STATETECH: Does Arizona’s Statewide Cyber Readiness program strive to bring local agencies to some sort of baseline level? Can you describe how you view success?
Murray: Yes, we are trying to bring everyone up to a baseline level. We want to level the playing field across the state of Arizona to where at least the government is doing the basics well. That could involve some sort of advanced endpoint protection, making sure we are protecting against malware, providing multifactor authentication tokens to hopefully prevent remote access attacks, or providing a system for them to patch and to understand their vulnerability exposures.
We also provide security awareness training and phishing campaigns for all of those users. As we know, most of the attacks that we see are because of system user misconfigurations or phishing attacks. We must inform people as to what the attacks are and why it’s important to pay attention.
It’s really about prioritizing the bare necessities and ensuring that those are getting distributed everywhere.
We absolutely have found success. Several of these entities have been hit with security incidents that have been impactful in the past. But now they have deployed our tools. And we have seen things happen but they have not been impactful. The attacks are stopped. Previously, it would have been a really bad day for them. But now, an incident may impact one workstation or impact one user and then things are locked down and things are cleaned up. Previously, there would have been nothing to prevent that from taking out the entire department. For me, that’s a win.
STATETECH: How do you make sure you are getting to everyone? I imagine that there are some local government agencies that come to you and ask for more help, and then others that don’t engage.
Murray: We are doing a ton of outreach. I literally drive around the state to talk to cities and counties. We did several marketing roadshows where we visited every region of the state to talk about the resources available and how governments can participate. We let them know the program exists and thank them for participating. We also do a lot of listening. We figure out what the pain points are and see how to help and to plan to achieve a future state.
STATETECH: I read a StateScoop interview where you talked about working with the private sector as well. When we talk about working with the private sector, is it more complex than simply contracting? Can you give us some insights on that?
Murray: There are two pieces to that. One is all of the tooling that we are working with, partnering with vendors to be able to obtain these high-powered, sophisticated defense tools that we wouldn’t have otherwise. I am certainly not going to hire a bunch of developers to program solutions when there are proven tools available commercially. So, we work with our vendors to provide these services to us and our partners.
The other piece is information sharing. We talk a lot about how we look at the entire state of Arizona as one attack surface. An attack against one of us is an attack against all of us.
If a private sector organization is being hit with a cyberattack, we want to be able to share that information to other private sector organizations and to the state government and to the federal government so that we can have a holistic perspective on what the true threat to the state looks like and then better protect everyone else.
We partner with an organization called the Arizona Cyber Threat Response Alliance to act as a bridge between the private and public sectors so that we can gather and share information.
We are all seeing the same thing and we are all being attacked by the same actors. Let's share the information so that we can better protect each other.
MORE FROM STATETECH: State and local agencies improve customer service for citizens.
STATETECH: What are your goals for the near future?
Murray: The big grand vision is covering all local government entities everywhere across the state of Arizona with all of the tools that we can provide. Right now, we have finite dollars that don’t allow us to do that. We have to prioritize which agencies we can help. Right now, we are good with everyone who has applied and been awarded assistance.
We are deploying licenses to them without restriction. That said, next year we may run out of licenses. Then we may start saying, “We don’t have anything that we can provide to you at this time.” So, as usual, we need more money to make this thing as big as we want it to be. That’s at the top of our list.
Second, and this is probably the No. 2 pain point that we hear from our local government entities, is human resources. They need additional help managing these tools and actually paying attention to them once they have been deployed. A lot of times, we may see an organization like a small school district where they have one person doing all of the IT, and they cannot handle managing cybersecurity tools on top of all of the other stuff that they have been doing.
So, we use funds and resources both internally from our team to help and from additional partners such as Amazon Web Services and CrowdStrike to provide some professional services, contract services and staff augmentation where it makes sense to keep everything flowing and moving.
STATETECH: Is there federal cybersecurity grant money in the pipeline to help fund these initiatives?
Murray: Yes, that is exactly what we are doing with some of the funds that are coming from the feds. We already have bought the tools that we want. We are already using them. We are using state dollars to purchase all of that.
Knowing that we have most of the tools and licenses, we are using federal money on the professional services side and for additional support and services to amplify what we are doing. Those funds are only good for the next four years. Who knows what that is going to look like in the future.
STATETECH: A lot of folks have talked about shared services as a good use of those funds and for sustainability.
Murray: That’s exactly what we are going to do. And CISA and FEMA are pushing for states to deploy statewide centrally managed shared services as opposed to giving out dollars. It doesn’t make sense for a small city to request $5 when they could get $100 worth of services from me for the same amount.
We are providing this stuff at no cost to local entities, which I think is unique. A lot of states are looking at chargeback models or cost sharing or something like that. But we wanted to make this as low-friction for the local entities as possible and drive up adoption as much as we possibly can. I don’t think it should be a matter of how much money you have in order to have these cyber protections. So, it’s important for the state to take on that border and alleviate that cost for local governments that may be struggling already.
Keep this page bookmarked for our coverage of the NASCIO 2023 Annual conference. Follow us on X, formerly known asTwitter, at @StateTech and the official conference Twitter account, @NASCIO. Join the conversation using the hashtag #NASCIO23.