Ryan Murray — who was named interim state CISO for Arizona this week — recently explained to Government Technology how cross-government collaborations and local support are key drivers of the state’s cybersecurity strategy.
CYBER READINESS AND GRANT PROGRAMS
Late last year, Arizona began providing free cybersecurity tools to local and tribal governments under its Cyber Readiness Program. The initiative aims to bring all public entities up to a minimum level of security, regardless of local resource constraints.
“There are absolutely haves and have-nots when it comes to cyber protections,” Murray said. “We were trying to find a way to level the playing field, so to speak.”
The state offers five types of support: advanced endpoint detection and response (EDR), multifactor authentication (MFA), web application firewalling, vulnerability assessments and security awareness training.
The state’s vulnerability assessments can alert local governments to software in their environments that is no longer maintained or patchable. This gives the entities a better understanding of their risks and can help IT teams make the case to executive leaders for replacing the old software.
The Cyber Readiness Program offers other advantages, too: having the state offer tools to local governments and field their implementation questions can foster tighter relationships across levels of government.
That kind of state-provided support is exactly what the federal State and Local Cybersecurity Grant Program (SLCGP) aims at as well, Murray said. Arizona intends to use the funding to expand the Cyber Readiness Program and fill any gaps in services and supports.
“We’re already doing what this program is intended to do, which is provide cybersecurity supporting services to our local governments that really can’t provide it to themselves,” Murray said. “So, we’re going to take this funding and just ramp our program up to 11.”
The state expects to finalize its cybersecurity plan this month — the last piece it needs to submit and get approved before it can receive the grant funds.
But even the current Cyber Readiness Program isn’t getting full use: not all local and tribal entities take advantage of the free tools.
The main obstacle appears to be personnel shortages. Even free tools take time to implement, after all.
“The majority of the concerns we’ve heard from our local government entities is, ‘I’ve got one IT person, and they’ve already got IT projects they’re doing. Now you want to give them five new things? How are they possibly going to implement those on top of all the other work that they’re doing?’” Murray said.
The SLCGP could potentially be used to hire temporary talent who can help local governments adopt the solutions.
“The biggest concern from our partners is, ‘I need help doing these things.’ So how do we use some of this money to buy professional services, to buy additional contractors, to maybe help them get some temporary work to get these things off the ground?” Murray said.
Arizona’s IT department has also been looking to help local governments cope with their limited IT staffing by assisting them in making connections with other entities able to offer support. That includes reaching out to see if neighboring local governments, local community colleges or members of other state agencies can share resources.
“We’re trying to crowdsource the heck out of this thing and provide that service and that support as much as we possibly can across the entire state,” Murray said. “…[For example], we can talk to other counties around them and say, ‘Look, your friends next door need some help. Can you guys help them deploy these tools?’”
ELECTION SECURITY
The state has also seen success in building collaboration around election security and working with the secretary of state’s office to connect county election officials.
“Historically, they’ve kind of just done their own thing,” Murray said.
But counties can benefit from sharing threat information and seeking assistance from each other.
During the last election, counties and the state were able to use a digital platform to stay in communication. This let them raise concerns in real time about potentially dangerous physical or cyber activity and request help from neighboring counties, the secretary of state or the state Department of Homeland Security.
The state also has been able to help coordinate regular meetings of local election directors, where they can discuss best practices as well as walk through hypothetical security threat scenarios and discuss response.
“Say, for example, someone walks over and tosses a Molotov cocktail in one of your ballot drop boxes — what do you do? How does that get handled?” Murray said. “We can talk about some preparation to respond to it, some potential defenses against it, and then our recovery efforts afterwards.”
CIO & CISO: SEPARATING CYBER FROM IT AND BUILDING THE WORKFORCE
When it comes to staffing, Murray said it makes a significant difference when organizations can have a dedicated cyber professional, separate from their IT leader.
“A lot of these organizations, they’ve got one person, and that person may be focused on IT and cyber and legal and everything else that goes on there,” Murray said.
When one person handles both cybersecurity and IT — or when cyber reports up to IT — the security message risks being deprioritized, Murray said.
“A lot of times, we’ll find that IT operations and cyber — there may be a conflict,” Murray said. “… CISOs are trying to drive that security mission, drive that risk-based mission. CIOs are focused on technology, pushing business processes, or innovating the technology platforms themselves.”
Arizona sought to sidestep this tension in state government by putting its CIO and CISO on equal levels. That kind of approach lets both perspectives advocate their concerns to business leadership, helping the organization make more informed decisions, he said.
For many public-sector entities, hiring a cyber professional — while a nice idea — can seem out of reach. The cyber workforce is famously in high demand, leading to a struggle to recruit.
Arizona is in the “infancy” stages of discussing whether universities and regional centers of excellence could assist local governments’ cyber defense, Murray said.
“We’re uniquely positioned here in the state that we have these relationships. We’re building this community, of being able to tie to some of those regional centers of excellence, those regional education centers, and reaching into those talent pipelines that exist there and then put those people right there in the regions that they live and play and work in, to help their communities,” he said.