<img src="https://ad.doubleclick.net/ddm/activity/src=11631230;type=pagevw0;cat=pw_allpg;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755};ord=1;num=1?" width="1" height="1" alt="">

SLCGP Past, Present, Future: An Executive Conversation with a State Cyber Leader

State of Arizona

“Cybersecurity is something that we all have to participate in. An attack against one of us in Arizona should be seen as an attack against all of us in Arizona. That includes all of our local governments and all of our private sector companies. We should be looking at this from a holistic, really, truly whole State approach.”

Ryan Murray

Deputy CISO

Virtru Voice of the Customer (VVoC) Webinar Recording

Air Date: November 3, 2022

 

 

 

When it comes to cybersecurity and local governments, three things are true:

  1. They generate and share massive amounts of sensitive data

  2. They often lack resources necessary to invest in modern cyber security controls

  3. They are increasingly targeted and victimized by malicious cyber attacks

Fortunately, help is on the way in the form of the State & Local Cybersecurity Grant Program (SLCGP), which is a key provision of the Infrastructure Investment and Jobs Act (IIJA) signed into law in November of 2021. The SLCGP itself is a first-of-its-kind federal grant program that will provide $1 billion to state and local governments over four years to strengthen cyber security capabilities in local communities.

What does it all mean?  Where are things headed?  How will the rubber meet the road?

Virtru CMO, Matt Howard sits down with Ryan Murray, Deputy CISO for the State of Arizona to explore the background of SLCGP, understand its unique requirements, and learn how State IT and cyber leaders are coordinating with local government counterparts to secure SLCGP funding and help strengthen our nation’s cybersecurity.

[HOWARD] Good afternoon. My name is Matt Howard. I'm the chief marketing officer for Virtru. I'd like to welcome all of you today to this very important and definitely timely conversation about the state and local cyber grant program, also known as SLCGP. It is a topic that is on a lot of people's minds these days, especially IT and cybersecurity leaders across the country. We are incredibly fortunate today to be joined by a really smart, talented executive at the state of Arizona, Ryan Murray, who's the deputy CSO for the state. Ryan, welcome and thank you for being here. 

[MURRAY] Yeah, Thanks. Thanks so much for having me, Matt. Really appreciate it.

[HOWARD]  Very much. Excited for the conversation. So Ryan, in addition to kind of chatting with you and getting your thoughts on gp, I just want to let the audience know that we're going to share a few polling questions together, feedback from all of our participants today. So please be on the lookout. And when the polling questions are put on the screen, please be ready to provide your responses. It'll be super helpful for all of us as we continue to gather context on what SLCGP means to various constituents. Furthermore, I want to really encourage our audience that's out there listening to the conversation to please ask questions. There's a simple chat window in your control panel. Just type your questions in there, and we will do our absolute best to get to those questions as they're asked. And then finally, to set some context, as we get ready to kick this thing off, I just want to basically remind everybody that when it comes to cybersecurity and state and really local government, you know, three things are true. One, they generate and share a disproportionately large amount of information, really sensitive information. Furthermore, they in particular the local governments, really lack resources necessary to kind of invest in modern cybersecurity, governance and controls. And the last thing that's sort of I think most sobering perhaps, is the fact that they are increasingly being targeted and indeed victimized by malicious cyber attacks. But, the good news and that's why we're here today, or so it seems, is on the way. And that's that good news is the SLCGP, which itself is a key provision of the infrastructure and jobs bill that was passed back in November. And it's the first of a kind federal grant program that will provide $1,000,000,000 over the next four years to state governments, where those state governments then will be required to funnel, I think, 80% of those dollars down to local community governments to help strengthen cybersecurity capabilities in our communities. So as context, Ryan, you know, before we kind of get into the specifics of SLCGP, I thought we'd take a few minutes and get your perspective on the recent past and sort of just take a step back and think about where this country was and perhaps more specifically where certain states like Arizona were in the last five years prior to SLCGP in the face of this cybersecurity risk, which we're all so familiar with. 

