Arizona hires cybersecurity firm to manage risk across state government

All 133 state agencies will use New Mexico-based firm RiskSense to monitor their exposure to cyberattacks.

Arizona announced Monday that it will use a single cybersecurity firm to monitor and manage the risks to computer systems in all 133 state agencies. The company, RiskSense, is based in neighboring New Mexico and was chosen over other potential vendors in part because of its software that rates a network’s vulnerability to cyberattacks with a proprietary scoring metric modeled on personal-credit ratings.

“I can have productive business conversations with people who know little about IT and security,” Mike Lettman, Arizona’s chief information security officer, said in a press release.

The Arizona Department of Administration, which manages state-government functions, estimates it receives about 500 Trojan horse hacking attempts and 200 “brute force” attempts every day, plus about 35,000 malware attacks monthly. Arizona’s government owns about 100,000 IT assets.

The state’s election database has also been targeted in high-profile cyberattacks leading up to the 2016 presidential election. On Sunday, “60 Minutes” reported that Arizona was one of four states where elections systems were successfully penetrated by hackers working for the Russian government, though the Department of Homeland Security later told Reuters that the Arizona infiltration was the work of criminals instead of the Kremlin. (The other three states were Illinois, Tennessee and Florida.)


RiskSense says it’s already helped the state identify holes in its use of the Apache Struts web application framework, which has been exploited in several high-profile corporate hacking attacks, including last September’s Equifax breach, which released credit information on roughly 148 million people.

While Arizona says it was drawn to RiskSense’s “Security Score” platform because of its similarity to credit ratings, other state governments have developed their own scoring systems internally. Last month, California introduced its Cybersecurity Maturity Metrics, which rates state offices on scale of 0 to 4.

Lettman was not available for an interview. But Arizona has been moving rapidly on cybersecurity recently. In March, Gov. David Ducey formed the Arizona Cybersecurity Team, comprised of Lettman, Chief Information Officer Morgan Reed, and 20 other state and private-sector officials.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed is the managing editor of StateScoop, and leads its coverage cybersecurity issues affecting state and local governments. He has written extensively about cybercrime, ransomware, election security, and the federal government's role in assisting states, localities and higher education institutions with information security.

Latest Podcasts