Presented by
Cybersecurity strategy often lives at a high level—defined in policy documents, executive orders, and statewide frameworks. But the real challenge for state governments is turning that strategy into operational capability. Alyssa Zeutzius, Deputy Chief Information Security Officer for the State of New York, and Michael Geraghty, CISO and Director of the NJCCIC for the State of New Jersey, provide a clear picture of what that transformation looks like in practice.
For New York, the foundation began with the development of its first-ever statewide cybersecurity strategy. Alyssa Zeutzius explains that the intent behind the strategy was not to centralize all responsibility, but to define how cybersecurity is shared across agencies. The framework outlines five pillars and assigns responsibility across multiple entities, recognizing that cybersecurity is inherently a team effort. Rather than forcing a one-size-fits-all model, each agency takes ownership of a portion of the strategy and adapts it to its operational environment.
New Jersey has taken a similarly integrated approach through the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). Michael Geraghty describes the NJCCIC as the state’s “one-stop shop” for cybersecurity, serving not only state agencies but also local governments, schools, critical infrastructure, and even small businesses. Over the past decade, the organization has expanded both its scope and its capabilities, reflecting the growing complexity of the threat landscape.
One of the most important themes from both leaders is collaboration across state lines. Despite differences in governance structures, New York and New Jersey face many of the same cybersecurity challenges. As a result, they have built a strong partnership based on trust, allowing them to share best practices, exchange threat intelligence, and coordinate responses.
This collaboration becomes especially critical during major events. Planning for the World Cup, for example, requires coordination across dozens of organizations, including transportation authorities, utilities, law enforcement, and local governments. Zeutzius emphasizes that planning begins well in advance, focusing on dependencies, roles, and incident response procedures. Geraghty adds that more than 70 organizations are involved, with regular coordination and 24/7 operational readiness during the event itself.
Geraghty frames this concept as a “cyber neighborhood watch,” where information sharing helps prevent incidents from spreading. If one organization experiences an attack, others can be alerted and take steps to protect themselves.
Breaking down data silos remains a challenge. Zeutzius notes that while systems are often inherently separate, states are working to improve both technical integration and process alignment. By ensuring that decision-making involves the right stakeholders and that systems are designed to share information where appropriate, states can reduce fragmentation and improve overall effectiveness.
Artificial intelligence is beginning to play a role in this evolution. Geraghty describes AI as a force multiplier—one that can benefit both defenders and adversaries. While it enables faster processing and automation, it also increases the speed and sophistication of attacks. States are responding by establishing governance structures and ensuring that AI tools are deployed in controlled environments.
Workforce development is another critical component. New York is expanding its security operations capabilities and bringing in talent from federal and non-governmental organizations. New Jersey, meanwhile, is investing heavily in internships and partnerships with universities, building a pipeline of talent that supports both public and private sector cybersecurity.
At its core, this conversation reinforces a simple but important truth: cybersecurity is not solved by strategy alone. It requires coordination, communication, and continuous adaptation. By operationalizing strategy, sharing information, and building strong partnerships, states like New York and New Jersey are creating a more resilient cybersecurity posture.