[MURRAY] Yeah, for sure. So, I mean, obviously, this is a thing that's been going on for years now. We're seeing the threat increase. We're seeing the digitization of state and local government continue to increase. We're seeing because of that, the increased vulnerability and attack surface across all of our environments. And realistically, it's something that I don't think any of us were prepared for, especially as we went into COVID and everyone starting to work from home or work remote, it really drastically shifted our protection capabilities and something that we've been doing here in the state of Arizona, I think we were ahead of our time here on this, is that we started providing some additional services out to our local governments approximately four years ago, utilizing some federal funds at the time, starting sort of small. We talked about what would be the biggest priority. Right? so we know we couldn't cover everything. We know we didn't have the capacity and funding to do everything for everyone at the time. So what's the biggest bang for our buck? And it was just sort of a no brainer looking at security awareness training, something that we and our governor mandated here in the state of Arizona for all state employees, similar to other HR training or payroll training or harassment training, all state employees are now required to do cybersecurity awareness training every year, as well as we're required to do phishing campaigns against all of our employees every year. 

[HOWARD] And this has been a requirement for how long? 

[MURRAY] For three years now, I believe. Three or four years. Yeah so it's something that we've definitely seen a significant benefit, right? We're building that culture of security across the state of Arizona. So when it came to looking at how we can help support our locals better, that was sort of the first thing that we said. This is a no brainer. Let's get this out there as much as we possibly can. Something that my boss is really fond of saying is we took our small team of 16 cyber professionals and turned it into a team of 36,000 across the state right now. 

[HOWARD] I remember when you shared that with me and thought, what an incredibly simple way to think about scalability for something like this. 

[MURRAY] Right.

[HOWARD] And it kind of speaks to the concept of it is a village, so to speak, or in more specific terms. It's a whole state approach.

[MURRAY] 100%.

[HOWARD] Could you comment on that? 

[MURRAY] Yeah, absolutely. So, I mean, the big piece of this is instead of looking at all of our employees, all of our users, all of the people that we do business with as potential threats, they are now cybersecurity professionals. They're now cybersecurity sensors. They are now gathering telemetry for us and sharing it with us. And helping to spread that culture across the state. And the comment at the time, like I said, was turning 16 to 36,000. But realistically, we're trying to turn that into, you know, 100,000 or 360,000. Right? So pushing this out across the state, we're now starting to target all of our cities and counties, all of our K-12 school districts, our tribal nations. Let's start having them build up that same culture of cybersecurity that we've established here in the state of Arizona. 

[HOWARD] So so let's say four years ago, well in advance of SLCGP, as we now know it, the state of Arizona was embracing, I think what you called a CGP, but but really kind of doing some innovative things at the time to kind of build coordination, collaboration and partnership with your constituents, your counterparts and local governments and local communities. How does that manifest on a practical level? What does that really entail? 

[MURRAY] Yeah, for sure. And realistically, it's been growing over the past few years, right? So we started out four years ago with let's just do security awareness training, let's do the bare minimum to try to protect our people. But now a year, three, three years ago, what else can we add to this? And we started talking about protecting our endpoints and protecting our internet facing web applications. OK, now let's start looking at how we get a little bit more advanced here? Let's look at what CISA is telling us to do. What are the best practices to just do the bare minimum to protect your devices and your agency? So we said let's push MFA out across everything, everywhere. So we started deploying multi-factor authentication capabilities and tokens for our local government entities as well as internal at the state. And then more recently, so starting just this year, we're really ramping this up to 11 and this is even prior to SLCGP becoming a thing or really manifesting as a real support for the state and local governments is our governor's office and with some really drastic help from Governor Ducey himself, has essentially said, look, the SLCGP is great, but let's do more. So we've turned the Arizona cybersecurity program into what we're calling the cyber readiness program and providing additional support across the entire state of Arizona. So, these four things that we started four years ago, Social Security awareness training, advanced endpoint protection, multifactor authentication and web application firewalling. We've added a fifth service this year with what we're calling converged endpoint management. So all of the other things that you want to do on an endpoint, whether that's performance monitoring, vulnerability scanning, policy enforcement, patching, software deployment, etc.. So, these five services with support from the governor's office and the executive branch, we are now blasting those out across the entire state of Arizona for all of our cities, all of our counties, all of our k-12 school districts, for anyone that wants to take advantage of them. And the real kicker here is this is all no cost to them. Right? So this is taken on the bill at the state of Arizona, utilizing our economies of scale, our ability to buy more licenses, getting that best bang for our buck and taking care of our taxpayer dollars and using them the best and most efficient way that we possibly can. And then providing those services out to those local government entities that wouldn't frankly be able to utilize these services if they were to try to buy them on their own. 

