Arizona CISO Mike Lettman on Top Security Issues for State IT

Mike Lettman has spent six years leading cybersecurity efforts in Arizona and serves as the state’s chief information security officer (CISO). A recognized information technology leader with more than 28 years in state government, Lettman previously served as CISO of Wisconsin, as well as chief technical officer for Wisconsin’s Department of Justice.

1. How has security evolved and become top-of-mind for not only IT officials, but also other agencies and even the public?

Cybersecurity affects everyone at all levels of government — all of the agencies and everything we do. Years ago when we started down this road, we were concerned solely about data. And then as we started to expose our data to the Internet, and then build systems that were exposed to the Internet, suddenly we had to worry about people attacking our data and our systems, and exfiltrating our data. CISOs today find themselves involved in all parts of the organization, the most recent being elections and the alleged security attacks against the election systems. So the role has evolved over the years, and I think all states and all governors are concerned about cyberthreats.

2. Arizona reportedly receives about 8.5 million cyberattacks a month. Is this similar to what other states experience?

I’d say it’s par for the course. I have regular contact with my counterparts in state government throughout the rest of the nation, and we’re all seeing similar numbers. Events can change this. It’s literally in the millions. It’s people constantly trying to manipulate or find vulnerabilities in your systems to find a way to get in.

3. What are the top concerns among cybersecurity officials?

Most CISOs would say there are three main concerns: No. 1, the lack of qualified cyber-security professionals to fill all the jobs that we need across the country. Second, the advancement of attacks is also a huge concern. I like to say, I know what we know and don’t know what we don’t know. And when something new comes along, sometimes it takes time for people to analyze that and figure out, what is it trying to do? Is it truly an attack? Is it some other way of social engineering? What’s really going on?

And No. 3 for most CISOs is the end users and protecting our data. End users are the easiest spot to attack our systems and our states, and to try to social engineer our employees and get them to open documents and things like that. That’s the easiest way in. It only takes one employee to click on a link in an email to download a malicious piece of software, and then compromise that PC, and then the bad guy has access to everything the employee has access to.

4. What are some new approaches to data security that can make state government more resilient?

What we’ve been working on is, how do we get proactive? How do we make security automatic? In other words, if there’s a way we can discover an attack before it’s happening, or at least before it’s predominantly happening, and if we can automatically update our systems to protect us, that’s our ultimate goal. That’s easier said than done, and cooler to talk about than actually see happen.

We also share as much attack information and intel as we can with our other key partners in the federal government, local county government and private sector, where possible. And the more sharing we do together, the more we can see; if they’re attacking the private sector today, they may be attacking us tomorrow. The more intel sharing we do, the more proactive we can become to stop these attacks. If they’re attacking Virginia today, they might move on to Arizona tomorrow.