NASCIO 2023: Arizona's Ryan Murray Outlines Whole-of-State Cybersecurity

STATETECH: Can you speak to the benefits of such a structure?

Murray: One of the major benefits right off the bat is elevating the message of cybersecurity. It’s no longer the case that the CISO is subordinate to the CIO and that the CISO reports to the CIO. When that happens, there are potential conflicts of interest and there is competition for budget. The CIO is focused on digital transformation and modernizing technology stacks. The CISO is not focused on those things. Sure, they are enabling them and helping to do those things. But their missions are fundamentally different. 

There is potential conflict if the CISO is subordinate to the CIO and you are fighting to divide up the same pot of money. Things are going to get dropped. 

In the state of Arizona, we made those two positions peer positions several years ago, so the CIO and the CISO report to the same person, which was a really good start. Now, it’s a conversation with two people on equal footing sitting at the table to talk to their leadership about what’s important in IT and cyber. 

Moving the CISO out of the administrative organization has helped to level up the message. The state CISO became a director-level position talking directly to the governor about cybersecurity and everything else going on. 

It may be a tagline, but it’s also true: Cybersecurity is homeland security. It’s no longer just a technology problem. We are focused on critical infrastructure and sharing intelligence and supporting our local government entities. It’s more than patching that server in the state government IT office. There’s so much more to it.

I feel like it’s been incredibly successful. I have a great relationship with our state CIO, J.R. Sloan, and his team. It’s always going to be a companion relationship because technology is always involved in what we do in cybersecurity. We benefit from being able to partner to do that work rather than having it be subordinate.

READ: Arizona CIO J.R. Sloan discusses accomplishments, capabilities and StateRAMP. 

STATETECH: Does this help to make your funding arguments less painful?

Murray: State government funding is always going to be painful. You have to argue why your thing is the most important thing in the room at a given time. That said, cybersecurity is not just a buried line item now that we direct the mission to the governor’s office and we have that as an executive priority and we are not now competing for those abstracted dollars that go to the Department of Administration or the enterprise technology team. It’s not deep in the budget report; it’s literally the entire budget of what my division does. We can say that we are spending X number of dollars on enterprise cybersecurity to support our state agencies as well as our local governments instead of saying that X number of dollars went to the Department of Administration and we don’t know at a glance how much went to cybersecurity.

Having a clear message certainly helps: This is exactly how much we are spending on cyber. We can go directly to the legislators, the decision-makers, the governor's office, and we can clearly state we are spending X number of dollars on this mission. And this is why we are doing this.

Click the banner below to subscribe to StateTech and keep in touch after the conference.

STATETECH: Can you give us some insights into your current priorities?

Murray: I’m going to shy away from buzzwords like zero trust at the moment. “Whole of state” has become a buzzword, which is unfortunate. But that’s the priority.

My mission focuses on two sides of the coin: supporting our state agencies from an enterprise cybersecurity perspective and supporting local governments from a cybersecurity perspective by providing them with the tools that they need.

From the state agency side, it’s about maturing all of the things that we are doing. Fortunately, the larger state agencies are doing a really great job of protecting themselves. They know what they are doing. The state is in a relatively good position.

My concern is on the local government side. We are going out there to talk to cities, counties and school districts that literally have nothing. And they have been hit time after time with ransomware attacks and security incidents that really impact them and cause their organizations to cease to function. They have no way of dealing with it.

We focus on lifting them up to the same level as what the state is doing. That’s what this program is all about: leveling the playing field. We want cities, counties, school districts, tribal nations and everyone else across local government to be able to defend themselves against sophisticated cyberattacks in the same way other large organizations can.

My priority is just doing the basics well. It’s unfortunate that we must prioritize this. But we go out there to make sure that we are patching our stuff appropriately, we are identifying our vulnerabilities, we are implementing multifactor authentication on our external systems. 

CISA says that these are the bare necessities that you need to be doing. Cyber assurance says these are the bare necessities that you need to be doing. We are still struggling with it in some places. A lot of it comes down to priorities and resources. We are trying to help the most vulnerable make themselves stronger and do some of those core functions. 

Click the banner below to meet StateTech's 2023 Influencers, including Arizona Interim CISO Ryan Murray. 

STATETECH: Does Arizona’s Statewide Cyber Readiness program strive to bring local agencies to some sort of baseline level? Can you describe how you view success?

Murray: Yes, we are trying to bring everyone up to a baseline level. We want to level the playing field across the state of Arizona to where at least the government is doing the basics well. That could involve some sort of advanced endpoint protection, making sure we are protecting against malware, providing multifactor authentication tokens to hopefully prevent remote access attacks, or providing a system for them to patch and to understand their vulnerability exposures. 

