State

Arizona CISO to lead state’s homeland security agency

Tim Roemer will maintain his role as state CISO, making Arizona one of the few states to place cybersecurity under a homeland security agency rather than its IT organization.

By Benjamin Freed

April 7, 2021

(Robert Alexander / Getty Images)

Tim Roemer, Arizona’s chief information security officer since August 2019, will lead the state’s Department of Homeland Security, Gov. Doug Ducey said Tuesday. Roemer, whose appointment became effective immediately, will continue in his CISO duties as part of a broader rearrangement of Arizona’s cybersecurity governance.

Ducey said that in addition to its existing portfolio of anti-terrorism, critical infrastructure protection and border security, the Arizona Department of Homeland Security will absorb state government cybersecurity as Roemer takes over.

Tim Roemer (Arizona Strategic Enterprise Technology Office)

“Cybersecurity is homeland security — that’s why I’m looking forward to moving Arizona’s critical cyber mission to the Department of Homeland Security,” Ducey said in a press release.

Previously, Arizona’s CISO office had been part of the Arizona Strategic Enterprise Technology Office, the state’s IT agency, under the Arizona Department of Administration. In moving Roemer out of the tech agency, Arizona joins New Jersey as one of the few states where cybersecurity is overseen by a homeland security or emergency management agency, the National Association of State Chief Information Officers told StateScoop.

New Jersey CISO Michael Geraghty reports to his state’s homeland security office and runs the state’s Cybersecurity and Communications Integration Cell alongside Jared Maples, New Jersey’s director of homeland security and preparedness.

In an interview Wednesday afternoon, Roemer said he believes his new appointment could set a trend in state governments as cybersecurity is increasingly recognized as more than just a technology concern.

“Directors of homeland security come and go, Cabinets come and go, what’s significant is that it’s a bold step to prioritize cybersecurity as a homeland security function,” he said. “I wouldn’t be surprised if it becomes more common because of everything our state and our country is faced with.”

Roemer rattled off a number of cyberthreats facing Arizona, including nation-state actors targeting the health sector and intellectual property assets at the state’s universities, “hacktivists” who go after law-enforcement agencies with defacement and denial-of-service attacks and, most pressingly, ransomware, which he called a “day-in, day-out” issue.

But Roemer said his being in charge of the Arizona Department of Homeland Security gives him greater abilities to partner with law enforcement and other partners from the state’s fusion center in Phoenix.

Roemer also said he plans to hire two deputy directors to balance the department’s traditional portfolio with its new cybersecurity mission: one who will also serve as a deputy CISO, and another who’ll manage current functions like border security and grant administration.

“If I’m at the Super Bowl” — Arizona is scheduled to host the big game in 2023 — “or on the border, we’ve got to make sure we’ve got someone here in Phoenix who’s able to take on the duties of the CISO role,” he said. “From a government efficiency perspective, we can do this at no additional cost to the state.”

Roemer, a former analyst for the CIA, was named Arizona’s CISO in August 2019 after several years in Ducey’s administration, including three as the governor’s public safety adviser. His first job in state government was as deputy director of the state homeland security agency.

In its own press release, the Department of Administration credited Roemer’s work, especially through the COVID-19 pandemic.

“Tim has been a welcome addition to the ADOA team to lead and protect the state during what would turn out to be an unprecedented challenging time,” the statement read. “Many systems were taxed beyond capacity and more bad actors used this time to increase cyberattacks. The cybersecurity team was resilient and unrelenting in their focus to protect the State during these increased attacks. Their resolve and efforts kept the State of Arizona systems and data safe.”

In the interview, Roemer said efforts to raise the importance of cybersecurity in state government began not long after he took the CISO job. While he initially reported to state Chief Information Officer J.R. Sloan, Roemer said the Department of Administration’s director, Andy Tobin, “pulled me out” and made him a deputy director on equal footing as the CIO.

“That was the first bold step,” Roemer said. “This takes that several steps further.”

The formal transfer of cybersecurity operations to the Arizona Department of Homeland Security will take place when the state’s new fiscal year begins on July 1. In the interim, Roemer will work with state Chief Information Officer J.R. Sloan “to ensure not only a smooth transition, but a continued collaborative working relationship between the two agencies,” officials said.