Trying to protect a state where agencies maintain significant autonomy can make it difficult to maintain consistent security practices, state CIO Daniel Urquhart and Chief Information Security Officer Chad Smith said Nov. 13 during a conversation at the Alabama Digital Government Summit.* The session was moderated by Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University in Auburn, Ala.
Urquhart spoke candidly about the challenges Alabama faces, and said, “We have a lot of autonomy at the agencies. They build and buy their own platforms and manage infrastructure, which is kind of scary from a cybersecurity perspective.”
That push for standardization turned from an aspirational plan into an urgent priority when a major cyber incident hit. The experience, Urquhart said during the discussion, made clear why Alabama couldn’t afford to use a patchwork of cybersecurity tools as it had done in the past.
For Smith, that lesson came early. Just two months into his tenure as CISO, a late-night phone call made clear how quickly theory can turn into crisis. His team was alerted to a potential security breach by a federal partner.
“It was 7:45 p.m. that night,” he said. “I looked down at my phone, and it was a [federal Cybersecurity and Infrastructure Security Agency] CISA rep. And I thought, ‘Why is she calling?’ And then the reality hits you before you even answer, and you’re like, ‘I know why she’s calling. This is not going to be a fun phone call.’” In the video below, the two officials talk about what happened.
From that point, everything accelerated. Smith and his team worked nearly nonstop to regain control of the situation, putting in 95 hours in just one week as they pushed to gain control.
The governor’s office and his broader chain of command were understandably concerned when the incident surfaced, Urquhart said. Any time there is any kind of security breach, the state CIO said, you have “citizen information” and you have “basic trust in government” that can be adversely affected.
One initial hurdle was the lack of consistent tools across agencies. As Urquhart put it, “We didn’t have consistent tool sets deployed. So you have to spend a couple of days pushing out tools just to get the telemetry to figure out kind of what happened and work your way backwards into the event.”
Despite the chaos, Smith said no citizen information was compromised — but the state came far closer to a serious outcome than many realized. As he put it, “We were probably within four days of seeing something very tragic happen within the state.”
That near-miss, both leaders said, showed just how crucial Alabama’s partnerships have become. Urquhart pointed out that much of the state’s early threat awareness comes from federal intelligence, noting that “most of the major incidents that we’ve been alerted to came from CISA, so that’s a very valuable partnership and it’s very helpful to the state.”
The state CISO took the point even further, emphasizing that ultimately, the state’s cybersecurity posture relies on a broad network of collaborators.
“Cybersecurity is a team sport. It’s not just one person,” he said. “Those types of partnerships can make us stronger as a state.”
Smith also highlighted a recent shift in how the state prepares for future incidents, by transitioning to an immersive virtual training format where scenarios unfolded in real time onscreen. This approach, he said, pulls participants into the discussion more naturally and creates space for frank conversations about the challenges the state is still grappling with.
That need for deeper readiness extends beyond training, which is why both Urquhart and Smith said Alabama is preparing for a world in which attackers increasingly use AI-driven tools. The future of cyber threats, Smith warned, will be something new to states.
“It is going to be so broad and so unlike anything that we’ve seen today. We’re preparing for that,” he said. “We’re looking at how we can automate our platforms and interconnect them so that we don’t become so human-dependent.”
Urquhart agreed that the state must evolve quickly, but he emphasized that the foundation of Alabama’s strategy is still partnership.
“We’re all in this together. We need reliable partners that are willing to help us and kind of bend the business as things change. Because situations don’t stay stagnant in this field,” he said.
The incident may have been a wake-up call, but the officials said it provided clarity. Threats are speeding up, the stakes are rising, and the only way forward, they said, is a more coordinated, connected approach — one that spans the entire state.
* The Alabama Digital Government Summit is hosted by Government Technology.
