Deborah Blyth, who’s been Colorado’s chief information security officer since 2014, will leave state government next month to join the cybersecurity firm CrowdStrike.
In a phone interview, Blyth called her time at the Colorado Office of Information Technology a rewarding experience in which it was “fun learning about the services state provides to residents.”
“Before I started I didn’t know anything about state government,” she said. “Even during COVID, it was very interesting to see to what degree our state offices are so involved in keeping the public healthy and safe and keeping services running.”
Blyth joined the state government after working as an IT and cybersecurity engineer and manager for several private-sector firms around Colorado. During that time, she recalled, she frequently pushed state lawmakers and other leaders to increase funding for security efforts. She said she was mostly successful in growing the cybersecurity budget.
The biggest increase, Blyth said, came in the year following a 2018 ransomware attack that disabled numerous back-end systems in the Colorado Department of Transportation, costing the state more than $1.5 million to rebuild. But in that incident, which was later attributed to a pair of Iranian nationals, Blyth also helped lead a response that has since become a template for state and local governments dealing with ransomware. This was after Colorado became the first state to declare a statewide emergency over a cyberattack, unleashing a slew of resources and strategies ordinarily reserved for natural disasters or terrorist attacks — a playbook that’s since been repeated by other states, including Louisiana and Texas, as they fell victim to similar attacks.
“The next year when I went to the legislature, it was our biggest budget request ever,” Blyth said Thursday. “Normally I’d get a portion. I got the whole thing.”
Colorado now allocates about 5% of its total IT budget to cybersecurity. By comparison, a biennial survey of state CISOs found that states on average only spend 1-2% of their tech funding on cyber.
But she said the CDOT ransomware response — one that began with her personally going on pizza runs to refuel sleepless IT engineers — also strengthened her office’s culture and made her a resource for her counterparts in other states.
“There’s nothing like a big cybersecurity incident to do a few things in your organization. One is bond you as a team,” she said. “Tons of states and local governments still reach out to me to talk through that information to help tell the story that helps them be successful. I’m glad my suffering was not in vain.”
And over the past 18 months, Blyth, like most of her fellow state CISOs, has focused on securing a state workforce that’s gone mostly remote. But she said the pandemic revealed the character of her team members and the agencies they support.
“One thing we have in common is our purpose and mission,” she said. “We’re all here because we want to make a difference. There was so much to stand up the infrastructure, going remote, supporting the agencies extremely involved in pandemic response. State employees, we are wholly invested and will work and work until the job is done.”
Officials said Blyth will leave state government Aug. 13, after which William Chumley, OIT’s chief customer officer, will serve as interim CISO. (The state is recruiting for a full-time replacement.)
At CrowdStrike, Blyth will be an executive strategist focusing on state, local, tribal and territorial governments, a role she said will keep her connected to the public-sector CISO community, with which she said she hopes to share lessons from her time with the Colorado government.
“When I write a business justification and speak with state leadership or the legislature, I have been very successful in getting the requests filled,” she said. “Now I can help other states, local governments that haven’t been well supported. What always helps is if you can tell a story about a cyber event that caused impact and damage and what types of controls could’ve prevented that. It also helps when you’re trying to pitch to whoever the budget signers might be: here is an example of what goes wrong if the controls aren’t fully implemented or program not fully funded.”
Blyth also said working in state government created relationships with peers that didn’t exist for her in the private sector, crediting the National Association of State Chief Information Officers with fostering a “CISO community.”
“We are all facing the exact same challenge,” she said. “It’s awesome to interact and know each other.”
And while the CrowdStrike job will keep her on the CISO circuit, Blyth said she won’t be relocating from the state where her family moved when she was three months old.
“I’m never, ever going to leave Colorado,” she said.