Gregory Touhill, federal chief information security officer at the Office of Management and Budget, has outlined five cybersecurity areas that he plans to prioritize as the first federal CISO.

Touhill wrote in a blog post published Wednesday that his office plans to build up recruitment practices, employee retention and skills development as well as leverage training and targeted education through the Cybersecurity Workforce Strategy.

He also cited the need to treat data as an asset and implement best practices in an effort to prevent data breaches and other cyber attacks within the federal government.

Touhill said his office will work to invest in efforts to update legacy information technology systems and adopt cloud and mobility platforms in order to reduce network vulnerabilities, as well as leverage metrics to facilitate the decision making process for cyber risk management.

He also mentioned the establishment of the Chief Information Security Officer Council that will work to facilitate collaboration among federal CISOs.

The White House appointed Touhill as the first federal CISO in September as part of the Cybersecurity National Action Plan that President Barack Obama unveiled in February.

The National Institute of Standards and Technology has issued a security guideline that works to address ways to engineer systems that can operate continuously amid various disruptions, threats and hazards.

NIST Fellow Ron Ross wrote in a blog post published Tuesday the Special Publication 800-160 Systems Security Engineering guide was developed after four years of research and development.

“Our fundamental cybersecurity problem can be summed up in three words—too much complexity,” Ross wrote.

“There are simply too many bases—all the software, firmware, and hardware components that we rely on to run our critical infrastructure, business, and industrial systems—for us to cover as it is, and we’re adding to the number of bases all the time,” he added.

Ross noted increased complexity gives adversaries “limitless opportunity” to attack vulnerabilities in underlying systems.

Fundamental weaknesses in system architecture and design can be mitigated through a “holistic approach” based on systems security engineering techniques and design principles, according to Ross.

The security engineering approach is designed to help systems block penetration; limit damage from disruptions, hazards and threats; and continue to support missions and business operations after security incidents, Ross stated.

Organizations should integrate engineering-based security design principles at physical and virtual levels to address vulnerabilities, Ross said.

Navy Adm. Michael Rogers, director of the National Security Agency, has said the “arbitrary lines” between public and private property have resulted in “uneven” cooperation between the private sector and government in the campaign against cyber attacks, the Wall Street Journal reported Tuesday.

Rogers told attendees at The Wall Street Journal CEO Council that approximately two-thirds of cyber hackers are criminal groups that seek financial gain through data theft while the rest are state-sponsored network threat actors, the Journal’s Alan Cullison wrote.

“My point is that cyber does not recognize these arbitrary lines that we have drawn — it doesn’t recognize the geography,” Rogers said.

“Network structures in the world wide web [are] not organized that way. Our adversaries don’t work that way,” he added.

Rogers, who is also chief of the Cyber Command, called on company executives to get involved in cybersecurity and urged U.S. firms to provide the government access to their networks in order to defend data infrastructure from cyber threats, the report said.