Site icon GovLoop

Whole-of-State: We’re in This Together

Arizona was among the first states to adopt whole-of-state cybersecurity, launching its Cyber Command in 2021. It linked threat detection and response efforts across local governments and agencies and made essential security tools available, creating a security fabric that better protects everyone.

We talked to Ryan Murray, state CISO and Deputy Director of the AZDOHS, about how the project started and how it works today. He outlined the steps that made the broad approach a reality.

Step One: Recognize That Cybersecurity Is More Than Tech

Officials began by moving the state’s cybersecurity operations from IT to AZDOHS, demonstrating that cybersecurity is not simply a technical issue, but a more comprehensive defense. “How do we make sure we’re protecting all the small, underserved cities and counties? How do we start talking about the other government entities, like public school districts or transit authorities?” Murray said. “We need to be looking across the entirety of the state of Arizona.”

Increasingly, government agencies at all levels are interconnected, “so a threat realized and exploited and manifested in one of those entities is really a threat that we all have to deal with,” Murray said.

At the same time, smaller organizations have significantly fewer resources and some lack IT departments altogether. “They’re relying on bubblegum and twine just to keep the lights running,” Murray said. “So, it made sense for us to say, ‘Let’s look at this holistically, as a big picture problem, where we can all come to the table and help each other and protect each other.’”

Step Two: Share Information

In Arizona, outreach began through an existing informal network of officials responsible for cyber in their communities. Information sharing was the critical component early on. “We were reaching out and talking to these entities, saying, ‘We have information [about] a specificphishing email or a specific [distributed denial-of-service] attack,’ and pushing that out to the broader community,” Murray said.

Today’s AZ-ISAC is the product of that early information sharing. It now includes more than 1,000 people on a Slack workspace, covering about 400 state and local government entities, as well as links to centers in Maryland and Colorado. “We’re sharing and talking to each other in real time [using] that rapid, real-time information-sharing mechanism,” Murray said.

Step Three: Make Resources Available

The next step came in 2022-23, when Arizona allocated funds to launch its Cyber Readiness Program, which offers a suite of cyber resources to cities, local government, K-12 schools and tribal agencies. “We were providing them at no cost, knowing that [some organizations may] never be able to afford these tools themselves,” Murray said.

Buying centrally also helps agencies that are too small for vendors to consider. “A lot of these companies won’t even talk to someone for less than 1,000 users,” he explained.

Under the Cyber Readiness Program, agencies can access security awareness training, endpoint detection and response, multifactor authentication, and a web application firewall to protect public-facing services against DDoS attacks and website vandalism. A converged endpoint management system allows the state to push tools and software to the connected agencies and centrally manage updates, software patches and compliance.

More recently, the program used federal State and Local Cybersecurity Grant Program funds to add protection against malicious email. They’ve also used SLCGP grants to hire contractors to help customers deploy and configure tools and services.

Step Four: Make the Case

To get local organizations onboard, Murray brought the message to them: “In the beginning, I literally drove around the state — me and a couple of my staff members doing these road shows.” With bipartisan support over two state administrations, Murray could reassure agencies that the initiative was free and “as permanent as anything is in government.” Even better, it produced data that could help make the financial case. “You can take that to your town council or board of supervisors and say, ‘Look, this is how we’re saving the city or the county money by participating with the state on this,’” he told them.

Another trust-building factor was a promise not to overreach. “We give them the tools, we help them to get up and running, and then we stand hands-off and let them manage their own environments,” Murray said. “We make it very explicit with our stakeholders that we won’t make any changes in their environment without their approval. We want to make sure that trust level exists where they know we’re not going to just go blow up their stuff without their permission.”

Step Five: Expand the Network and the Workforce

The system is a boon for all cities and counties, even those with better funding that can afford their own cyber resources. “As we’re deploying the services that are helping to protect these environments, they’re also gathering a ton of telemetry of what those attacks look like. If we’re all using the same tools, and we’re all part of the same community, we can collect that information and then share it with them,” said Murray.

AZDOHS is also building a cyber workforce with student-led, state run regional security operations centers. The pilot is funded by SLCGP, with the hope that the state can eventually support the effort.

“We’re looking at this from an operational support standpoint,” Murray said. “All these cities and counties are struggling to hire cybersecurity staff. So, we’re partnering with our community colleges to put students directly to work, monitoring for cyberattacks and defending against them in their own communities.” The students also lighten the load on senior analysts by filtering out false positives and low-level alerts.

The program has additional benefits. It’s also a workforce and jobs program that teaches and trains the future cyber workforce. “We’re giving them that hands-on experience in a real-world environment,” Murray said. “Being able to put on your resume [that you] worked two to four years with the Arizona Department of Homeland Security as a security analyst gives you a major leg up when you’re out there looking for jobs.”

Cybersecurity Is a Team Sport

Arizona’s experience shows that whole-of-state brings people together. “We often say cybersecurity is a team sport, or it needs to be a community effort,” Murray said. “We’re really living that. If a city down the road gets hit with a ransomware incident, that’s just as much my problem as it is their problem. And it’s the citizens’ problem, too. Those services are no longer being delivered.”

Ultimately, that’s why whole-of-state is so important: It keeps agencies up and running.

“Cybersecurity is that core foundation across all of the missions of state and local government,” Murray said. “We’re investing in quiet days to make sure that we can continue to provide those services to our citizens.”

This article appeared in our guide, “Cybersecurity is Now a Shared Mission: How Agencies Are Collaborating to Improve Security.” To learn more, download it here:

Image of Tucson by Kieran MacAuliffe from Pixabay. Portrait of Ryan Murray courtesy State of Arizona.

Exit mobile version