CIOReview
CIOREVIEW >> Public Sector >>

Now More Than Ever, Every Employee Must Be Part of Our Cyber Teams

Tim Roemer, CISO, State of Arizona
Tim Roemer, CISO, State of Arizona

Tim Roemer, CISO, State of Arizona

A few years back I had the honor of a lifetime to serve two years as a CIA officer assigned to the White House Situation Room working in the world’s most premier operations center.  While supporting the President and the National Security Council, I provided national security updates on a broad range of topics. This is where I became fascinated by cybersecurity; an issue I knew would become one of our greatest challenges.

While working in the West Wing, I became familiar with the famous “45 second commute,” which is the name given to the President’s walk from the White House through the colonnade and into the Oval Office. A commute time that takes just 45 seconds. Although I remember thinking that sounded like the best commute, I never imagined myself working from home with no commute, which I am now. Although I have to say the Rose Garden sure beats the view from my walk from my bedroom to my makeshift office on my kitchen table.

Okay, so what could be so bad about working from home and never sitting in traffic?  Well for starters, I’m a rare extrovert working in cybersecurity and I miss being with my team in person.  Although that’s not what keeps me up at night.  What keeps me up at night now is a cyber emergency caused by the new challenges of a mostly teleworking workforce. 

Not only are our employees more vulnerable in cyberspace while working from home, but they behave differently as well. There are both technology challenges and behavioral challenges from working from home. Sure we can put software solutions in place to help counter the new technology challenges, but we can’t make every decision for them at home. Since March, we have seen a massive increase in phishing attacks and websites blocked from our end users.  This shows both an alarming increase in internal and external threats that we need to contain.  We need every employee to make good decisions online in order to protect our data. 

The highly sophisticated attacks are out there, but most of the time it’s our own self inflicted wounds that hurt us most 

That’s why in Arizona we aren’t changing course; we are doubling down on one of our main cyber strategies, employee training. A year ago after being appointed the Chief Information Security Officer for the State of Arizona my first goal was to better educate all of our employees regarding the threats we face online. Thanks to the strong support from Governor Ducey, we were able to mandate annual cybersecurity awareness training for all state employees and we increased the quantity and quality of our anti-phishing training. 

This was an easy way to improve our cybersecurity posture at little financial cost to the state, as we already had licenses for training modules purchased for our own agency. Maybe it’s the former CIA officer in me with a background working for the world’s most elite human intelligence agency, but I believe cybersecurity is more of a human problem than a technology problem.  Most outsiders think hackers are relying on highly sophisticated tools and skill sets to force their way into our networks, but most of the time they are simply taking advantage of our mistakes.  Now don’t get me wrong, the highly sophisticated attacks are out there, but most of the time it’s our own self inflicted wounds that hurt us most.  

A perfect example is all the attention that ransomware attacks have received in the news the past few years. Although highly concerning, nearly 99% of ransomware attacks succeed because criminals get victims to click on malicious links or exploit weak passwords to gain access to systems. 

Since there is no silver bullet solution and you will never be able to block every phishing email due to compromised email accounts, you must invest in your end users. This is why training and investing in your employees is imperative. As leaders we must put our workforce in the best position possible to protect our information. In Arizona our state cyber team likes to say that we turned our 16 person team into a 36,000 person team by providing quality training for every employee to be part of our cyber team. They now know what to look out for and how to protect themselves online.

We are also trying to have a little fun in the process by rewarding employees that report real phishing emails by bringing those Goldfish crackers, Swedish Fish candy, and even chocolate coins. At the end of the day, they are our best line of defense by preventing phishing attacks from succeeding and saving us lots of coins. 

As the world adjusts to working through a pandemic one thing is certain, technology will play an even bigger role in our lives and securing that technology will become more difficult every day.  Nobody has a crystal ball to predict exactly what will happen, but criminal hackers will certainly continue to exploit our vulnerabilities to achieve their objectives and if we can take care of our biggest vulnerability, our people, and then we will be in a much stronger position to protect our organizations. 

So let’s enjoy our short commutes to our home offices, but let's not sacrifice our security while doing so. 

Read Also

How to Build a Techforce

How to Build a Techforce

Christian N. Schmid (Managing Director and Partner), Raffael Kazda (Associate Director), Daniel Wagner (Manager) and Annika Melchert (Senior IT Architect), all core members of the Banking Practice Area of BCG and BCG Platinion
Data Archival - Rest in peace

Data Archival - Rest in peace

Himali Kumar, Director Data Management, AutoZone
What Does RBG's Death Mean for the Investing World?

What Does RBG's Death Mean for the Investing World?

Jenny Abramson, Founder & Managing Partner, Rethink Impact
The New Bridges and Barriers to an Integrated World view

The New Bridges and Barriers to an Integrated World view

Brandon Beals, Director of Data & Analytics, Dot Foods
Data Literacy –What is it and Why Should Your Company Care?

Data Literacy –What is it and Why Should Your Company Care?

Lisa M. Mayo, Director of Data Management, Ballard Spahr LLP