Apr 27 2026
Security

Q&A: Pennsylvania’s CISO on Risk Reduction, Zero Trust and the Next Cybersecurity Frontier

Andy Ritter explains how risk reduction, zero trust and shared services shape the commonwealth’s cybersecurity strategy.

Andy Ritter brings more than three decades of IT experience to his role as CISO for the commonwealth of Pennsylvania. A career technologist who began working with personal computers in the early 1990s, Ritter has spent the past decade focused on cybersecurity and risk management. He joined Pennsylvania state government in 2017 as a contractor before becoming a full-time employee the following year, initially serving as a risk manager.

Ritter was named deputy CISO in 2023, and he became CISO in February. Known for his hands-on approach, Ritter views cybersecurity through a pragmatic lens, emphasizing risk reduction, resilience and the need to align security strategy with how government employees and residents actually use technology today.

STATETECH: Since stepping into the CISO role, what’s been taking most of your attention? What’s top of mind right now?

RITTER: Risk reduction, first and foremost. I’m focused on identifying gaps in resilience and understanding where the commonwealth faces its greatest risks. That includes areas like zero trust, identity and access management, and vulnerability management. From there, it’s about working with leadership to make the right investments to reduce those risks and strengthen the services we deliver to Pennsylvanians. We’ve had really strong support from Gov. Shapiro’s administration over the past few years, which has enabled us to make meaningful investments in cybersecurity and advance this work across the commonwealth.

STATETECH: Looking ahead 12 to 18 months, what are your top cybersecurity priorities, and how do they fit into the state’s broader strategy?

RITTER: Pennsylvania delivers IT through a centralized model, and continuing to strengthen that model is critical as we move forward. From a cybersecurity perspective, centralized governance allows us to deliver consistent services across agencies through our Enterprise Information Security Office.

From a technology standpoint, our priorities will continue to include zero trust, identity and access management, and strengthening our vulnerability management program. All of it ties back to reducing risk, improving service delivery for residents and reducing unnecessary complexity across the environment.

STATETECH: Zero trust is a major theme across state and local government. How far along is Pennsylvania on that journey?

RITTER: We’re making steady progress and continuing to mature. Zero trust allows us to simplify and standardize how we deliver secure services to employees and partners, regardless of where they’re working.

Historically, security was built around a perimeter — fortifying networks inside physical buildings. Today, our workforce is far more distributed. We want to provide a consistent, secure experience without forcing users into outdated models like constant VPN use. Security shouldn’t get in the way of work, and zero trust helps make security more seamless and embedded in the user experience.

STATETECH: How does Pennsylvania’s hybrid work environment factor into that?

RITTER: It’s very relevant. About 65% of our workforce is in the office every day, while the remaining 35% work in hybrid arrangements. Very few employees are fully remote. That mix makes it essential to deliver secure access regardless of location, which reinforces the importance of zero-trust approaches.

STATETECH: What types of tools or architectures are you leaning on to support zero trust?

RITTER: At a high level, it’s about moving the perimeter toward the cloud where appropriate and building security into the desktop and user experience. We’re moving away from legacy perimeter-based models and toward architectures such as secure access service edge, which supports modern work patterns while maintaining strong security controls.

STATETECH: Vulnerability management and modernization are ongoing challenges for government. What’s on your punch list there?

RITTER: Visibility is everything. You can’t secure what you can’t see. Our goal is to identify risk quickly, understand where it exists and remediate it as efficiently as possible.

Zero-day threats are always top of mind. When something emerges, we need to be able to react immediately — identify affected systems, mobilize teams and remediate quickly. That requires the right tools, the right processes and the right people working together. Agility is critical.

STATETECH: That sounds closely related to what we’ve been hearing more about in terms of observability. How is Pennsylvania approaching that?

RITTER: Observability is a top priority for us. Over the past few years, we’ve made significant strides in improving our ability to see vulnerabilities, identify emerging threats and track remediation through to completion. The goal is not just to identify risk, but to have high confidence that it’s actually been addressed.

STATETECH: Federal cybersecurity grants have driven a lot of shared services and “whole of state” approaches. How has that played out in Pennsylvania?

RITTER: Whole-of-state cybersecurity has been a focus here for years. We work closely with counties, municipalities and organizations like the County Commissioners Association of Pennsylvania and the Pennsylvania State Association of Township Supervisors. We began cultivating these relationships more than a decade ago to understand how the commonwealth could be more of a partner.

The State and Local Cybersecurity Grant Program has helped us expand shared services — including monitoring and security tooling — and serve more organizations such as K–12 schools. The idea is simple: No matter where Pennsylvanians receive government services, those systems should be secure. Reducing risk statewide benefits everyone.

STATETECH: AI inevitably comes up in these conversations. How has AI affected security operations in Pennsylvania, both positively and in terms of risk?

RITTER: AI and automation are powerful force multipliers. They offer real opportunities to streamline operations and improve efficiency. Pennsylvania established an AI governing board in September 2023 to guide responsible adoption, and that reflects the administration’s commitment to being a leader in this space.

At the same time, AI introduces new risks. We’re seeing more sophisticated phishing attacks, faster attack cycles and a lower barrier to entry for threat actors. AI has changed the speed and scale of cyberthreats, which means we need equally capable tools and strategies to defend our networks.

STATETECH: What are you most looking forward to hearing or discussing at NASCIO Midyear 2026?

RITTER: This year, I’m most looking forward to having conversations about cybersecurity and enterprise risk management, particularly how states are strengthening resilience in the face of a rapidly evolving threat landscape. I’d also like to hear how peers are approaching AI adoption and governance; how they’re finding practical, responsible ways to leverage these technologies while managing risk and maintaining public trust. Discussions on modernization, data strategy and workforce readiness are always valuable, especially as states work to deliver more secure, efficient digital services.

Photography by Gene Smirnov