State and local governments across the US are facing a perfect storm of escalating cyber threats and shrinking budgets. While the private sector races to deploy agentic AI security tools, many public sector organizations are still in the early stages of even thinking about AI, let alone defending against AI-powered attacks.
At RSAC 2026, Expert Insights sat down with Dan Lohrmann, Field CISO for Public Sector at Presidio, a digital solutions provider with a security practice generating north of a billion dollars in cybersecurity sales.
In this Q&A Lohrmann discusses how the CISO role has evolved since the early days after 9/11, why most state and local governments are on the wrong end of the AI adoption curve, how federal grant cuts are creating a fiscal cliff for public sector security, and why identity and fraud have become the defining challenges of this era.
Q. Can you tell us a bit about your background to kick things off?
Sure. I started my career at the National Security Agency and got my master’s at Johns Hopkins. From there I went to work at RAF Menwith Hill in England with Lockheed. The company was originally Loral; they got bought by Lockheed, and then they lost the contract to ManTech International. I was a technical director over there, doing networking. I can’t talk about my job; everything is classified. But I was working with US and UK military intelligence and GCHQ.
Then I came back and spent 17 years in Michigan state government. I started out as an assistant CIO over management and budget, then I was the state’s chief technology officer for e-Michigan building Michigan.gov, which was the first portal for the whole state government enterprise. Then after 9/11, we created the CISO role enterprise-wide. I was the first CISO in Michigan. Then I became CTO of Michigan, and went back to security over physical and cybersecurity. We actually created a CSO role (combining physical and cybersecurity) before CISA did. DHS came out and was looking at what we did in Michigan and kind of built their model using many of our approaches.
I went to the private sector in 2014 and I’m now with Presidio as the Field CISO. I mainly focus on public sector. That’s the unique expertise that I bring, and build trusted relationships with government leaders across the country. I work with all our vendor partners, all the big ones: CrowdStrike, Zscaler, IBM, Microsoft, Google, AWS. My focus is thought leadership and helping state and local governments and universities build effective strategies and cyber plans. I do a lot of keynote speaking around the country, working with CISOs in the public sector.
Q. Tell us a bit about Presidio and what you are doing to help CISOs in the public sector.
Presidio is a digital solutions provider, privately held, working globally. We’re actually acquiring several companies around the world right now. We have a large security practice, spanning advisory, implementation, and 24/7 managed operations. We partner with all the biggest companies and provide managed services and solutions.
My focus in the public sector is really providing insights and value to CISOs and working with our partners, helping them build strategies, think about priorities, think about things like digital transformation. I work across state, local government, and education. So big cities, counties, universities. It’s really about building trusted relationships with CISOs across the country and providing thought leadership in that space.
Q. As someone who has been there and done it since the early days of the CISO role, how has the role evolved over time? What is keeping CISOs up at night at the moment?
People say that’s the same question we were asking 20 years ago, and there’s a lot of similarities. I hate to use a lot of analogies, but it’s a little bit like March Madness. You have these teams that were great and they’re not so good anymore, and other teams that were not so good that are great now. But it’s still basketball. The game has changed, but at its core, it’s still basketball.
When I was CISO in Michigan, we had a statewide strategy. We were one of the first states to move to a very centralized approach. Most states now have kind of gone to a more centralized approach, but some states are still decentralized and some are hybrid. You have leaders, followers, and laggards. We were a leading state, and a lot of it comes down to leadership and the relationships and trust with the governor or the mayor.
I’ll tell you, this does not tend to be a political party issue. It doesn’t tend to be Republican or Democrat. I’ve never seen a politician who raised their hand and said, ‘I want to be hacked.’ Nobody wants to be hacked. When I was in Michigan, we had Governor Rick Snyder, who came from Gateway Computers. He’d made a lot of money in the private sector. He kind of led with cybersecurity, which was rare for a governor. His tagline was ‘one tough nerd.’ He got it, and he really wanted to invest in cybersecurity and be a leading state. Most governors aren’t like that. Most are talking about the economy, the budget, education.
So the CISO role really depends on where you sit. Some CISOs are very engaged today in AI, in the enterprise approach, in business transformations. Others tend to be much more focused on the back office: securing the networks, securing the phones, securing the laptops. They’re not as involved on the business side. It really is like a bell-shaped curve.
Q. When it comes to things like AI, is adoption in the public sector slower than the speed we are seeing in the private sector?
It is slower. The challenges we’re seeing on the show floor right now, and the conversations we just had at dinner last night with public sector CISOs, confirm that. Almost no CIO or CISO in the country will say they’re not talking about AI. But if you had a scale from one to ten, with ten being bleeding edge and zero being ‘we’re thinking about it, we’ve done a few training sessions,’ most states would be on the beginning part of that scale. They’re much slower on the curve.
The thing that’s different now is the stakes are higher. People understand a lot more. I was kind of fighting uphill in the early days to get attention. Although, remember, we had just had 9/11, so there was attention around physical security. And government was going online; websites were popping up, closing buildings, saying we need to be able to renew your driver’s license online, pay your taxes, reserve a campground. So there was general knowledge about securing that, but it wasn’t as dramatic as shutting down critical infrastructure. Now, with wars and what’s going on, the stakes are so much higher.
Q. It does seem that the threat level against states is growing. We have seen a lot in the news, with Nevada last year for example. It does seem like states are becoming bigger targets for APTs.
I think absolutely, that’s a huge challenge. Kevin Mandia from Mandiant said a couple of weeks ago on a CNBC interview that within two years, all attack and defense will be autonomous. I think that’s a little bit aggressive. Whether it’s two years, three years, or four years, I’m not sure. But that’s the way we’re going. And most state and local governments are not ready for that.
That is just a whole different world of autonomous agents running the SOCs. Walking the floor today, I’ve been talking to different companies. Talking to Akamai about billions of bot attacks per day. You’ve got agentic AI attacking you, and you’ve got to have real-time ability to see that. A lot of states have CrowdStrike or Zscaler or other cyber tools, but they just don’t have the visibility into those numbers of attacks and what’s coming at them. They’re maybe using some AI to help prioritize their actions, but most state and local governments are certainly not in autonomous response. That is not happening.
Q. Is there a risk that as the private sector potentially becomes more secure, the public sector is left exposed to the AI threat without being able to take advantage of it?
The budgets are a huge issue. There’s a lot of fear right now. A lot of the talk at the Billington Conference was around cuts to grants, less federal support. There were a lot of federal grants in the US in fiscal year 2024 and fiscal year 2025, and you’ve got three years to spend that money. So people are still spending their FY24 and FY25 money. The big issue is what happens when that stops in 2026.
There’s still talk that maybe there’ll be more money. There’s still hope. We’ve talked to legislators, to Congress, to people at the White House. But meanwhile, all the focus right now is on other things, and it’s not guaranteed we’re going to get new grant money. Many, many states are struggling. You have leading states that have the budget, and you have others facing big cuts right now. A lot of states are doing layoffs, not because AI is taking jobs, but just due to underlying budget issues and not filling positions.
One of the big differences with government and the private sector is how budgets work, how things are procured, the processes people have to go through with RFPs and competition. Some states literally have travel freezes. CISOs who were supposed to come to RSA or attend the Billington Conference couldn’t leave the state. That’s not widespread, but it is out there.
Q. Without getting too political, would you want to see more federal action to help states and local governments invest in this area?
Absolutely. There’s a lot of good guidance, but a lot of local governments don’t have the capabilities. We have a ‘whole of state’ approach that’s become pretty popular. So, if a county or city gets hit with ransomware, the state can come in and help. Or the state can take the money and say, ‘How can we best spend half a million dollars?’ Maybe it’s not by giving all the jurisdictions $5,000 each. Maybe we buy a statewide license for a product and distribute the licenses. So everybody gets a CrowdStrike or a Zscaler or other capability.
Q. One of the other things I wanted to talk about is identity and access management. With the AI threat, there has been a lot on the show floor around it. What are your thoughts?
Identity is front and center. It was a huge topic yesterday at the RSA public sector day. The identity challenge is coming from so many different directions: passwordless, citizen identity, internal enterprise identity for government employees. It’s even a political issue in the US with all the talk about elections and whether you should show ID to vote. Sadly, it all gets thrown in the same basket in many cases.
Identity is core to zero trust. Most states have an identity strategy, but again, you’ve got a full bell-shaped curve around where states are in the process. Some are much further along than others.
Q. One of the big discussions on the show floor has been around agentic AI identity. How do you see that challenge?
Whether it’s five-to-one or ten-to-one agents for every human identity, you’ve got to treat an agentic identity the same as a human identity. I’ve heard that probably five or six times from different vendors on the show floor in the last four hours. And it’s like, we’re not there. Philosophically, people understand that. But I don’t think a lot of states are going to be there even by next year.
Then there’s the ability to use different types of threat detection to know whether that’s a human identity or an agentic identity, and then the governance around that: what they can do, what they can’t do, can you sandbox them, can you really control them. There are stories about agents that escalated their authority and went out and started trading crypto. The ability to even detect and control that, I think there are still huge challenges.
And the broader question of shadow AI is still a big issue. We were writing about it two years ago, but it’s widespread now. The CISOs and the central SOCs can’t even know what all their people in government are doing with Claude, ChatGPT, Gemini, and OpenAI. Everybody talks about the single pane of glass, but most states don’t have that visibility.
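As an added illustration of the governance point in the answer above (this is example code written for this article, not anything from Presidio or the interviewee), the snippet below treats agent identities as first-class identity records with an accountable owner, an explicit allow-list of actions and a short credential lifetime, then replays a small constructed audit log against those records. It flags the two failure modes mentioned in the answer: an agent acting outside its scope, and an agent changing its own privileges. The identity names, action names, the one-hour TTL limit and the sample events are all assumptions made for the example.

```python
"""Added example: governance checks for agent and human identities.

Identity records, action names, the TTL limit and the audit events below are
constructed for illustration; they are not taken from any real directory.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed policy: an agent credential must not outlive one hour. This is an
# example value, not a published standard.
MAX_AGENT_TTL = timedelta(hours=1)

# Actions that change who can do what. An agent performing any of these is
# reported even if its allow-list mistakenly permits the action.
PRIVILEGE_ACTIONS = frozenset({"grant_role", "create_identity"})


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                       # "human" or "agent"
    owner: Optional[str]            # agents must name an accountable human
    allowed_actions: FrozenSet[str] # explicit allow-list; "*" means anything
    token_ttl: timedelta            # credential lifetime for this identity


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    action: str
    target: Optional[str] = None


def validate_identity(ident: Identity) -> List[str]:
    """Return governance problems with one identity record (empty = clean)."""
    problems: List[str] = []
    if ident.kind not in ("human", "agent"):
        problems.append("unknown_kind")
    if ident.kind == "agent":
        if not ident.owner:
            problems.append("agent_without_owner")
        if "*" in ident.allowed_actions:
            problems.append("agent_wildcard_scope")
        if ident.token_ttl > MAX_AGENT_TTL:
            problems.append("agent_token_ttl_too_long")
    return problems


def _permits(ident: Identity, action: str) -> bool:
    return "*" in ident.allowed_actions or action in ident.allowed_actions


def evaluate_events(directory: Dict[str, Identity],
                    events: List[AuditEvent]) -> List[Tuple[str, str, str]]:
    """Replay audit events against the directory; return (rule, actor, action)."""
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        ident = directory.get(ev.actor)
        if ident is None:
            # Activity from an identity nobody registered: classic shadow agent.
            findings.append(("unknown_identity", ev.actor, ev.action))
            continue
        if not _permits(ident, ev.action):
            findings.append(("out_of_scope", ev.actor, ev.action))
        if ident.kind == "agent" and ev.action in PRIVILEGE_ACTIONS:
            findings.append(("agent_privilege_change", ev.actor, ev.action))
        if ident.kind == "agent" and ev.target == ev.actor:
            # An agent touching its own identity record is how escalation starts.
            findings.append(("agent_self_modification", ev.actor, ev.action))
    return findings


# Constructed directory: one human, one well-scoped agent, one badly scoped agent.
DIRECTORY: Dict[str, Identity] = {i.name: i for i in [
    Identity("j.doe", "human", None,
             frozenset({"read_invoice", "approve_po", "grant_role"}), timedelta(hours=8)),
    Identity("procurement-bot", "agent", "j.doe",
             frozenset({"read_invoice", "create_po"}), timedelta(minutes=30)),
    Identity("legacy-bot", "agent", None, frozenset({"*"}), timedelta(days=30)),
]}

# Constructed audit log: normal activity plus the escalation and off-scope cases.
SAMPLE_EVENTS: List[AuditEvent] = [
    AuditEvent("j.doe", "approve_po", "PO-1001"),
    AuditEvent("procurement-bot", "read_invoice", "INV-7"),
    AuditEvent("procurement-bot", "grant_role", "procurement-bot"),
    AuditEvent("procurement-bot", "trade_crypto", "exchange"),
    AuditEvent("ghost-agent", "read_invoice", "INV-8"),
]

if __name__ == "__main__":
    for name, ident in DIRECTORY.items():
        print(name, validate_identity(ident) or "ok")
    for finding in evaluate_events(DIRECTORY, SAMPLE_EVENTS):
        print(*finding)
```

The record check and the event replay are deliberately separate: the first catches agents that were provisioned without an owner, with a wildcard scope or with long-lived credentials, before they ever act; the second catches the runtime behaviour a SOC would want an alert on, and it fires on the privilege change regardless of whether the allow-list happened to permit it.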
Q. Is there a business case that’s helping drive identity investment in the public sector?
Yes, and that’s the fraud issue. All the money that was lost with COVID, all the Medicare fraud, all the fraud in government programs, that is driving a lot of the identity projects. It’s an ROI issue. People always talk about return on security investment. But you can show that with fraud. If we just lost $100 billion in fraud, the math is pretty straightforward. So fraud becomes the business case for identity investment. That’s big in a lot of states right now, and a lot of projects are using fraud as their business case.
We went from ‘you need better passwords, longer passwords, complex passwords,’ to two-factor, to multi-factor, to passwordless. And now it’s also about saving money. If I can save you $100 billion nationwide – or even millions in individual states or local governments, there’s a lot more incentive to get identity right.