[HOWARD] Yeah, I mean, it makes perfect sense. I remember when I first had the opportunity to meet you and sort learn a little bit about the journey that the state of Arizona has been on with respect to its cybersecurity maturation process and just kind of reflecting as a taxpayer based here in Washington, DC, how much of the patterns and best practices that you guys had been working to implement there kind of serve as a proxy, if you will, for some of the same concepts that are inherent in SLCGP as the federal government now sort of sets ready to provide year 1 funds out to the states. And so with that in mind, let's shift gears and sort of change our scope of conversation from the recent past to the present and take a quick look in the mirror, if you will, and reflect on where you might be in the state of Arizona versus where some others might be with regard to sleep. Before I get you to comment, though, I want to have Carissa put up a couple of quick polling questions. There are two in particular. I'd like to put up the first one. Carissa, if you can put it up please, is , What is your state's SLCGP filing plan for November 15th? So that's the deadline for filing for funds. Is your state ready to submit an application for year one funds? Are you actively working to file an application on time by the 15th? Are you just simply not ready to file but planning to ask for some type of an extension? Or are you not planning to file at all for year one funds? I'm curious what our audience might say in response to this question, so I'll just give it a moment here, Carissa, and then we'll go ahead and put up the results. Actually, why don't we hold the results for a moment? If you can, why don't we go ahead and close that poll and open up the second question quickly? The second question I'd like to just ask the audience is with respect to the details of the SLCGP, it's obviously been much talked about, much written about here in the recent weeks since the Notice of Funding was made public. How well do you think your state IT leaders understand the details of SLCGP? Entirely? Partially? Or not at all. So given a moment for our audience to answer that question, we're going to hold these results for just a few minutes and then we are going to reveal them after we get some context from Ryan. So you can take that down, Carissa. And Ryan, what I'd like to do now is kind of get a sense from you as you sit here today, like, what's it really like to be in your shoes, doing your day job? How much time are you and your staff right now spending thinking about SLCGP? Are you literally running around with kind of the hair on fire, getting ready to file your application, putting your ducks in a row? You know, do you have a sense for what you're hoping to achieve with respect to this year's funds if you do indeed get what you're looking for? And how do you think Arizona might be a little bit different from some other states that are planning to take advantage of SLCGP funds? 

[MURRAY] Yeah, absolutely. And I would say we're probably ahead of the game here. Right so we've been doing this whole of state approach to cybersecurity, which is sort of what the SLCGP is driving at and pushing states to do is look at this from a holistic perspective for how you can help support your locals. And something that I think that is sort of unique with SLCGP is DHS is very heavily encouraging the states to provide state centrally supported services for their local government entities as opposed to giving dollars out to those locals, which I think most of the previous FEMA and DHS dollars specifically focused on cybersecurity and Homeland Security have been basically give them dollars to go do their own projects. We're now we're starting to see this shift where centrally manage everything, do everything at the state level and help provide those services to those locals. And obviously, we're doing that writ large here in Arizona and have been for several years. Something that my boss is very fond of saying is that cybersecurity is a team sport, right? That this is something that we all have to participate in and that an attack against one of us in Arizona should be seen as an attack and against all of us in Arizona. And that includes all of our local governments, all of our private sector companies. We should be looking at this from a holistic, really, truly whole state approach. And fortunately, I believe we are ready to submit our application by that deadline where we're finalizing our draft right now, of the cybersecurity plan. That's a requirement of that application, something that you may that you're, I'm sure aware of and our listeners are probably aware of, is that all of the planning that goes into SLCGP has to be run through a statewide cybersecurity planning committee made up of local government entities, state agencies, K-12 school districts, public education, public health sector. So all of these entities need to come together and basically agree that this is what we want to do on a statewide level. So we're really building that collaboration into the process to hear directly from those people that are going to be most benefited and most impacted by SLCGP on what they really need. And something that we're really trying to drive is, look, we've been doing this in Arizona for a while now. Let's let's take this additional I think we're getting $3 million as part of SLCGP for the year 1 funds. Let's take that $3 million and use it to augment and improve what we're already doing, whether that's buying more licenses, buying more functions for the products that you at the local level are already using, or maybe add some additional services to those sorts of things. Right? One of the number one concerns that we've heard from a lot of our partners at The local level is the tools are great, but I don't have staff or resources to run the things that we already have in place. So how do you get me help to actually manage this big cybersecurity thing? Give me these tools. That's great. But I also need some additional help and actually managing them and running them once I get them. 

