Why Arizona Wants to Be 'Open' About Cybersecurity

Arizona CISO Tim Roemer shared his philosophy about motivational cyber awareness training, the importance of getting assertive with vendors and why state CISOs need to keep talking to each other.

State cybersecurity is a community effort — and one that requires collaborating across states, partnering with local governments and training up the entire state workforce, according to Arizona CISO Tim Roemer.

As the state navigates the ever-evolving threat landscape, Roemer said he knows his team doesn’t have all the answers, but that keeping the conversation flowing is key.

“There's a lot of CISOs that don't want to ever talk publicly, because they think it makes them more of a target. Well, I know we're already all a target,” Roemer told Government Technology. “The more open we get with cybersecurity, the better we're going to come together, and we're going to start fixing this.”

Open communication is a theme he addressed at the National Association of State Chief Information Officers annual conference, as well, telling GovTech at the time that states need to be open when incidents impact them.

Roemer spoke with GovTech recently about his state’s cyber approach, including ongoing efforts to furnish local government with protections, more frequent and far-reaching employee trainings, and a more rigorous, assertive approach to working with vendors.

Rethinking vendor relationships is one low-hanging opportunity Roemer sees for the public sector. Governments are often tempted to sign three-year vendor contracts to secure better pricing, but can then feel hamstrung by these lengthy deals should the solutions fail to deliver results.

That was the situation Roemer landed in when he became CISO in 2019. Third-party threat detection tools were failing to catch everything, and staff were spending considerable time troubleshooting.

Getting tough with vendors worked.

“We put some of our vendors on performance plans. We said, ‘Hey, we documented areas that needed to be improved,’ and we pointed back to the contract, and we said, ‘Hey, this is where you're supposed to be providing these services,’” Roemer recalled. “At the end of the day, in a pretty short period of time, we were able to jump out of certain relationships with vendors and jump into new partnerships.”

Now, Roemer advocates avoiding long-term agreements until agencies can thoroughly test the solutions. In some cases, Arizona has renewed vendor contracts for only one year, to allow the state to run proofs-of-concept with other vendors before committing.

As he considers his vendor portfolio, Roemer said working with multiple firms lets a CISO harness and combine each provider’s particular strengths, but that there’s a limit to how many partners are manageable. Each third party adds a new threat vector, a new solution on which to train staff and a new procurement project to manage. That’s when it may be valuable — and cost-efficient — to use an existing vendor for several different services.

“I’m okay having multiple vendors but I don't want 25 different vendors,” Roemer said. “... I’d rather cut that down to 10 or less.”

And when considering potential contracts, governments shouldn’t be afraid to negotiate and push for prices within their budgets.

“[With] some of the vendors, we said, ‘Hey, you can either get a one-year extension at our current rate, or you can kind of be done with us today,’” Roemer said. Asking for what you want “actually really helps.”

Tools and services are only pieces of the cyber puzzle, however. People — and their security practices — are another essential part.

Verizon’s 2021 annual Data Breach Investigations Report, for example, found that more than 69 percent of government breaches stemmed from social engineering. That makes it essential to get the cyber awareness training approach right.

Training must reach beyond the IT team to the entire state workforce, Roemer said. Empowered by a governor’s mandate, Arizona now conducts annual cybersecurity trainings and monthly phishing tests with all employees.

“Our agency employees started off clicking on about 14 percent of our phishing training emails, and now they're down to 4 percent,” Roemer said. “They're also flagging far more phishing emails that make it past filters for us.”

To reinforce cyber-secure behavior, Roemer said it’s important to recognize employees’ good actions, not just their mistakes.

“People who flagged real phishing emails for our SOCs [security operations center] teams, we rewarded them with Goldfish crackers and Swedish Fish candy,” Roemer said.

Arizona also advocates a whole-of-state cybersecurity approach — a message that must be backed up with action, Roemer said.

That’s meant using a state grant to provide local governments with free defense and prevention tools. Asking for a price match is too likely to price out the very entities that most need help, he said.

“Too many states are trying to do it as a match,” Roemer said. “… If you're willing to take the big step as the state to put money toward the issue and to help, you should just go that little extra step [and make it free], because they need it so badly.”

Arizona is also eyeing the federal government's new State and Local Cybersecurity Grant Program. The state expects $3.3 million this year and is currently establishing a planning committee to determine how best to spend it.

Roemer said the actual dollar amount isn’t that much, but he hopes states showing they can put the funds to good use might encourage the federal government to renew the grant program when it expires.

“It’s a good first step. But we need to make sure that Congress and others are paying attention to the fact that they're not going to solve it with $1 billion, one time,” Roemer said. “It's going to need to continue past the four years. It's up to states and locals to prove it works and to show how they can spend it.”

Profit-motivated ransomware remains among the most significant threats facing Arizona, Roemer said, although he’s increasingly concerned that Russia could turn its focus to U.S. government entities, critical infrastructure and private firms.

“I think a lot of people are putting their guard down and thinking just because Russia hasn't done anything major on the cyber front since the war [against Ukraine] started, that they're not going to do that,” Roemer said. “That is completely the wrong thought process. They've been completely tied up with other areas — they've not met their military objectives. They’re more likely than ever to come after the United States.”

As Arizona faces the threats ahead, it’s tapping vendors for threat alerts and dark web scans and partnering with other states.

Attack techniques seen in one state are likely to soon be seen in another, and information sharing platforms can let governments alert each other with real-time automated warnings. These kinds of partnerships come with challenges — such as ensuring all parties actively share, and handling the flurry of necessary paperwork including memorandums of understanding, liability agreements and nondisclosure agreements. But the payoff is worth it.

“The more states and cities and counties that we can partner with — and share threat information in real time, automating the protection against those threats — is going to put us in a better position,” Roemer said.

Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.