Please tell us a bit about yourself, your background, and your journey of becoming a CISO for the State of Arizona.
I am a 27-year cyber security veteran with experience in large-scale data center projects, information security and assurance, and a strong networking background. My journey unfolded over the course of many years across several organizations, but I have always had an eye for detail and outside-of-the-box thinking. I have held the roles of Security Specialist, Security Manager, and CISO over the course of my career. All of the environments and partner interactions throughout my career have helped prepare me for the CISO role because it is much more than technology and people – it is about culture, business continuity, integrity and protection.
What are some challenges and top cyber risks you deal with as a CISO of a state government?
CISOs deal with staff vacancies, talent retention and burnout across the board; however, the cyber risks vary by industry. A state government has regulation and compliance concerns as well as the responsibility to protect citizen data and provide key public services. Some of the more prominent cyber risks include malware and ransomware, but I would say it expands out into overall information protection and availability.
What are the most significant changes you’ve experienced in your business as a result of the increase in cyber attacks in recent years?
Keeping up with the changes in threat vectors with limited budget flexibility. We all get asked to do more with less, but that is not infinitely sustainable. Budgets may be locked into specific categories or containers, and it is difficult to reallocate those funds to competing technologies or solutions. Cyber attacks are becoming increasingly complex and many times have multiple layers, which makes them more challenging to defend against.
What technologies are you currently most excited about or most worried about in terms of cyber risk and why?
Artificial Intelligence / Machine Learning. I think there is a lot of potential for significant gains in automation and consistency, but any time a technology can be used to enhance services or increase effectiveness – it can also be used against the organization by an attacker. The risks favor the view of the observer. If you are defending an environment it may be a risk to not deploy protective layers, but if you are attacking an environment it may be a risk to utilize tools and scripts for fear of discovery or worse, blocking and eradication. AI / ML have the ability to reduce or increase the workload, depending on which side of the fence a person is on.
On a more personal note, what advice would you give to your 21-year-old self?
Never assume you are the smartest person in the room. Take time to listen to others and ponder on their point of view or perspective. Keep a level head and search for the big picture, and always solve the correct problem.