Arizona isn’t the only state that has rethought its cybersecurity structure. Traditionally, CISOs have been senior-level executives that oversee the development, implementation and maintenance of information security programs to protect enterprise systems. However, as security threats — from ransomware demands to attacks on critical infrastructure — have become more advanced, the position has changed to meet those needs.
For example, when gov tech veteran Phil Bates first took on the role of Utah CISO in 2015, he said, “your typical adversary were groups like Anonymous. Then over time, I think the criminal elements saw that there was a lot of money to be made in [attacking government agencies], and it really changed the game overnight.”
After that, he added, nation-states started getting behind this trend as well, and the number of cyber attacks against U.S. public-sector organizations increased exponentially. Essentially, Bates explained, the threat landscape is always changing, and governments need to adapt.
For some states, this has involved CISOs moving out of the IT department and into other areas like homeland security or emergency management. For others, it means keeping the traditional CISO role and adding new cybersecurity-related positions to work in partnership with them. This signals a trend not only in how seriously governments are taking today’s cyber threats — homeland security is a far cry from a technologist embedded within the IT department — but whether one person is sufficient to lead the wider state cybersecurity enterprise.
NEW JERSEY
“You better have roller skates on to keep up with everything that’s happening,” Geraghty said. “It’s fast paced, but I’ve been in this role for almost six years now, and I wouldn’t want it any other way.”
Geraghty first joined the state in 2016 as NJCCIC director, tasked with monitoring security outside state government, including critical infrastructure, K-12 and higher ed, and local jurisdictions. He added the CISO role in March 2017.
As CISO, his job focuses on everything internal for the executive branch, including different departments and agencies, Geraghty explained. Holding both positions “provides a 360-degree view of the threat environment,” he said. “I can tell you that the threats that state government is getting are also hitting the energy sector, the water sector, small businesses, municipal governments and the like. So, putting all that together provides us with situational awareness and some threat intelligence, which is a big advantage.”
Like a small handful of other states, including Arizona, New Jersey’s reporting system for cybersecurity is somewhat new. As CISO, Geraghty reports to the head of the state’s Office of Homeland Security and Preparedness (NJOHSP), Laurie Doran. Plus, as director of NJCCIC, he oversees staff from the Office of Information Technology, NJOHSP and the state police.
Both Doran and Geraghty handle cybersecurity efforts, but their roles and approaches differ in a few ways. Doran and her team, for example, lead and coordinate New Jersey’s counterterrorism and preparedness efforts, which includes overseeing the state’s broader cybersecurity mission. Meanwhile, Geraghty focuses on developing and executing the state’s cybersecurity strategy.
“The roles intersect in our overall mission to help ensure the safety and security of New Jersey’s residents, visitors, businesses and government at the state, county and local levels,” Doran said via email. “I’m continuously communicating with the CISO on cybersecurity matters, especially in those instances where these threats may impact our preparedness and counterterrorism efforts.”
From Geraghty’s perspective, this mission is a constant work in progress.
“There’s not one point that we can say we hit the finish line, and we’re successful, because the attack surface continues to grow, and the threat actors continue to evolve,” he explained.
To anticipate these everchanging threats, Geraghty and his team are working on several areas to help safeguard the state.
“One of the things that we’ve done is we’ve grown over time, and we’ve been scaling to meet that growth, so automating a lot of things is something that we’re doing,” he said.
Another focus area is K-12 security, like cyber camps for high school students and training for teachers on how to teach cybersecurity in schools.
“I think the one thing everybody needs to know is that we’re all in this together,” Geraghty said. “What we’re starting to do is reach across the state boundaries and share that information and resources, and that collective defense is making us stronger and more capable.”
INDIANA
Indiana also has two dedicated leaders over cybersecurity: the state CISO and the cybersecurity program director. Unlike New Jersey, however, the roles fall under two different areas within the state government.
Chetrice Mosley-Romero is Indiana’s cybersecurity program director, a role created in 2017 under Gov. Eric Holcomb through an executive order that also formed the Indiana Executive Council on Cybersecurity. Mosley-Romero’s job is formally part of both the state’s Office of Technology (IOT) and Department of Homeland Security. However, she explained that her role serves as a shared resource for six agencies: the governor’s office, the lieutenant governor’s office, IOT, the Department of Homeland Security, the Indiana National Guard and the state police. She oversees the development and implementation of programs like the state’s Cyber Hub website and focuses on other efforts outside of state government.