[HOWARD] So the shared services model back to scalability. I mean, you know, ultimately one thing certainly is true in the commercial industry is a lack of IT talent or a lack of cyber talent. It's pervasive. I think it's probably even exacerbated in government and perhaps even more so in local government to the extent that you can provide shared services, type support and coordination with those local communities seems to be a logical opportunity to scale in, to your point, get more bang for the buck. Is that how you see it? 

[MURRAY] Yeah, exactly. That's that's know, that's right on the money. Right not to use the pun lightly there. But realistically, we're trying to crowdsource the heck out of the support. Right so if we're all using the same tools, we're all trying to solve the same problems, we're all seeing the same threat. Actors do the same things against us. We're all communicating, collaborating with each other on what that solution looks like. So if a small city in southeastern Arizona is getting attacked with something and they're using the same tools that the state of Arizona is to defend themselves, they can reach out to us and say, look, this is what we're seeing. What do I do with this? How do I defend against this? And then we can take that same information and share it across the rest of the state with all of our local partners. And then also share that up and down the stack with other states, with our national and federal partners, so they can build out that total operational perspective of what that looks like across the nation to help better defend everyone. 

[HOWARD] And what about so where would you put schools at? Through K-12 schools in that community? 

[MURRAY] Yeah, they're right there with us. Right we consider them part of the same club with all the rest of our local government entities. And I think historically they've kind of been left behind. Right one, they're significantly underfunded across the nation, just sort of as a baseline to the typical funds that they get for school districts come through e-rate, which specifically does not cover cybersecurity protections. So that's sort of another thing dropping them behind. And then three, the other funds that have typically come from the federal government, whether that's through UASI, the urban area security initiative or the Homeland Security grant programs specifically did not cover K-12 school districts because they didn't have a focus on Homeland Security at the time. So we made this a specific focus as part of our cyber readiness program, as well as ensuring that was included as part of SLCGP, because we know that they're seeing the same threat actors attack them, the same nation state actors, the same cyber criminals. And they're woefully unprepared to defend against those, just like other local governments. 

[HOWARD] So again, one of the things I sort of just me personally kind of getting smart about this topic across the country, not just in Arizona, was just reflecting on how state governments are often organized and distinguish between something like IT and cybersecurity and something like law enforcement. I'm curious to get a little bit of a sort of picture from you in terms of how Arizona has actually organized itself with respect to the State Department of Homeland Security and the CISO, I believe your boss, who is in fact a cabinet member and has sort of a unique set of responsibilities that potentially helps position you guys as a proxy for maybe how cyber becomes, let's just say, more integrated into the way we think about modern law enforcement. 

[MURRAY] Yeah, 100% So I think we're the only state in the nation where our enterprise cybersecurity team reports underneath the Department of Homeland Security within the state. I think New Jersey. New Jersey is the other one that does it this way. But historically, cyber has been seen as an IT problem. So the CISO reports to the CIO who reports to an assistant director or a director who then maybe has that person report up to the cabinet. And we really wanted to turn this on its head here in Arizona. So essentially, Governor Ducey said that cybersecurity is Homeland Security. Right? This is not a separate function and this is something credit where credit is due. The federal government actually was sort of on the cutting edge of this right with establishment of CISA several years ago, where they said that the Cybersecurity and infrastructure, infrastructure, security protection is absolutely a function of Homeland Security. So we're going to establish CISA, the cybersecurity agency for the nation underneath our Homeland Security department. So sort of taking a page out of that, we decided this is exactly right. So this can't be seen as just an IT problem anymore. And realistically, your state CIO and your state, CISO, need to be sitting at the same level, talking the same talk, working with each other. It can't be a subordinate relationship where you're funding, fighting for funding from both an IT and a cyber perspective. And something that, as mentioned, that we're sort of unique here is our director, who is the director of Homeland Security here in the state, essentially brought the entire cybersecurity with him, entire cybersecurity team with him. When he became the director, he maintained the state CISO title. He is now the director of Homeland Security, sitting on the cabinet with the governor's office. So having that elevated position, that elevated mission and that elevated voice.

[HOWARD] Have two hats.

[MURRAY] Right exactly. And being able to see it from both perspectives. Right so having that cyber perspective as well as all of the other Homeland Security initiatives and missions that function within the state. And obviously, Arizona is a border state. So that's very heavily top of mind and something that Homeland Security is heavily involved with. There's the drug crisis happening across the nation. We've got other issues that our Director has to focus on, which is one of the main reasons I exist in the first place, is so I can focus solely on the cyber mission. But realistically, it's something that's sort of unique here in Arizona, having that elevated perspective and that elevated voice to be able to take that directly to the policymakers and executives who can help drive that mission. 

