As we’re exiting the pandemic and getting back to normal, what are the lessons you think will last?
I think prioritizing cybersecurity throughout the state is something that’s going to last. We’ve worked to get in front of our employees, virtually. We don’t want to just be white noise. They know we exist. Some state employees didn’t know we had a security operations center that was working to protect them. And then phishing training. Because of remote work and an increase in phishing attacks, we increased both the quantity and quality. So we raised the difficulty and started doing it monthly, and boy, that’s going to keep going.
Do you think you’ll still have more challenges with the complexities of remote work?
I worry about complacency. Cyber’s a lot more of a human challenge than it is a technology challenge, because humans are the ones making mistakes with technology. We’re blocking four times more risky websites visited by workers than we’d block when they’re at work. So we’ve worked really hard the past year and a half to let our employees know they need to be more cautious. We’re starting to do some cool rewards. If you find a phishing link and you bring it to our SOC team, we’ll bring you some Goldfish crackers. So we have these things that are starting to work, but it’s not that economical to ship people individual packs of Goldfish, so we need to get even more creative in staying engaged with teleworkers.
Moving cybersecurity from IT into the homeland security department, why was that such an important change?
In the physical world, if someone was showing up to your place of work trying to break in, someone would take that case and prosecute that. Unfortunately, at the federal, state and local levels, the capabilities of law enforcement to do so [in cyber] aren’t really there. So the biggest thing for us was we get to roll underneath a homeland security department, use that to have more of a bully pulpit with law enforcement, to co-locate and sit with law enforcement at our state fusion center. That will put our cyber analysts and our SOC team to share information, work with law enforcement and partner with prosecutors. That will ultimately make the state of Arizona safer, and it sends a heck of a message to the criminals behind it.
What are the big cybersecurity risks government leaders should think about the most?
Getting the buy-in of your top level of government is priority No. 1. I’m lucky I have that from Gov. [Doug] Ducey, because he gets it, he understands it, he respects the threat that’s out there. But to be completely honest, I don’t hear that from other CISOs in other states, and I think that’s the biggest challenge facing them. When we talk among our CISOs, we’re trying to be sure every governor’s office prioritizes cybersecurity like Gov. Ducey does in Arizona, and I hear my private-sector colleagues as well. They’re trying to get their C-suites on board, and not just the customer service ease of use thing.