Government cybersecurity does not get the same headlines as a Fortune 500 breach, but the stakes are just as real. The systems being protected hold resident data, election infrastructure, court records, financial operations, and the administrative backbone of cities and counties that millions of people depend on every day. The leaders in this feature have built and sustained security programs inside those environments, across municipal government, county administration, state agencies, and the offices responsible for Colorado’s elections and statewide IT governance.
Tim McCain — Chief Information Security Officer, City of Aurora
Tim McCain has led cybersecurity for the City of Aurora since 2016, overseeing security, privacy, data governance, and risk management across a top-50 US city with 22 business units, 3,500 employees, and a physical footprint that includes more than 8,000 acres of open space, 100-plus parks, and 16 recreation facilities. Before Aurora, he was recruited to Grant Thornton as a manager and promoted to director within two months, where he formalized the information security program and led the firm’s ISO 27001:2013 and 27002:2013 certifications. His regulatory depth spans FISMA, PCI, HIPAA, HITECH, SOX, GLBA, FERPA, CJIS, and federal reserve guidelines, a breadth that reflects the complexity of protecting a city government where multiple regulatory frameworks apply simultaneously. He also taught cybersecurity as an adjunct instructor at the Community College of Aurora.
Joe Milliken — Chief Information Security Officer, City of Westminster
Joe Milliken has spent nearly fifteen years at the City of Westminster, progressing from management intern and systems analyst through IT security administrator before stepping into the CISO role in 2020. He holds a master’s degree in computer science from Colorado State University, a CISSP, and a CISM, and chairs the NCR/UASI regional cybersecurity group that develops multi-jurisdictional security strategies for the Denver metropolitan region. That regional coordination role is worth noting. Municipal CISOs who engage actively at the regional level produce outcomes that extend well beyond their own city’s security posture. He has also written Homeland Security grants whose approved submissions have funded multimillion-dollar security projects, reflecting a practical understanding of how public sector security investment actually gets resourced.
Ashley Bolton — Chief Information Security Officer, Jefferson County
Ashley Bolton’s path to the CISO seat at Jefferson County runs through a career built on enterprise technology leadership rather than a traditional security track. She served as CIO and administrative services director at the City of Littleton, overseeing IT, HR, finance, and procurement, and then as chief data and information security officer for the City and County of Denver, where she led data governance and information security together. That governance-first perspective informs how she now approaches the CISO role. Where many security leaders come up through technical operations, Bolton brings a background in ERP implementations, cloud strategy, managed services, and cross-functional executive leadership that gives her an unusually broad view of how security connects to every other part of how a government organization operates. At Jefferson County, that combination of technology strategy and security accountability is the role.
Gregory Williams — Chief Information Security Officer, Colorado Secretary of State’s Office
Gregory Williams holds a PhD in information technology and teaches as an affiliate professor at Metropolitan State University of Denver alongside his CISO responsibilities, a combination that reflects both the academic depth and the practical orientation of his career. Before joining the Secretary of State’s Office in February 2025, he spent more than five years as enterprise director of security, risk, and compliance at Colorado’s Governor’s Office of Information Technology, where he created the state’s enterprise risk management framework, eliminated more than 5,000 audit findings, streamlined the authority-to-operate process by 60 percent, and served as acting CISO for five years during leadership transitions. He also held a director of network security operations role at Charter Communications, overseeing cybersecurity for customer-facing infrastructure serving millions of residential and commercial subscribers. That combination of statewide government security leadership and large-scale commercial network security experience is unusual in a Secretary of State CISO profile.
Dustin Dezell — Chief Information Security Officer, City of Colorado Springs
When Dustin Dezell stood up the City of Colorado Springs cybersecurity program in 2016, he started with a team of one. He built it into a program with eight analysts, securing one million dollars in funding for EDR, SIEM, DFIR, ZTNA, SSO and MFA, user awareness, and GRC capabilities along the way. He also founded the city’s IT Risk Governance Committee, chaired by the CFO and multiple department directors, which gave senior leadership direct visibility into IT and business risk for the first time. Before moving into the CISO role, he spent three years as IT service manager at Colorado Springs and prior to that provided ITIL consulting and deputy program management support to military and defense organizations through Telos Corporation. That service management foundation shapes how he thinks about security as an operational function, not just a risk function.
Craig Hurter — Senior Director of Information Security, Colorado Governor’s Office of Information Technology
Craig Hurter has spent the past five-plus years at Colorado’s Governor’s Office of Information Technology, holding roles that have included director of security operations, interim director of identity and access management, CISO’s strategic partner and operational proxy, and now senior director of information security with executive accountability for statewide security strategy spanning policy, risk, security operations, IAM, and security awareness across dozens of agencies. Before OIT, he served as CISO of the Colorado Judicial Branch, where he secured a 12 percent increase in security funding, maintained 100 percent team retention through COVID, and strengthened executive understanding of cybersecurity as a governance issue. At OIT, he introduced SOAR capabilities that reclaimed approximately 30 percent of analyst time, expanded MFA adoption to roughly 95 percent of users statewide, and improved mean time to respond by approximately 30 percent. His GIAC GISP certification is the equivalent of a CISSP.
The Work Behind Colorado’s Government Security Posture
What this group reflects collectively is how much public sector security depends on leaders who are willing to stay. Several of these leaders have spent years, in some cases more than a decade, inside the same agency or jurisdiction, building programs that outlast any single initiative or budget cycle. That kind of continuity is not glamorous. It is, however, what actually moves the needle on government cybersecurity over time, and Colorado’s public sector is better for it.
More cybersecurity leaders securing the government: