Arizona CISO Tim Roemer Leaves for Cyber Training Company

Read Original Article Written by Jule Pattison-Gordon from

While state CISO, Roemer confronted struggles to find and hire cyber talent, and sought to make cyber awareness trainings more frequent, robust and widespread. He now joins a private company focused on both those areas.

Tim Roemer has stepped down as Arizona’s CISO and director of Homeland Security and moved to the private sector, he announced on LinkedIn today. Roemer joined cyber skills training and awareness services provider ThriveDX as its president and general manager of Public Sector.

Roemer spent 18 years in the public sector. He told Government Technology that he decided last year that he would switch to the private sector once former Gov. Doug Ducey’s tenure ended.

At ThriveDX, Roemer will take a different angle to tackling some of the cybersecurity challenges he’d wrestled with while at the state.

“Having that talent pipeline to be able to recruit and retain cybersecurity talent” was one of his greatest challenges as CISO, Roemer told GovTech. “Two of the biggest areas that will give you the best return on investment and make the biggest difference in cybersecurity … are training up the quality and quantity of our cybersecurity workforce nationwide. We simply don’t have the talent and the numbers, the resources out there.”

While with Arizona, Roemer was able to add six new cyber positions. But his recruits came from other government entities, leaving vacancies behind them in entities like the Department of Corrections, Department of Revenue, National Guard and the city of Phoenix, he said.

Shuffling the cybersecurity workforce like this leaves gaps: “In cybersecurity, one organization steals an employee, and then another organization gets hit because they don’t have the adequate workforce.”

Roemer said the talent pipeline needs to be widened through trainings and upskilling and reskilling offerings, especially those that can reach beyond traditional candidate pools to bring more diverse perspectives into the field.

Online boot camps are a fast way to train up new entrants to the field and can be a more accessible option for those whose circumstances may not suit studying at university, Roemer said.

“There’re great university cybersecurity programs out there, but they’re not producing enough students every year to be able to make a dent in the actual number of cyber vacancies around the country,” Roemer said.

As for upskilling, virtual employee trainings can be easier to schedule than those that require staff to go on-site to cyber ranges.

It’s not just the cyber professionals who need more training options. Any staff members’ slip-up could give attackers an advantage.

There are plenty of ways for mistakes to occur, Roemer said: “It’s an account compromised by poor cyber hygiene. It’s somebody clicking on a phishing email. It’s somebody at the working level who didn’t patch or misconfigured a firewall or any number of things that are human error.”

As CISO, Roemer mandated cybersecurity awareness trainings for all state employees, and upped the frequency and difficulty of phishing tests to keep everyone vigilant.

Organizations also need to stay on top of evolving social engineering tactics. That now means looking beyond just email-based phishing to also raise awareness about similar schemes sent through text message, a ploy known as smishing, he noted.


Roemer was appointed CISO in 2019. As he looks back at his tenure, he’s particularly proud that the state grew its cybersecurity team, took a whole-of-state-government approach and established the state Cyber Command center.

The state also put a spotlight on cybersecurity and brought it under the umbrella of homeland security. That shift saw Roemer gain the unusual distinction of heading the state Homeland Security Department while also retaining his role as CISO. His successor at Homeland Security may not follow in this path, however, and could appoint someone else to the CISO position, Roemer said.

If Roemer were to give advice to the next CISO, it would be to listen to other agencies that will be impacted before making decisions, and to avoid feeling wedded to vendors that are no longer meeting needs.

“There’s a lot of government organizations out there that are afraid of change, because it’s time-consuming to learn a new tool. It’s time-consuming to go through a new procurement process,” Roemer said. “[But] if one tool isn’t providing you the service that you need and the caliber that you need, you have to re-compete that — you have to give somebody else a shot.”

Download Syllabus

Let’s Talk

Download Syllabus

Apprenticeship Program

Apprenticeship Program

Let’s Talk

Get Your Free Trial

Access our Free OWASP Top 10 for Web

Enter your information below to join our referral program and gain FREE access for 14 days

Follow the steps below to get FREE access to our OWASP top 10 for Web course for 14 days

  1. Simply copy the LinkedIn message below
  2. Post the message on your LinkedIn profile
  3. We will contact you as soon as possible on LinkedIn and send you an invite to access our OWASP Top 10 for Web course


Make sure you confirm the tag @ThriveDX Enterprise after pasting the text below in your LinkedIn to avoid delays in getting access to the course.

Ready to Share?

Take me to now >

Contact ThriveDX Partnerships

[forminator_form id=”10629″]
Skip to content