Cybersecurity is at the forefront of modern government operations, impacting everything from national defense to disaster response and healthcare delivery. In this Q&A, Rebecca Cradick, Global Communications leader at Armis, speaks with one of our Federal Advisory Board (FAB) members, Rob Thomas. Their conversation was part of the Armis Bad Actors podcast series, highlighting the issues and technologies shaping the cybersecurity landscape.
Rob is a former Federal Chief Information Officer (CIO) with over three decades of government experience. He shares insights into the challenges, priorities, and strategies shaping today’s cybersecurity landscape. Drawing from his leadership roles at the Department of Veterans Affairs (VA), FEMA, and the US Air Force, Rob discusses the importance of balancing mission-critical operations with robust cybersecurity, the value of public service, and the future of frameworks like Zero Trust.
Q: Can you tell us about your background and experience in government service?
I’ve been fortunate to have a long and rewarding career in government service. I’ve worked as a Federal CIO for major agencies like the Department of Veterans Affairs (VA), FEMA, and the US Air Force. I managed a $5 billion IT budget at the VA and oversaw day-to-day operations across a massive infrastructure. Now, I’m the founder of T2 Ridge Consulting and serve on the Federal Advisory Board for Armis, where I can continue contributing to the cybersecurity space.
Q: How do you view the role of cybersecurity in government agencies?
Cybersecurity is everything—it kept me up at night during my time in government. It’s a 24/7 priority, especially when you’re responsible for critical systems supporting healthcare, disaster response, and national defense. But cybersecurity can’t come at the expense of the mission. Whether providing care to veterans, responding to disasters, or supporting the Air Force’s operations, the systems must stay up and running no matter what. It’s a serious challenge to balance cyber risk and interruption of the mission. The mission must go on and protecting data is job one.
Q: What were some of your biggest challenges as a CIO?
One of the biggest challenges was balancing the need for proactive cybersecurity measures with keeping the lights on. You’re constantly under attack from sophisticated adversaries who have access to state-sponsored funding, AI, and advanced tools. On top of that, managing vast IT infrastructures with limited resources and workforce shortages made the job even more demanding.
Q: How critical is hiring the right people for cybersecurity roles?
Hiring the right people, especially CISOs, is one of the most essential things a CIO can do. The CISO is the linchpin of any cybersecurity operation. I had to remove the CISO and hire a new CISO in my first 90 days serving as CIO, and that is not for the faint of heart. Beyond hiring, it’s about organizing, training, and equipping your team with the tools and resources they need to succeed. I’ve always believed in building a resilient and capable team—it’s the foundation of any successful cybersecurity strategy. The real challenge for Federal CIOs is competing for the same talent that everyone in industry also covets. The Fortune 500 can and does offer a much higher compensation package for this talent.
Q: Why do you think people choose to serve in public sector cybersecurity roles?
Public service is a higher calling—serving something bigger than yourself. Serving in a role that is mission critical serving our citizens is a lure for many. I’ve always been driven by the chance to make a meaningful impact, whether protecting veterans’ data, ensuring disaster response, or safeguarding our national defense. Sure, the private sector might offer higher salaries, but the fulfillment you get from serving your country is unmatched. It is a noble job in public service that drives some to public service.
Q: Compliance often gets a bad reputation in cybersecurity. What’s your take on it?
I’ll admit compliance gets a bad rap, but it shouldn’t. It’s not about checking boxes—it’s about using compliance frameworks to guide real improvements in your cybersecurity posture. When I was in government, I dealt with FISMA audits, GAO and OIG reviews, and while they could be painful, they helped us prioritize what needed to be done. Compliance should inform your strategy, not overshadow your mission.
Q: What’s your perspective on Zero Trust in government cybersecurity?
Zero Trust is the next evolution in cybersecurity. It’s not just a buzzword—it’s a necessity. Every agency needs a Zero Trust plan. But it’s not about chasing shiny objects; it’s about addressing your vulnerabilities, focusing on your most critical services, and staying ahead of adversaries. For me, inventory and vulnerability management are key pillars. Tools like those from Armis can play a huge role in automating network audits and supporting Zero Trust implementation.
Q: How do political transitions affect government cybersecurity efforts?
Political transitions are part of the job in government. I led the transition from the Obama administration to the Trump administration at the VA. As a career executive, I provided continuity and ensured the mission stayed on course, regardless of the administration. That’s why career civil servants are so important—they provide the stability needed to navigate changes in leadership, ensuring the career workforce pivots to the incoming leadership, while keeping the focus on zero interruption or delaying the mission and the long-term goals.
Q: Workforce shortages in cybersecurity are a big issue. How do we address them?
We must focus on organizing, training, and equipping our people. At the VA, we introduced a special salary rate that allowed us to pay cybersecurity professionals up to 20% more than the federal standard, which helped attract and retain talent. Beyond salaries, career progression and certifications are critical. People need to see a clear path for growth and feel supported in their development. The very best and the most talented are needed in Government and salary is one of those levers CIOs can use to retain them.
Q: What role do public-private partnerships play in strengthening cybersecurity?
Collaboration between government and private industry is essential. When I was in government, we worked closely with companies like Armis to leverage their expertise and tools. These partnerships are vital for staying ahead of threats and improving resilience. No single entity can tackle cybersecurity alone—it’s an all of team effort.
Q: How do you stay motivated in the face of constant challenges?
It’s the mission that drives you. I’ve always believed in the importance of what we do, whether it’s for veterans, disaster survivors, or airmen. It’s not easy—you work long hours, face endless challenges, and deal with sophisticated adversaries. But knowing that your work makes a difference keeps you going. It’s about serving something greater than yourself.
Q: You were recently inducted into the Air Force Cyber Hall of Fame. What was that like?
It was the greatest professional honor of my life. I was nominated by a four-star general and inducted in my first year of eligibility. It’s surreal to look back on my career and see it recognized in such a meaningful way. It’s a testament to the incredible teams I had the privilege of working with and the missions we accomplished together.
Cybersecurity in government is a dynamic and critical field that requires a delicate balance between proactive defense and mission continuity. Rob’s experience underscores the importance of strong leadership, collaboration, and workforce development in building resilient systems. Whether through implementing Zero Trust, leveraging public-private partnerships, or staying motivated by the mission, his insights offer valuable guidance for addressing the evolving challenges of cybersecurity today.