[HOWARD] Yeah, it makes sense. I mean, I think to your point, I couldn't agree with you enough about CISA and the federal government. You know, I think Jen Easterly and her team are doing really amazing work. And as a taxpayer in this country, just thinking about the threat that we collectively face as a nation, I'm really glad that they're on that sort of mission and frontline doing what they're doing and working more closely than ever with state partners and really, quite frankly, glad to see states like Arizona doing what you're doing to coordinate more closely with your local counterparts. So, Carissa, if you don't mind, can we go ahead and please put up the results from the first polling question? I'm curious to sort of see what is the answer? Interesting. So we have a few folks that are ready to go like Arizona, we have the vast majority apparently not ready to file, but planning to ask for an extension. And then a few folks that are not planning to file for year I funds. So that's an interesting lens on things. How about the response to the second question? Curious, Ryan, were you surprised by that, those results, those initial results to question one? 

[MURRAY] I'll say no, not at all. That, that is right in alignment with all the other state CISOs that we've been talking to. The majority of them have said that they are not ready. And this is partly, you know,no talking trash to the federal government. But this is partly because of the disorganization and short timeline that we were given to actually put together the application. The NOF was only released a couple of months ago and then really short runway to get the full application. And cybersecurity plan submitted and approved through the State planning committees and then finalized as part of the application later this month. So I'm not surprised at all. What's sort of interesting is that last option that people have said that they are just not filing at all for these funds. And I think that's directly related to just how complicated and disorganized and confused the whole application process and notice of funding has been. There's a lot of questions that remain to be answered about this program. And it's something that we're planning to apply for because I certainly can't leave money on the table and then go talk to my legislature and ask them to give me more money. But I absolutely understand the other states that have essentially said, look, it's not worth the hassle for us to go through this. 

[HOWARD]Yeah and that's a really good segue to these results that we're looking at here where where, you know, what percentage of people, you know, state leaders do you think entirely understand versus partially or not at all? I mean, yeah, to your point, more questions arguably than answers at this point, which is why 67% of the respondents are saying partially and with 17% not at all. You can kind of see, let's just say, room for improvement in terms of clarifying and simplifying the communication, in terms of how the program works, giving people time to kind of take full advantage of it. And the like. So thank you for that. What I want to do now is kind of move the conversation to kind of a look at the future and what's ahead. So what do you intend to do with $3 million from SLCGP? And as I understand, I think 10% there's a 10% match that the state of Arizona has to contribute as well. So those dollars coming into your purview, what does the whole State look like for Arizona with an additional $3.3 million? How does the money get spent? What are your priorities? How do you coordinate with the local community to determine those priorities? And yeah, what if you want to do something that they don't want to do or they want to do something that you don't, how does that all sausage get made? 

[MURRAY] Yeah, for sure. So just kind of talking about year one, right? I know this is being billed as a once in a lifetime, lifetime opportunity to shore up cybersecurity across the entire nation. But realistically, when you look at it, that billion sounds great, but then you divide it by 4 years and divide it by 56 states and territories. And, you know, this year we're getting $3 million. And you spread that across 15 counties in the State of Arizona, across 200 school districts, across 200 plus cities and towns and other municipalities, that money disappears very, very quickly. So it's not quite as life shattering and earth shattering as the federal government would like us to believe, which is part of why we've decided to do some of this stuff on our own. Right so you're right year one, we're realistically looking to take those dollars and augment and add some additions to what we're already doing here in the state. Future state for what we're looking to do with those additional dollars is just try to do more, right? So we know that these five services that we're providing now don't cover every potential security risk across all of these local governments. So this really needs to be a collaborative effort with those local governments. It needs to be an open line of communication with the community to talk about what are our next priorities and whether that's aligning to the NIST cybersecurity framework, whether that's looking at other frameworks like the CIS critical controls, how do we prioritize, what do we look at next. And what controls do we want to add that can greatly reduce the additional risk across the state of Arizona? And to your point that the 10% that's only this first year, so 10% match of $3 million, 300,000. My expectation is the states just going to eat that in year one, right. Trying to figure out how we're going to charge back local entities, figure out some sort of reimbursement process is just a headache that no one wants to deal with, especially in such a short runway between now and next week when we need to submit the application. So year one, we're probably just going to eat this at the state level. Year two, this gets complicated, right? Because not only does the amount that we're receiving increase, but so does the match percentage. So it goes up to 20% next year, 30% the following year. And the values that we're talking about is I think we're expecting around like 6 and 1/2 or $7 million by year 3 and a 30% match of $7 million. I suck at math, but, you know, that's way more than $300,000 in the year one. So having that conversation with our legislature of I need an additional $3 million or whatever to be able to match this percentage from the state, from the federal government. Is that something that we want to do or do we need to change tack here and say this is something we need to figure out another mechanism to either charge back those local government entities or figure out some other way to come up with those funds. Or is it just not worth it? 

