Washington state CISO announces retirement from government
Ralph Johnson, who has spent the last three-and-a-half years as Washington state’s chief information security officer, announced in a LinkedIn post on Friday that he’ll step down from his role in September.
Johnson joined Washington Technology Solutions, the state’s information technology bureau, at the end of 2022, after a short time heading cybersecurity operations at NantMedia Holdings, a media and publishing company that counts among its publications the Los Angeles Times and The San Diego Union-Tribune. He also spent three-and-a-half years, ending in 2021, as CISO of Los Angeles County, and nearly 18 years in King County, Washington, which contains Seattle, where he ended his time as the county’s CISO and privacy officer.
In his post, Johnson called his time with the state a “privilege” and remarked upon his “outstanding colleagues” before commenting on the work: “Cybersecurity has never been just a job for me. It has been a mission, a responsibility, and a professional community that I care deeply about. The work we do to protect systems, data, public services, and the people who depend on them matters.”
Johnson said he’ll stay involved in cybersecurity, providing “advisory services to public-sector and regulated organizations.” Much of Johnson’s career has been oriented around notions of service, facilitated not only through roles in government, but teaching. He spent seven years as an instructor at the University of Washington’s Information School, teaching a capstone course in information security and risk management, and he spent nearly two years as an adjunct instructor at ITT Technical Institute, the private, for-profit chain of schools that closed in 2016.
In May, as a guest on a podcast hosted by Washington state’s chief information officer, Bill Kehoe, Johnson ran down his main responsibilities. (Kehoe had, in his characteristically dry manner, asked Johnson to describe his job for the podcast’s “millions of viewers.”) These included setting statewide security standards, running a security operations center, monitoring network traffic, looking for cybersecurity threats and heading the state’s cybersecurity incident response team. “We manage risk,” Johnson concluded.
When asked to compare his role with the state with other jobs he’d held, Johnson noted that “as a state CISO you have a much larger breadth of responsibility” and that changes to security controls were typically facilitated through navigating relationships with other agencies, as opposed to fiat, as they might be in the private sector or in smaller counties. “In a lot of ways, if I said we needed to make a change in a security control, we simply made the change,” Johnson said of a past job in the private sector. “I didn’t have to justify it to too many people.”
Johnson said the biggest challenges facing state and local cybersecurity operations today include government’s difficulty in competing with the private sector for staff and the diminished support from the federal government. State governments are trying to step up and help their local governments, often without additional funding, he said, but they sometimes run into barriers. Johnson said vendors have sometimes prohibited him from sharing their proprietary threat intelligence with the state’s local governments.
Artificial intelligence, meanwhile, has “allowed attackers to do what they do even better,” he observed. “It’s lowered the bar to entry for attackers,” and made it harder to detect phishing emails, which were once riddled with spelling and grammar errors. But, he said, AI is helping state governments, too: “Our telemetry input is so vast, we need AI, we need automated analysis tools to look at all that telemetry and give us information and help us dissect it and triage our issues and eliminate the noise.”