The state CISO, Hemant Jain, falls under IOT alone. While his role used to focus internally, in the past several years it has evolved to also include Indiana’s cities and counties, “since local governments tie directly into the backbone of our state’s infrastructure,” Mosley-Romero said.
Despite having different areas of responsibility, Mosley-Romero and Jain work together “hand in hand” to reinforce the state’s security.
From Jain’s perspective, the director role is part of a larger effort to achieve a whole-of-state cybersecurity approach.
For instance, he said, when the executive order came about that created Mosley-Romero’s position, the governor’s executive council was more externally focused on partnerships with higher education, regional businesses and so on, whereas IT staff were more internally focused. Things started to change as the state began elevating business risks and talking about more strategic elements.
“You can’t just have the security team on the side or on the fringes, and you can’t have the operational team doing their own thing,” Jain said. “We really have to collaborate and work together.”
“We’re taking a look at some of the grant opportunities that are there, some of the initiatives from the NGA [National Governors Association] and the IIJA [Infrastructure Investment and Jobs Act], and the funding that’s coming in to see how we can level up the entire state,” he added.
For Mosley-Romero, the focus of her role is understanding all the missions of the state agencies that sit on the Indiana Executive Council on Cybersecurity, not just the government’s core agencies. “The advantage of this is being able to break down walls and barriers to help each agency get the help and resources they need,” she explained.
But as one might expect in a situation with a cyber leadership structure like Indiana’s, sometimes there’s confusion about what falls under the purview of the CISO and what is part of the cybersecurity director’s job, a “frustration point” that Mosley-Romero said has been resolved thanks to her frequent communication and collaboration with Jain.
As for what’s next, the state is focusing on building resiliency and ensuring that agencies and local governments are secure.
“How do we make sure that no agency is left behind, but whatever we do has enough scale and synergy where it’s not just for the few buildings we have here on our campus but reaches the town level, municipalities, counties and locals?” Jain said. “We need to make sure that they’re just as secure if not better because we all interchange data with one another.”
ENTER THE CYBER ADVISER
In another variation of this new era of security roles, states like Ohio and New York have added “cyber advisers,” positions independent of the traditional CISO.
Ohio Gov. Mike DeWine created the cybersecurity strategic adviser role earlier this year to help guide the state’s wide-ranging cybersecurity efforts across agencies, including the Adjutant General’s Department, the Ohio Department of Administrative Services and the Ohio Department of Public Safety. Kirk Herath, who has served as the chairman of the state’s CyberOhio initiative since 2019, was appointed to the post.
Herath pointed to three main components of the cyber adviser role in his state: coordinating with state agencies to secure the overall network; conducting a comprehensive assessment of the state’s capabilities to see what can be improved, which is part of a larger effort to help local Ohio governments better defend against, respond to and recover from cyber attacks; and developing the state’s cybersecurity workforce and identifying and implementing funding for potential programs to help secure Ohio.
At the end of the day, Herath said, “the CISO is more operational, and my role is kind of at a broader level of statewide governance.”
New York has a similar model. Gov. Kathy Hochul appointed Colin Ahern to be the Empire State’s first chief cyber officer this past June, and the new role was envisioned as one that would take a high-level view of state security, leaving the CISO, a position now held by Chris DeSain, to keep state IT systems locked down. And while DeSain is part of the New York Office of Information Technology Services, Ahern reports to Kathryn Garcia, the director of state operations.
“My role is located within a part of the organization called the executive chamber,” he said. “Basically, I take a broad view of the challenges from a cyber perspective and look at how we can address these challenges and bring in opportunities for New Yorkers to lead better lives.”
Taken altogether, these newer roles — cyber directors, advisers and the like — and reporting structures point to a similar notion: The task of supporting the daily operations of maintaining security across a state network while trying to take a 30,000-foot view of the broader threat landscape is no small feat. In many cases, two heads leading the charge may be better than one.