Best Practices from Maria Thompson, an Exceptional Cyber Leader

Maria Thompson’s last day as North Carolina’s chief risk officer was June 4, 2021. In this interview, she shares her team’s cyber journey, along with helpful insights for others to benefit from.  

The North Carolina Capitol building.
Maria Thompson
Maria Thompson has led North Carolina government’s cybersecurity organization for the past six and a half years, and it has been quite an amazing run. Back in 2015, I interviewed Maria, along with the N.C. state CIO at that time, Chris Estes. They shared their visions, and an ambitious state government technology road map.

Now, as Ms. Thompson moves to the private sector, she leaves behind a long list of accomplishments and awards, but more important, she has built a cybersecurity program that offers a national model for others to emulate. In my experience, Maria’s passion for excellence and genuine results are rarely matched in government, and her humor and positive approach only amplify her strong cyber knowledge and many skills — learned from years in military leadership.

Maria is a team player who has built many partnerships, and these relationships have yielded great results. I always enjoy working with Maria on projects, and hear the same from others all over the country. Here is an example of a speech that Maria gave:

I am writing this blog to highlight Maria’s great example for CISOs, CxOs and other government technology leaders to follow, and to recognize the pragmatic results that her team has developed in North Carolina.

Interview Between Maria Thompson and Dan Lohrmann

Dan Lohrmann (DL): You’ve been in North Carolina government since January 2015. What are some of your best memories?

Maria Thompson (MT): Some of my best memories include moments when I was engaged in a group setting with state, local and federal partners, and we were collaborating on ways to make our state’s infrastructure more secure. I recall how fascinating and motivating those times were to see and learn about the various capabilities that each partner brought … seeing the various pieces to the cyber puzzle come together to address our weaknesses. My first introduction to this was within my first 6 months on the job. I had the great fortune to attend a cyber summit facilitated by the National Governors Association. It was a true introduction into the who’s who within the state and what capabilities they had. Without this external view, I could see how easy it would have been to only focus on state agencies and not look and think broadly about true statewide issues. I would highly recommend anyone stepping into a state CISO role to attend a similar meeting where you can pull in various potential partners to better understand strengths, weaknesses, opportunities and threats across your cyber ecosystem.

DL: What people/process/technology changes are most striking over the past decade? 

MT: I am not sure if striking is the word I would use, but I found it very interesting to watch and, in some cases, participate in the cyber/technology pendulum swings. By that, I mean the cycles that repeat themselves every so often. If you have been in the game for some time, you may recall the move to outsource IT years ago, then to consolidate IT, or a better word may be “managed” vs. “unmanaged.” For cyber professionals, we swing from edge security to endpoint and now many of us are in this hybrid state as we scramble to understand zero-trust implications. From my cyber angle, a major constraint in the past that influenced these decisions was based on a lack of resources and skills. This deficiency has not changed — in fact, if anything it has become more of a critical need. We historically chase new technologies that offer promise, but we rarely address the core issue. We need funding for managed, but we also need funding for outsourcing. Having managed solutions does not absolve you of the need for resources in-house. What is the total cost of ownership? As a state CISO, sometimes we are fortunate enough to receive funding for a security control mechanism, but rarely the staff to ensure efficient long-term support. This leaves a delta which we see in state and local government that results in cyber incidents where there are alerts, but no one is available to conduct incident triage.

DL: You have a long list of awards and accomplishments. What has been the secret of your success?

MT: I do not look at awards as a representation of success. For me, it has always been receiving feedback, whether positive or negative, from those who I serve. I have always taken great pride in my team’s efforts to support and secure the state’s infrastructure. Any award I have been presented is largely due to the dedication, motivation and passion my team brings to the cyber fight. It is well known that in order to succeed in cyber war, it takes collaboration and unity of effort. I want to thank my internal team within the Enterprise Security and Risk Management Office (ESRMO) once again for all they do on a daily basis to bring their “A” game. I would also like to thank those members of my external and extended team, including partners both at the federal and state levels, who have and continue to do great things for the state, always putting public service first.

DL: In your chief risk officer role in North Carolina, how has cybersecurity grown in significance?

MT: As the cyber landscape changed and the cyber attacks increased in intensity, we have had to adapt our tactics, techniques and procedures (TTPs). We have had to remain flexible and agile to get us closer to the level of cyber maturity that embraces proactive approaches to combat emerging threats. Today, globally, we have critical infrastructure being impacted almost daily. The word “cyber attack” is being imprinted in the lexicon of our households. We can no longer continue to hit the reset button after an attack has lost its impact. Collectively, we have to keep our guard up, and by “we,” I mean every citizen of North Carolina. These attacks will continue if we do not educate those that need it, augment those that need to defend against it and support those that are impacted by it. It has been said and is very true today that cyber is a team effort. You are either part of the team or not.