[HOWARD] And is there an inherent sort of additional value to your whole of state approach would make the conversation with the legislators that much more easy, which is, no, this is a whole of state thing. So we do need the dollars. And the reason we need the dollars is because it's a match against SLCGP funding. Again, perhaps not everybody is in that same sort of position, but it is interesting to kind of reflect on the complexity of how you work to get the funds and then put them to work not just now, but in the coming, you know, four years, because over time there's work to be done to take full advantage of the program. 

[MURRAY] Yeah, you're talking different legislators across four years, different governors across four years, priorities and things could shift by the time we get to year four of this program, right? 

[HOWARD] Yeah, 100% And one thing I'd love to get your thoughts and comments on quickly, you mentioned earlier in the conversation about the work that you were doing pre-SLCGP, kind of just on a best practices basis in your whole state approach. I think you said identity and MFA was kind of a key element of that. The endpoint was a key element of that. Networks and firewalls were a key element of that. But what about data, like how do you think about data in particular, sort of the sensitive sharing of data across organizational boundaries, for example, a school system sharing an IEP with a parent. I mean, how does that kind of come into play? 

[MURRAY]Yeah, for sure. I mean I mean, this is critical, right. As we talked about earlier, these entities have a ton of sensitive data and being able to protect it, both where it lives and as it's transmitted across any of these sharing boundaries, it's going to be important. And it's something that's specifically called out as a component of the SLCGP that we can potentially provide. So something that we've looked at, obviously well, maybe not, obviously, but we're here today talking to you, Virtru. You know, the state of Arizona is a customer and we're utilizing Virtru to protect State data within the state agencies. So as we look to further future state's further future years of what this program might look like, obviously this is top of mind of how do we potentially protect all of that sensitive data, not just where it lives on each of these endpoints, but a lot of people are putting data in the cloud now, which doesn't really bode well for significant endpoint protection. How do we protect that data when it's no longer on any of the assets that we own and control? And I think obviously there's some significant opportunities there. 

[HOWRD] Yeah and for sure. I mean, and you know, sort of just speaking on behalf of Virtru, we are not naive at all. I mean, we understand the complexity of being sort of positioned on your front foot with cybersecurity best practices. It is a big, complicated endeavor. It is a lot of pieces of the puzzle, so to speak. And clearly identity and multifactor is a critical one. Clearly endpoints is critical. Clearly network and applications are both critical. And yeah, data itself is arguably kind of this historically a little bit of a tail wagging the dog. But increasingly, as people come to grips with the fact that data is the thing that ultimately is what attackers want, you're starting to see governance and policy controls kind of move to the data, which is compelling for us as we look to kind of continue to grow our partnerships, our partnership with folks like you and others across the country and state and local communities. So, you know, from that perspective, let me shift gears to polling question number three, Carissa, if you could please put that up, that would be very helpful. This is a year one from funds from SLCGP will be used for one or more of the following. Establish a cybersecurity planning committee to the extent that you don't already have one. Develop a statewide cybersecurity plan or revise the current one to the extent that you might use dollars to help fund that.Conduct assessment and cyber readiness evaluations and/or fourth, adopt key cybersecurity best practices to the extent that you're filing for year 1 funds. Please let us know how you would intend to use them. So I think we can go ahead and close that poll now, Carissa and ask the. Actually, let's go ahead and let's go ahead and see those results, if you don't mind. Interesting Ryan, I'm curious to get your thoughts on that. 

