Advice from Arizona’s CISO on Bringing a Whole-of-State Strategy to Life

Tim Roemer knows what he’s talking about.

As Arizona’s CISO and Director of the state’s Department of Homeland Security — he must defend Arizona against a wide range of cyberattacks — including complex, well-funded attacks from nations like Russia and China.

To do so, he’s implemented a whole-of-state strategy to cybersecurity.

In this piece, we’ll dig into the details of how Roemer has successfully brought this strategy to life, and the real-world ways that it’s made the state of Arizona safer.

Bringing whole-of-state cybersecurity to Arizona

This is part 2 of a two-part series.

In part 1, we detailed how Roemer has implemented a whole-of-state approach to cybersecurity in the state of Arizona. In this approach, state and local leaders “buddy up, come together, and start sharing resources, information, and best practices” to beat the bad guys together.

Roemer’s approach is working. Cybersecurity leaders at every level of Arizona’s government share real-time information. Roemer has a clear picture of what’s happening at the local level, local leaders are protecting themselves from state-level threats, and communication, collaboration, and comradery have all improved.

“When everyone knows your strategy — and you communicate it effectively — they come to the table very quickly, and we build good partnerships that keep us safer,” Roemer explains.

To learn more about how Roemer has implemented whole-of-state in Arizona, read part 1 here.

To dig into more details of Roemer’s approach and Arizona’s strategy, read below.

How a Cyber Command Center drives a whole-of-state strategy

Whole-of-state doesn’t just happen.

It requires a coordinated effort to connect, train, and centralize cybersecurity resources across multiple departments, roles, and levels of government.

To make this a reality, Roemer went beyond email chains and web portals. He built a physical Cyber Command Center to be the hub for all cybersecurity efforts in Arizona.

“The Cyber Command Center is located within our state Fusion Center, which is the Arizona Counter Terrorism Information Center (ACTIC),” Roemer explains. “This gives us a one-of-a-kind cyber capability that no other state has at this level.”

As Roemer explains, the Cyber Command Center serves multiple purposes and has improved multiple elements of Arizona’s cybersecurity efforts. It has:

• Improved incident response capabilities. “It gives us the ability to be under one roof with our National Guard response partners and our Department of Public Safety, and it’s increased our ability to collaborate with law enforcement and to share information with locals. This gives us surge capacity during cyber incidents and has been great for response from an operational perspective.”
• Created a home for cybersecurity training. “Real-world scenarios are coming at us quickly, and we have to stay ahead with proper training of our cybersecurity leaders and practitioners at every level of government. We now have a single, central, and effective training facility for all things cybersecurity, and we just didn’t have anything like it before.”
• Made a statement. “Symbolically, it shows everybody from around the state that when Arizona Governor Ducey said ‘Cybersecurity is Homeland Security,’ he meant it. We put our money where our mouth is. It helps us build trust with our local partners because they see us practicing what we’re preaching, and then they want to be part of these programs.”

Arizona’s new Cyber Command Center offers a tangible example of how a whole-of-state strategy can be brought to life, and solve significant cybersecurity challenges.

Three pieces of practical advice from Arizona’s program

In addition to building a physical Cyber Command Center, Roemer offers a handful of practical tips for other states implementing a whole-of-state cybersecurity strategy.

First, build support at the top.

“Start with a good relationship with your governor’s office,” Roemer says. “Make sure they know the needs of your cybersecurity teams within the state, and then make sure you effectively communicate what those needs are to your legislature.”

Second, secure the funding.

“Talk is cheap. You need to drive this with funding,” Roemer says. “A lot of people go around and talk cyber, but at the end of the day, you need resources to do it. We traveled the state early on and we did great threat briefings to get financial support.”

Finally, listen before you speak.

“What would I say to any state going down this path? We listen first,” Roemer shares.

Roemer’s early days traveling the state and speaking with local leaders defined what direction the whole-of-state program needed to take to help everyone at every level.

“A lot of local governments said, ‘Great job! You really scared my mayor, now he thinks cybersecurity is a big issue, but we still don’t have any funding to be able to help us’,” Roemer says. “And they were also asking us ‘What tools are you using? Can you help me get them with the state’s purchasing power, because I was quoted at a higher rate than you were?”

Listening to local leaders first — instead of coming in and telling them how the program was going to work — highlighted the core challenges of tooling and funding that Roemer architected his whole-of-state program to solve.

“The grant program came from getting out of the office, developing relationships with locals, and listening,” he says. “We didn’t — out of the blue — decide to give away our cybersecurity enterprise tools to people around the state.’ No. We heard from them what they needed, then we built our whole-of-state strategy to give it to them.”

Three areas where whole-of-state has made Arizona more secure

Roemer shares two areas where an effective whole-of-state strategy has meaningfully improved Arizona’s cybersecurity capabilities.

1. Accelerated Incident Response

“One of the hardest things about responding to a cyber incident is doing so quickly, because minutes really matter,” Roemer explains. “We need to respond quickly, with as few surprises and delays as possible — and whole-of-state lets us do that.”

For Roemer, whole-of-state accelerates incident response by building the relationships you need to tap during an incident before the incident occurs.

“With the whole-of-state approach, we know who we’re working with, and they know us,” he says. “They know who’s going to be responding. We have the MOUs and NDAs signed. We’re practically on a first-name basis. Having these relationships in place lets us share resources and work together during an incident to resolve it fast.”

2. Closing the Cybersecurity Skills Gap

“Workforce development is probably the single biggest cybersecurity challenge worldwide,” Roemer explains. “Not having enough people with the right skills contributes to every other problem that CISOs are struggling with.”

Roemer’s found a whole-of-state approach helps to solve the cybersecurity skills gap.

“Whole-of-state is all about collaboration and teamwork,” Roemer says. “If you lack a few cybersecurity FTEs, you’re going to be in a better position with a whole-of-state strategy because you’re sharing resources and information, you’re working smarter to address the issue, and you can leverage skills from other larger, fuller teams.”

3. Making Government Cybersecurity a Fair Fight

Roemer noted in part 1 of this series that even small municipal governments might come under attack from entire nation-states. Whole-of-state evens those odds.

“By coming together, we become one large team,” Roemer explains. “An attack on a local school district in Flagstaff, Arizona, is an attack on me, the CISO of the state. They may feel that they’re at a huge disadvantage, but they’ve got others in their backyard with the State of Arizona assisting.”

And the more local groups join the whole-of-state program, the bigger the support becomes for every member of the government’s cybersecurity efforts. “Beyond the state level, I’ve also got 15 counties to back me up, and that’s not even counting the cities and school districts,” Roemer says.

For Roemer, this final point is key for driving home the benefit of whole-of-state.

“This is why whole-of-state is so important when it comes to tackling modern cybersecurity problems — from solving workforce development challenges to pushing back against nation-state attacks. It makes cybersecurity a much fairer fight for everyone.”

---

Want to learn more? Take a deep dive into whole-of-state cybersecurity.