We also provide security awareness training and phishing campaigns for all of those users. As we know, most of the attacks that we see are because of system user misconfigurations or phishing attacks. We must inform people as to what the attacks are and why it’s important to pay attention.

It’s really about prioritizing the bare necessities and ensuring that those are getting distributed everywhere.

We absolutely have found success. Several of these entities have been hit with security incidents that have been impactful in the past. But now they have deployed our tools. And we have seen things happen but they have not been impactful. The attacks are stopped. Previously, it would have been a really bad day for them. But now, an incident may impact one workstation or impact one user and then things are locked down and things are cleaned up. Previously, there would have been nothing to prevent that from taking out the entire department. For me, that’s a win.

STATETECH: How do you make sure you are getting to everyone? I imagine that there are some local government agencies that come to you and ask for more help, and then others that don’t engage. 

Murray: We are doing a ton of outreach. I literally drive around the state to talk to cities and counties. We did several marketing roadshows where we visited every region of the state to talk about the resources available and how governments can participate. We let them know the program exists and thank them for participating. We also do a lot of listening. We figure out what the pain points are and see how to help and to plan to achieve a future state.

STATETECH: I read a StateScoop interview where you talked about working with the private sector as well. When we talk about working with the private sector, is it more complex than simply contracting? Can you give us some insights on that?

Murray: There are two pieces to that. One is all of the tooling that we are working with, partnering with vendors to be able to obtain these high-powered, sophisticated defense tools that we wouldn’t have otherwise. I am certainly not going to hire a bunch of developers to program solutions when there are proven tools available commercially. So, we work with our vendors to provide these services to us and our partners.

The other piece is information sharing. We talk a lot about how we look at the entire state of Arizona as one attack surface. An attack against one of us is an attack against all of us.

If a private sector organization is being hit with a cyberattack, we want to be able to share that information to other private sector organizations and to the state government and to the federal government so that we can have a holistic perspective on what the true threat to the state looks like and then better protect everyone else.

We partner with an organization called the Arizona Cyber Threat Response Alliance to act as a bridge between the private and public sectors so that we can gather and share information.

We are all seeing the same thing and we are all being attacked by the same actors. Let's share the information so that we can better protect each other.

MORE FROM STATETECH: State and local agencies improve customer service for citizens.

STATETECH: What are your goals for the near future?

Murray: The big grand vision is covering all local government entities everywhere across the state of Arizona with all of the tools that we can provide. Right now, we have finite dollars that don’t allow us to do that. We have to prioritize which agencies we can help. Right now, we are good with everyone who has applied and been awarded assistance.

We are deploying licenses to them without restriction. That said, next year we may run out of licenses. Then we may start saying, “We don’t have anything that we can provide to you at this time.” So, as usual, we need more money to make this thing as big as we want it to be. That’s at the top of our list.

Second, and this is probably the No. 2 pain point that we hear from our local government entities, is human resources. They need additional help managing these tools and actually paying attention to them once they have been deployed. A lot of times, we may see an organization like a small school district where they have one person doing all of the IT, and they cannot handle managing cybersecurity tools on top of all of the other stuff that they have been doing.

So, we use funds and resources both internally from our team to help and from additional partners such as Amazon Web Services and CrowdStrike to provide some professional services, contract services and staff augmentation where it makes sense to keep everything flowing and moving. 

STATETECH: Is there federal cybersecurity grant money in the pipeline to help fund these initiatives?

Murray: Yes, that is exactly what we are doing with some of the funds that are coming from the feds. We already have bought the tools that we want. We are already using them. We are using state dollars to purchase all of that. 

Knowing that we have most of the tools and licenses, we are using federal money on the professional services side and for additional support and services to amplify what we are doing. Those funds are only good for the next four years. Who knows what that is going to look like in the future.

STATETECH: A lot of folks have talked about shared services as a good use of those funds and for sustainability.

Murray: That’s exactly what we are going to do. And CISA and FEMA are pushing for states to deploy statewide centrally managed shared services as opposed to giving out dollars. It doesn’t make sense for a small city to request $5 when they could get $100 worth of services from me for the same amount.

We are providing this stuff at no cost to local entities, which I think is unique. A lot of states are looking at chargeback models or cost sharing or something like that. But we wanted to make this as low-friction for the local entities as possible and drive up adoption as much as we possibly can. I don’t think it should be a matter of how much money you have in order to have these cyber protections. So, it’s important for the state to take on that border and alleviate that cost for local governments that may be struggling already.

Keep this page bookmarked for our coverage of the NASCIO 2023 Annual conference. Follow us on X, formerly known asTwitter, at @StateTech and the official conference Twitter account, @NASCIO. Join the conversation using the hashtag #NASCIO23.