[MURRAY] Yeah, I mean, realistically, I don't want to waste money on planning to plan. Right so we've already got our planning committee established. We're already neck deep and working on that cybersecurity plan, that strategic plan that we've been working off of for the past four years. So ideally, we would use these funds to conduct those assessments to understand the risk across the state and then adopt those protections. So I I'm not super surprised by this, but I guess the fact that the majority of people are either in objective one or objective two here, again, not super surprising given this is sort of unique what we're doing here in Arizona, but also with the really short runway to get this program off the ground. 

[HOWARD] Yeah, it's almost a perfect bell curve. I mean, you look at this and you sort of imagine there's certain states that are really advanced and sort of well prepared to respond to the SLCGP. There are others that are at the opposite end of the spectrum who are less well prepared and maybe just really kind of getting a grip now and then kind of everybody in between. I think that makes sense. Let's move on to the final poll question. And to the extent to your point, Ryan, to the extent that you're in a situation to do use funds to do the assessment, to identify risks so that you can subsequently put dollars to work to adopt best practices. If you're planning to take these funds again, whether year one or beyond, you know, ideally, how would you imagine your SLCGP funds being put to work? Which of the following best practices would be prioritized? Multi-factor authentication, enhanced logging data, encryption for data at rest and in transit, deprecate legacy systems and software, or prohibiting the use of known fixed default passwords, all of which were called out as best practices within the SLCGP notice of funding. So I'm curious to sort of see what the audience has to say with respect to this question. And if you don't mind, Carissa, why don't we go ahead and put up those results? Interesting. Ryan, your thoughts? 

[MURRAY] Yeah no, I mean, these are all the critical things, right? I'm sort of surprised, but I guess not super surprised that deprecate legacy systems and software was a little bit higher up on the list, partly because that drives a lot of the other vulnerabilities in environments. Right? But obviously, those top three are maybe a little bit easier to find tools to just deploy the bottom, to require a lot of hard work that you can't just throw a tool at the environment and hope it happens, right? 

[HOWARD] Yeah, 100% There is no doubt that passwords are a problem. And in the modern world, I think some very large percentage of real world breaches are due to some type of weak password. So I'm a little surprised by that myself. More broadly, I think that sort of generally makes sense and sort of, you know, the distribution, again, sort of highlights the fact that this is a complicated big ball of wax with lots of different pieces of the puzzle that ultimately have to be considered when you're putting best practices to work to improve cybersecurity hygiene. So Thank you, Carissa. So Ryan, one last question about the future. If you, as you sit here today ready to submit your application for year one funds, you know, given what you've observed in the State of Arizona over the last four years, given what you've learned in conversation with or anecdotally from colleagues and others in state governments across the country, how would you assess our current posture as a nation from state and local government cybersecurity perspective? And what can you imagine us accomplishing in four years' time as a result of SLCGP? 

[MURRAY] Yeah, for sure. Well, I'll start off with the depressing line because I think we again, we're woefully unprepared to defend against nation state actors, sophisticated cyber criminals, and there they are continuing to get better at what they do. And we have stagnated in our defensive capabilities. So I would say that currently we're in a pretty sad shape across the nation. Arizona, I think we're starting to do better, but obviously we've got a long road to go. My my sort of unicorn utopia vision for this is we're all well protected against all of these common attacks, against all these common vulnerabilities. We're all sharing information with each other about what those look like. And essentially, Arizona becomes an impenetrable shell in state and local government, as well as our private sector. Right because our citizens are doing a lot of business with our businesses here in Arizona. So how do we expand that out to be able to protect everyone everywhere and really looking at it from that truly whole of state approach? I guess to be more hopeful, I think that this is a good step in the right direction. Right so SLCGP at least acknowledges that there's a problem that local governments have been underfunded, under-resourced and under-capable for a very long time when it comes to this cyber threat. And at least this indicates that the nation, the federal government, the administration and those departments within really understand that this is something that we need to focus on as a critical priority. I don't think SLCGP is going to be the solution to it, but I think it's a good step in the right direction. Part of that's going to be because, one, we have no idea what one the threat landscape is going to look like in four years. And two, we have no idea what the political landscape is going to look like in four years. And three, this money runs out in 4 years. So state and local governments are going to have to find a way to fund these things that SLCGP is paying for currently when the money goes away after the end of this program. And that's something that hopefully between now and the end of this four years, we can have that conversation with our legislatures, with our executives, and let them know that this is a critical thing that states and local governments need to devote funding to actually continue the support of these programs. 

