Former Arizona CISO joins cyber training firm
Tim Roemer, who stepped down earlier this month as Arizona’s chief information security officer and homeland security director, recently joined the cybersecurity education and training company ThriveDX as president and general manager of its public-sector division.
In an interview with StateScoop, Roemer said he’ll be working with government organizations to develop cybersecurity training programs ranging from anti-phishing drills to skills development courses.
“Everyone who works in cyber tells me that the biggest thing holding us back is having enough of a talented workforce,” he said. “We need to raise the bar of our human firewall. We need to create a culture of cyber in every organization.”
‘From 16 to 36,000’
Roemer, a longtime adviser to former Arizona Gov. Doug Ducey, was named CISO in 2019, and in early 2021 he was given the additional role of director of the state Department of Homeland Security when cybersecurity was folded into that agency. Ducey, a term-limited Republican, was succeeded Jan. 5 by Democratic Gov. Katie Hobbs. Before joining Ducey’s administration, Roemer worked as a CIA analyst and watch officer in the White House Situation Room.
Roemer said Thursday that one of the most effective ways for government organizations to better defend themselves is by stepping up routine cybersecurity training exercises. He said that shortly after his appointment as CISO, he mandated training for all 36,000 state employees and increased the frequency of phishing tests from yearly to monthly.
“I grew my cyber team from 16 to 36,000 because we got them informed to know what to look out for,” he said.
But, Roemer said, he was sometimes frustrated by the quality of training products available. He said that at ThriveDX, he’d like to develop programs that are customizable to fit different public-sector entities and that hew more closely to the interests of the officials overseeing the training, like a CISO or chief information officer.
“Candidly, I haven’t been that satisfied with training companies in the past,” he said.
Headquartered in Miami, ThriveDX was founded in 2006 by veterans of the Israel Defense Forces elite cyber team, Unit 8200, which has spawned numerous other cyber and IT firms worldwide.
“I’m confident that Tim’s extensive skills and expertise from some of the most prestigious organizations in the nation will play an instrumental role in helping us close the critical skills gap in the cybersecurity workforce,” ThriveDX’s co-founder and executive chairman, Dan Vigdor, said in a press release.
‘Robbing Peter to pay Paul’
Roemer told StateScoop he’d like to help other states follow the “Arizona model,” which he described as a strategy that builds up cybersecurity across the enterprise, from expanding a centralized operations center to increasing funding for state and local efforts. Arizona’s budget last year included $10 million for local cyber grants — about three times what the state will receive in the first year of the federal government’s new grant program — and without any requirement that recipients put up matching funds, Roemer said.
“I’m not saying we had all the answers, but we worked on a whole-of-state approach,” he said.
But Roemer also said the challenge for government is finding enough people to be cybersecurity practitioners. He said that when he was filling out his own team in the state CISO’s office and Homeland Security Department, he would often hire them away from other agencies or local governments.
“I’d have to steal from the National Guard, the Department of Corrections, Department of Revenue, City of Phoenix,” he said. “And the private sector steals from me. In the cybersecurity industry, we are robbing Peter to pay Paul. The problem is we continue to fail at developing a cyber workforce capable of filling vacant jobs.”
In addition to its workplace training programs, ThriveDX runs bootcamps in several fields at universities around the world. Roemer said he’s hoping to find at least one academic partner in every state, with an eye on creating a more diverse cyber workforce.
“Cyber lacks diversity more than maybe every industry, and I mean every kind of diversity,” he said. “We know no matter what issue you’re trying to solve, you bring in different perspectives, diversity is going to help you be more productive.”
He said ThriveDX’s partnerships to achieve that could include historically Black colleges and universities, organizations like Girls Who Code and job-placement programs for veterans leaving the military.
“Government can fund these programs and we can provide the training,” Roemer said. “Something needs to be done, we just need more organization at the government level.”