Arizona’s CISO and Homeland Security Director Explains How a Whole-of-State Strategy Can Hold Off Cyberattacks

Tim Roemer — Arizona’s CISO and Director of the Arizona Department of Homeland Security — must solve a large set of problems.

He must secure the state against cyberattacks from national militaries.

He must defend against a large attack surface filled with ever-growing vulnerabilities.

And he must do so across a complex, fragmented set of agencies and institutions.

His solution? Implement a whole-of-state strategy across Arizona.

Here is Roemer’s story.

Cybersecurity is Homeland Security

Roemer began his career with “one really good internship” with the CIA. He was passionate about counterterrorism and spent 10 years with the agency.

During the final two years of his tenure, he gave national security updates to the President, Vice President, and National Security Council. Those meetings exposed him to the reality of nation-state cyberattacks and the importance of cybersecurity.

Roemer left the CIA and returned to his home state of Arizona. “I wanted to work on security issues that affected friends and family in my own backyard,” he explains.

He first worked as the deputy director of Arizona’s Department of Homeland Security and was eventually appointed the state’s CISO and Director of the Arizona Department of Homeland Security.

When he took on these roles, Roemer received a mandate from Arizona’s Governor Doug Ducey — expand statewide cybersecurity and bring it into the Department of Homeland Security. “He told me ‘Cybersecurity is Homeland Security,” Roemer says.

Here’s how Roemer did just that, and what he’s learned along the way.

“In state and local cybersecurity, we’re expected to hold off national militaries with unlimited resources from around the world — all day, every day.”

Fighting a battle with no borders

Why Cybersecurity Matters to States Like Arizona

In some ways, the deck is stacked against Arizona’s cybersecurity leaders, and they must meet a far different set of expectations than physical security leaders.

“In no way is the State of Arizona expected to defend our physical border from a nation-state,” he explains. “If Russia was physically trying to invade Arizona’s southern border, I don’t think people would expect us to be able to hold them off.”

The opposite is true for the state’s cybersecurity efforts.

“In cybersecurity, we’re expected to hold off the Russian military, as well as the Chinese, the North Koreans, the Iranians, you name it,” Roemer says.

This creates a fundamentally different set of pressures for Roemer and his teams.

“This is why cybersecurity is so important right now — because it has no borders,” he explains. “People can attack you with unlimited resources from around the world, and you have to defend against all of it — all day, every day.”

To meet these expectations — and to secure his state against a wide range of well-funded global attackers — Roemer needed to make a bold move.

Here’s what he did.

Bringing a “whole-of-state” cybersecurity strategy to Arizona

Arizona’s Governor Ducey didn’t appoint Roemer to just keep the trains on the tracks. He appointed Roemer to transform how the state approached cybersecurity.

“The governor appointed me to break the status quo and to try new things,” Roemer explains. And that process began with an honest evaluation of the current affairs.

“I’m a big believer that you need to know your strengths and your weaknesses,” he says. “You can play to your strengths, but your adversaries are coming after your weaknesses — and I knew we had weaknesses and vulnerabilities they could exploit.”

Like nearly every state, Arizona had a fragmented approach to cybersecurity. Each agency and institution used its own processes and tools, and best practices built at the state level were not reaching the local level, and no one communicated enough.

Thankfully, Roemer had a solution.

“I saw that implementing a whole-of-state approach would help everyone,” he explains. “If state and local leaders could ‘buddy up,’ come together, and start sharing resources, information, and best practices, then we’d be in a better position.”

Whole-of-state is an emerging security strategy. In it, leaders at every level of a state’s government collaborate around security issues. The strategy has many goals, but for Roemer, a successful program came down to one thing — increasing teamwork.

“Cybersecurity is a complex problem, and no one has all the answers,” he says. “Whole-of-state is important because it’s about teamwork. It’s about collaborating and bringing the good guys together to fight back against the bad guys.”

Here’s how Roemer brought whole-of-state to life in Arizona.

Making whole-of-state real: Focusing on four key elements

Roemer built a successful whole-of-state program by focusing on four elements.

1. Adopt a flexible, long-term mindset

“Whole-of-state — and cybersecurity in general — is a work in progress. We’re fighting an evolving threat, and it changes every single day. The moment that we think we have it all figured out is the moment when we’re going to get hit,” Roemer says.

2. Build relationships before you need them

“You need to get out of your office. You need to meet people and develop enough trust and collaboration to bring more people to the table — and you have to do it ASAP. We always say within our field, ‘You can’t be passing out business cards in an emergency. At that point, it’s too late,” Roemer says.

3. Figure out the funding

“You need a grant program. Thankfully, Governor Ducey saw what we were up against in cybersecurity, and we came up with $10 million per year to help school districts, tribes, city and county governments, and everyone else build cyber resiliency,” Roemer says.

4. Keep governance top-of-mind

“We have a cyber grant task force that’s a two-way street. We listen to locals about their needs, we provide them with solutions, and we find ways to implement those solutions. Our committee and task force travel the state to have those conversations, to pair the right tools with the right organizations, and to make sure those tools work,” Roemer says.

Take a deep dive into whole-of-state cybersecurity.

Arizona’s whole-of-state goals and outcomes

Roemer’s carefully watching his whole-of-state program and evaluating its success against a handful of critical goals and outcomes. These include:

• No incidents. “What I really want to show is zero successful cybersecurity incidents against our local governments.”
• Faster remediation. “We want to accelerate our ability to identify and remediate our vulnerabilities.”
• Measurable improvement. “We want to use metrics to paint a picture about how we’re helping organizations better secure themselves than before.”
• Full utilization. “We hope to see local governments spend every dollar that the state has given us.”
• More funding. “My goal is to start with the $10 million, prove it’s effective, show we’re getting good ROI, and then advocate for more funding.”

Already, Arizona’s whole-of-state program has generated some meaningful benefits — especially when it comes to information sharing at different levels of government.

“I can’t protect 7.5 million Arizonan’s data from an attacker I don’t know about,” Roemer says. “But with whole-of-state, we’re now sharing information in real time. I’m stronger as a CISO because I know what other people are seeing, and locals are better protecting themselves from attacks we’re seeing at the state level.”

Lessons learned: The need for clear strategy and communication

Building a whole-of-state program has been a daily learning experience for Roemer.

“I’ve just tried to be a sponge and learn everything I can,” he says.

Yet two big lessons stand out for Roemer.

“You have to build comradery amongst the team,” he explains. “Cybersecurity is a very stressful arena to work in right now, and its challenges are extremely difficult. It’s critical to make sure the entire whole-of-state team knows why we’re doing it, what’s at stake, and how we’re going to combat our threats.”

For Roemer, building this true team effort depends on one thing — communication.

“You have to effectively communicate what the strategy is,” he says. “We found that anytime someone didn’t support this program, it was because they didn’t know who we are, what we’re doing, why we’re doing it, how we’re doing it, and what tools we’re giving them.”

Ultimately, the two lessons work hand in hand.

“When everyone knows your strategy — and you communicate it effectively — they come to the table very quickly, and we build good partnerships that keep us safer,” Roemer says.

---

This is part 1 of our interview with Tim Roemer, Arizona’s CISO and director of the state’s Department of Homeland Security. In part 2, we will explore more details of Arizona’s whole-of-state program, including how they share information through a central command center and how their program has improved incident response.