DL: As you built your team, there were obviously staff members coming and going. You also worked for different leaders. How did you approach those relationship changes?

MT: Luckily, during my time with the state, I did not see many direct staff changes occur, but when we did, we took the approach that no one is indispensable. That means that we have to be ready to step in and step up when the need arises. State leadership is a different matter in that I have seen my fair share. I will say, however, that cyber has always been a well-supported program. My leadership both past and present, being technologists, understood the impacts should cyber not be elevated and addressed. Unfortunately, recurring funding remains a constant challenge, and this is something, sadly, a majority of my peers in state and local government struggle with. We have had to learn to do more with less. This is something I hope to see change in the future. CISOs need to continue to be that evangelist to educate our leaders on the need to prioritize and fund cyber initiatives.

DL: You built great relationships with other CIOs, CISOs and tech leaders around the country (at the local, state and federal levels). How did that develop and what (formal and informal) methods worked best? 

MT: Those who know me best know that I like to take more of an informal approach to most engagements that I undertake as a first effort. I found that entering into a situation with what we would term in the military as “wearing your rank” can effectively have the opposite effect. In your question to me, you used one particular word that resonates above all, i.e. “relationships.” In my six years with the state, forming and maintaining relationships has been key to getting things done faster than some more formal paths. Don’t get me wrong, there is always a need for formality. It brings structure and ensures a specific outcome every time. But when it comes to cyber, and the need to reach across county, agency and federal lines, relationships and partnerships open the door faster than trying to kick it down. I encourage my peers to develop and tighten those relationships with your National Guard cyber resources, federal partners, academic institutions, local government IT managers … those people who bring unique insights into the threat landscape, who can bring resources to bear when you get that call late in the night. I have been fortunate to call many of these team members friends and allies. Together we formed a united front that has been very beneficial in our statewide cyber incidents.

DL: I know it is dangerous to name just a few, but are there any people or organizations in particular that you want to mention that helped guide your journey?

MT: You are correct. These are dangerous waters. What I would say is, I have been truly honored with the opportunity to work for and with highly skilled professionals, who embody many of the leadership traits and principles I admire. I have worked with state executive leadership who are consummate professionals that understand cyber and the need to integrate it within impactful statewide workgroups such as the Emergency Response Commission. I have worked with local government IT/cyber professionals who dedicate their personal time to support multiple cyber missions and projects across the state. I have worked with my brothers in arms, the National Guard Cyber Response Force, who have been true citizen soldiers at the ready to support any and all cyber incidents. This team has been lock step with me in establishing a solid footprint for the whole-of-state approach to cyber. I have partnered with academic institutions that are looking to assist the state to close the cyber pipeline issue we are facing. Then there is my team at the state, both those that work directly for me and those that support the infrastructure for state agencies. These teams have been patient and supportive as we made changes over the last few years to integrate cyber into everything from DevOps to Decommission. I said it before and I will continue to stress that cyber is, above all, a team effort. These groups I have listed at a high level should all be commended in their efforts to ensure the privacy and security of the citizens' data and critical infrastructure.

DL: What was your approach to partnering with vendors and other organizations in the private sector?

MT: Bottom line, we cannot do this … and by “this” I mean continue to fight cyber battles without support from our vendor partners. My approach with the vendor community is to develop relationships built on transparency and trust. This is especially important as we continue to see and experience supply chain incidents. Our partners are also a listening post that can provide cyber intelligence and should be incorporated into information-sharing opportunities. Information sharing is key to being able to identify and mitigate threats in a timely manner. This is one of the reasons why HB 217 encouraged private-sector support and participation. We need to share faster and more often. Quite frankly, we cannot continue not to.

DL: What are you most proud of during your time as chief risk officer in North Carolina?

MT: If I had to choose one thing, it would be how we have increased cyber awareness and, in some cases, cyber maturity statewide.

DL: What are the biggest challenges that you see government CISOs facing over the next decade? Any advice to share with incoming CISOs in government?

MT: Four words: supply chain risk management. Why? Because in many cases this is an area where, as cyber professionals, we do not have control or visibility. CISOs need to get to a place where we can verify security controls, not just rely on contractual obligations. Vendor partners need to be more transparent and take a more active position in identifying risks to their supply chain. This is not an easy task. State CISOs need to continue to collaborate and participate in discussions around supply chain risks. Educate ourselves and others on the growing threats. We all need to collectively get in the game and collaborate with state, federal and private-sector partners to develop ideas and methods to reduce these risks. Collaborate, make actionable decisions, learn from each other and manage risks down.

Dan Lohrmann: I want to thank Maria for taking the time to answer my questions. I wish you the best of success in your career.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.