Phil Bates

In 2017, the Department of Justice published a study about the Utah Cyber Crimes Unit to share the successful approach with other states. Chief Information Security Officer Phil Bates helped establish that task force in 2012, while IT director for the state Department of Public Safety (DPS). Organizations had been getting hit by doxing and other attacks and had no clear law enforcement entity to which they could report the incidents. At the time, the FBI only got involved if cyber incidents caused roughly $50 million or more in damages, Bates told Government Technology. He helped DPS pull together a collaboration between state police, the state fusion center and the FBI to fill that gap.

This focus on collaboration served Bates again in 2016, when Utah launched its state Cyber Center. Members of the Security Operations Center and fusion center housed at the Cyber Center communicate on cyber investigations and share real-time cybersecurity alerts with federal and local partners.

As they adopt technologies, CISOs need to keep the users in mind and not overload them with tools. For example, Bates said his team learned that an analyst can absorb information from only about five to seven feeds — anything else is overkill. To keep momentum, CISOs also should make choices with five-year plans in mind, Bates said. Fixating too much on short-term wins instead leaves CISOs forced to step back and “refactor and move into something else” once the particular project is over.

Bates’ next five-year goal calls for helping all Utah’s localities reach a cybersecurity baseline, something that forthcoming federal funding should make possible.

Serving as Utah CISO since 2015, Bates has worked under three CIOs and two governors. One secret to success? Understanding the different priorities and backgrounds of each new leadership team and adjusting security goals and communication approaches to click with them. A CIO with a background in security will be interested in — and able to parse — different metrics than a CIO with a different background, Bates said. Failing to meet them where they’re at risks losing their attention.