Roemer spent 18 years in the public sector. He told Government Technology that he decided last year that he would switch to the private sector once former Gov. Doug Ducey’s tenure ended.
At ThriveDX, Roemer will take a different angle to tackling some of the cybersecurity challenges he’d wrestled with while at the state.
“Having that talent pipeline to be able to recruit and retain cybersecurity talent” was one of his greatest challenges as CISO, Roemer told GovTech. “Two of the biggest areas that will give you the best return on investment and make the biggest difference in cybersecurity ... are training up the quality and quantity of our cybersecurity workforce nationwide. We simply don’t have the talent and the numbers, the resources out there.”
While with Arizona, Roemer was able to add six new cyber positions. But his recruits came from other government entities, leaving vacancies behind them in entities like the Department of Corrections, Department of Revenue, National Guard and the city of Phoenix, he said.
Shuffling the cybersecurity workforce like this leaves gaps: “In cybersecurity, one organization steals an employee, and then another organization gets hit because they don’t have the adequate workforce.”
Roemer said the talent pipeline needs to be widened through trainings and upskilling and reskilling offerings, especially those that can reach beyond traditional candidate pools to bring more diverse perspectives into the field.
Online boot camps are a fast way to train up new entrants to the field and can be a more accessible option for those whose circumstances may not suit studying at university, Roemer said.
“There’re great university cybersecurity programs out there, but they’re not producing enough students every year to be able to make a dent in the actual number of cyber vacancies around the country,” Roemer said.
As for upskilling, virtual employee trainings can be easier to schedule than those that require staff to go on-site to cyber ranges.
It’s not just the cyber professionals who need more training options. Any staff members’ slip-up could give attackers an advantage.
There are plenty of ways for mistakes to occur, Roemer said: “It’s an account compromised by poor cyber hygiene. It’s somebody clicking on a phishing email. It’s somebody at the working level who didn’t patch or misconfigured a firewall or any number of things that are human error.”
As CISO, Roemer mandated cybersecurity awareness trainings for all state employees, and upped the frequency and difficulty of phishing tests to keep everyone vigilant.
Organizations also need to stay on top of evolving social engineering tactics. That now means looking beyond just email-based phishing to also raise awareness about similar schemes sent through text message, a ploy known as smishing, he noted.
4 YEARS AS CISO
Roemer wasappointed CISO in 2019. As he looks back at his tenure, he’s particularly proud that the state grew its cybersecurity team, took a whole-of-state-government approach and established the state Cyber Command center.
The state also put a spotlight on cybersecurity and brought it under the umbrella of homeland security. That shift saw Roemer gain the unusual distinction of heading the state Homeland Security Department while also retaining his role as CISO. His successor at Homeland Security may not follow in this path, however, and could appoint someone else to the CISO position, Roemer said.
If Roemer were to give advice to the next CISO, it would be to listen to other agencies that will be impacted before making decisions, and to avoid feeling wedded to vendors that are no longer meeting needs.
“There’s a lot of government organizations out there that are afraid of change, because it’s time-consuming to learn a new tool. It’s time-consuming to go through a new procurement process,” Roemer said. “[But] if one tool isn’t providing you the service that you need and the caliber that you need, you have to re-compete that — you have to give somebody else a shot.”