[HOWARD] Yeah, 100% So I have a question. You made a comment about the impenetrable, impenetrable shell, sort of a utopian vision for the future. As you know, being sort of a cybersecurity expert yourself, is that the right way to think about it? I'm curious, because so much of the world's conventional wisdom these days, if Zero Trust security architectures are to be believed as best practice, is there not a different view that might imply, well, the shell is going to be penetrated, we are going to assume that we've been breached, and therefore what we need to do is effectively get more granular in our "controls" because we can't possibly become impenetrable. We have to sort of recognize that and be more dynamic and granular and responsive to the inevitable, which is the breach has already happened and you don't even know it for sure. Thoughts on that? 

[MURRAY] Yeah yeah, for sure. And I think you're absolutely right in current day and age, right? Like if we're talking current state of things, current protective capabilities and current ability to ward off defenders. Absolutely, that is unrealistic. Right? That hard outer shell of my network is no longer a reality that we can rely on. But I think as we develop protecting our users, as we develop protecting our endpoints, as we develop protecting our data. Yes, absolutely. And I hate the terminology zero trust. No offense, but really looking at those assumptions of trust between all of these things, our systems, our people, our data, and how do we best protect those? I think we can absolutely at least make it way more difficult for attackers, for these threat actors to try to come after Arizona and frankly, they'll go elsewhere. Right that old adage, which I don't really agree with, but I just need to be faster than my friend when we're being attacked by a bear. Right if we make Arizona, let's say, financially unfeasible for attackers to go after, they will stop, for the most part, coming after us. And as we start looking more and more at let's put people behind bars, let's start looking at convictions. Let's work with law enforcement to share information with them. Let's let's start taking some drastic actions here to get rid of these cyber criminals and cyber threat actors versus just trying to play whac-a-mole constantly. So I think we absolutely have the ability to do that, not looking at it as sort of, look, Arizona is going to be impenetrable and we're never going to have a data breach ever again. But I think there's absolutely some opportunities here to provide those protections, to make it unfeasible for threat actors to do significant damage or significant harm to both our public sector and our private sector and our critical infrastructure. And, you know, hopefully that's a reality sometime in my lifetime. 

[HOWARD] Yeah, for sure. So I think we have time for one final question that's been asked. How do you mention the perimeter is vanishing. And arguably, I think that's something a lot of people in the industry reconcile is so much of our IT systems and infrastructure have moved to public cloud. What what's your thought on public cloud service providers, infrastructure. How does that play into the broader picture of your cybersecurity hygiene journey or for lack of a better term or zero trust security transformation? What about the public cloud? What does it mean to you guys? How do you lean on it? Is there thoughts or comments you could share? 

[MURRAY] Yeah, absolutely. So we've had a cloud first policy in the state of Arizona for three years now. I want to say 2021, all state agencies were essentially required to be moved to the cloud and out of any state owned data centers. So this is something that's been really at the forefront of our current CIO and our previous CIO and our current CISO and previous CISO for several years now. And we rely heavily on public Cloud Infrastructure. 

[HOWARD] So is it because of cost or security or both? 

[MURRAY] So so both realistically. Right? If you look historically, state data centers were closets, basements, things that were not designed to be secure infrastructure in the first place and they weren't well maintained or well run. So looking at that from the perspective of both a cost and security perspective, it just made sense to give this over to someone whose sole purpose is running a sophisticated tier three, tier four, data center right, AWS, GCP, Azure. They all do cloud and Infrastructure Security way better than a very small board in commission in a state or local government will ever do, plus the economies of scale being able to purchase this at the state level and provide it out for the locals and for our state agencies. It just makes a ton of sense from both sides. 

[HOWARD] Yeah, 100% Well, listen, I have thoroughly enjoyed the conversation. I know you are incredibly busy every day, every normal year, but in particular right now, as we get ready to collectively sort of file for SLCGP funds on November 15th, it's been really fun and fascinating to see how Arizona in particular has kind of progressed to this point, ready for SLCGP and maybe ways that other states aren't. So kudos to you and your colleagues and your teams for that. And thank you again for being here today and for your willingness to share your expert perspective. I know that people out there are thinking a lot about this topic, and I know I've learned a lot from you and I imagine others did as well today. So Thanks again. 

[MURRAY] Yeah, absolutely. Thank you so much for having me. Obviously, this is something that's a passion of mine. I'm always glad and grateful to be able to talk about what we're doing here in Arizona. 

[HOWARD] Fantastic Thank you again. 

[MURRAY] Thank you so much. 

[HOWARD] Thank you, guys.