risk and resilience. “Taking us from the reactive computer emergency response to a more proactive cybersecurity, engineering and resilience team is important because we have to ensure we’re doing cyber for engineering, and engineering for cyber. Thus, we are focused on building resiliency and security into software, hardware, and the interconnected nature of our cyber ecosystem. Whether it’s information technology, operational technology, industrial control systems or the Internet of Things, we’re broadening our aperture to include all of that so that we can build a safer and secure cyber ecosystem.”

While he helps CERT rebrand and pivot, Touhill has leveraged his experience and leadership skills to set his team’s vision, priorities and tempo. “It has been said by many that ‘You can’t boil the ocean’ and be successful. As a leader, you need to make sure to not only set the purpose and priorities, but also to set the conditions for success. Great leaders prioritize what needs to be accomplished. Then, let people amaze you with their creativity.”

At this stage of his career, Touhill says he’s focused on better elevating cybersecurity, advancing the workforce, and ensuring the cyber ecosystem is moving toward a more digital trust-focused environment. One of the many ways he’s helping achieve those goals is by serving as the Chair of the ISACA Board of Directors, the Washington Executive Cyber Council, the Billington Cybersecurity Advisory Board and as a Member of the AFCEA Cyber Committee, the Faculty at Carnegie Mellon University’s Heinz College and Deakin University’s Centre for Cyber Security Research and Innovation.

At these organizations, Touhill develops, lectures and guides several CISO, Chief Information Officer, and Health Care Informatics certification programs. In addition, he advances strategy development, planning, governance, risk assessment and mitigation, and best practices; oversees outreach and ensures open lines of communication between government and industry; advises government leaders on technology; and identifies cyber best practices to better ensure national security and prosperity.

Touhill also gives back to the industry by sharing his wisdom and knowledge with the next generation, serving as a mentor to five Texas-based AFCEA cyber professionals and as a mentor and coach to a recent Penn State graduate, all of whom are launching their careers in the cybersecurity field.

As a member of the Military Cyber Professional Association Board of Advisors, Touhill also mentors active-duty and former military members and those transitioning from the military to positions in the private sector. He says, “Cybersecurity is not just about technology. It’s about people, processes and technology. If we focus on better understanding how we can develop the leaders of tomorrow, we can build an even safer and more secure cyber ecosystem.”
