Maria Thompson, chief risk officer of North Carolina

June 21, 2021

This interview was conducted May 28, prior to Maria Thompson’s announcement that she’d be stepping down from the North Carolina Department of Information Technology. She is now a state and local government cybersecurity leader at Amazon Web Services.

What are the lessons from the pandemic you think will stick?

I think what we’ve come to understand is that we don’t necessarily have to work on site. We can have a hybrid workforce and still produce quality output. From a risk-management perspective, tightly ingraining cyber into all the projects will be key. I know in some cases during the pandemic there was a rush to deploy capabilities and cyber may not have been thought of as a primary solution to be integrated, but we’re all circling back to do cleanup. We all know cyber is not a one-and-done. Supply chain risk has been huge for us, especially during the pandemic.

What are the security issues leaders should think about the most?

We talk about the Colonial Pipeline and SolarWinds and all these supply chains, and that’s increasing. And leaders in general, not just cyber leaders, should think about how we are approaching our supply-chain risk posture. Those incidents were calls to action. It almost appears we have folks out there who are hitting the snooze button. And then it happens again. We really need to start investing in solutions, in people, in processes to ensure the security of our environment. It’s not just buying tools, it’s investing in people, in their knowledge and ability that they are prepared.

You’ve made growing the cybersecurity workforce, especially in ways government leaders haven’t always thought about, a big part of your job.

It’s all about partnerships, and at every engagement I’ve been in, I’ve always brought it up. I sit on multiple school advisory boards. One of the primary reasons I do that is to build those relationships, to figure out how I can be a part of curriculum development. And look how we can bring some of those students to the state, and see what we have to offer and build that interest. We’ve had students tour the data center. We have partnered with companies like SANS, and we’ve been part of CyberStart. Wherever there are opportunities, we have been involved. I’m part of the #IAmCS movement, which is a group of ladies across the public and private sectors who are in STEM roles.