CISO Diaries: Nicolle Rosecrans on Trust, Resilience, and Securing a Living Digital Ecosystem

In public-sector cybersecurity, the stakes are rarely abstract. For Nicolle Rosecrans, Chief Information Security Officer at Arapahoe County, the work begins with a simple but demanding mandate: protecting the systems, data, and services that nearly 620,000 residents rely on every day. With a background shaped by law enforcement and emergency management, her approach to cybersecurity is grounded in real-world disruption, where incidents are not theoretical events, but moments that can impact people, services, and public trust in real time. That perspective carries through her leadership style, where security is defined less by tools and more by communication, preparedness, and resilience under pressure.

In this edition of CISO Diaries, Rosecrans shares how her role shifts constantly between strategy and operations, and why relationship management has become one of the most critical and mentally demanding parts of modern security leadership. She reflects on the importance of building security programs that enable government departments rather than slow them down, the growing shift toward identity- and AI-driven risk, and why the future of cybersecurity will be defined less by protecting static environments and more by governing fast-changing digital ecosystems. Her perspective highlights a central truth of public-sector security today: success depends as much on trust and alignment as it does on technical defense.

How do you usually explain what you do to someone outside of cybersecurity?

I explain that my job is to help protect the County’s systems, data, and people from cyber threats. A lot of what I do is risk management: understanding what could go wrong, putting protections in place with people, processes, and technology, preparing for incidents, and helping our leadership make informed decisions. I also tell people that cybersecurity is not just a technical field; it’s people. It’s about communication, trust, emergency response, policy, people, and resilience. My background in law enforcement and emergency management shaped the way I approach cybersecurity because, at the end of the day, we are preparing for, responding to, and recovering from incidents that can impact real people and critical services. 

What does a “routine” workday look like for you, if such a thing exists?

No day is the same, and there is not a perfectly routine workday in cybersecurity. Most days involve a mix of reviewing risks, working with our infrastructure teams and cybersecurity team, responding to service tickets and questions from departments, evaluating vendors or contracts, reviewing security issues, and helping move projects forward. A lot of our work involves building and maturing the County’s security program through tools such as browser security, antivirus solutions, EDR, vulnerability management, incident response planning, and policy development, as well as helping our disciplines understand why security controls matter. Some days are strategic and focused, while others are very operational and reactive. The job requires being able to move between both. 

What part of your role takes the most mental energy right now?

Without a doubt, relationship management. We have to protect the County, but we also have to understand the business need and the operational impact of every decision. In the public sector, we do not have unlimited people, tools, or funding, so every decision has to be intentional. All of my mental energy is spent thinking through how to mature the program in a practical way without overwhelming departments or creating unnecessary friction. 

What’s one security habit or routine you personally never skip? (Work or personal.)

I never skip my 4 AM workout. It has become my foundation in a world where so much is outside of my control. Life will always throw unexpected speed bumps in my way, but starting my day with one intentional, disciplined choice gives me a sense of control, clarity, and resilience. That routine has become more than exercise; it is a lifeline that helps me show up better personally and professionally. 

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

I try to practice the same security habits I emphasize when educating County employees. At a high level, that includes using multi-factor authentication, strong, unique passwords, and a password manager. I also use tools that help reduce my digital footprint online, call-blocking/call-guard features, and I make it a priority to keep my personal devices and applications updated and patched. I am also cautious with unexpected emails, texts, and links. My general rule is that if something seems unusual, urgent, or unexpected, I do not engage with it directly. If it is truly important, the sender can contact me through another trusted method.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

Books to read include The Secret to Cybersecurity by Scott E. Augenbaum (by far my favorite book), The Unthinkable by Amanda Ripley, and How to Measure Anything in Cybersecurity Risk by Douglas Hubbard and Richard Seiersen. My favorite podcasts are Hacking Humans, Voices of the Vigilant, Darknet Diaries, and Cyberwire Daily. One resource that has influenced how I think about leadership is emotional intelligence training. I believe technical skills matter, but leadership in cybersecurity requires communication, particularly storytelling skills, self-awareness, empathy, and the ability to stay calm under pressure.

What’s a lesson you learned the hard way in your career?

It’s okay to not be right. In security, you can understand the risk and still fail to move people if you do not communicate in a way they can understand and act on. I have learned that relationships matter more than your technical skills. Trust matters. Timing matters. You have to meet people where they are, especially when you are asking them to change behavior that may feel inconvenient. 

What keeps you up at night right now, from a security perspective?

I actually sleep really well, which may sound surprising in this field. But the things I think about most are, of course, ransomware, identity-based attacks, third-party risk, and the possibility of a cyber incident disrupting public services. Being vulnerable for a moment, I also think about the responsibility of leading in a field where there is always more to learn. There are seasoned CISOs and technical experts with deeper experience in certain areas, and I am very aware of that. But I also see that as one of my strengths. I stay curious, ask questions, move quickly, and am not afraid to learn from failure. Cybersecurity changes too fast for anyone to know everything, so I try to lead with humility, adaptability, and the confidence to keep moving forward.  

How do you measure whether your security program is actually working?

I think technical metrics, risk reduction, and organizational maturity are important. But I tend to look for less obvious signs. Are departments engaging security earlier? Are executives asking better questions? Are we improving response times? Are we making security part of normal business operations instead of something separate? To me, those are signs the program is maturing. 

What advice would you give to someone stepping into their first CISO role today?

Always listen first. Learn the organization, the people, the politics, the business needs, and the existing pain points before trying to change everything. Understand the culture before understanding the technical environment. Build relationships early with your businesses, executive leadership, and department leaders. 

What do you think will matter less in security five to ten years from now?

I think manual, repetitive security work will matter less as automation and AI become integrated into security operations. That doesn’t mean people will matter less – because people are always the most important asset – but it means our work will shift. 

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

I wholeheartedly think our time as security professionals will be spent on governing artificial intelligence, automation, data use, and identity. This includes understanding where data is going, how AI models are being used, which decisions are being automated, and how we are protecting sensitive information in rapidly changing environments. I personally think security teams will spend more time managing who or what has access. Not just employees, but service accounts, bots, AI agents, vendors, etc. The future of security will be spent less on protecting a fixed environment and more on governing a constantly changing ecosystem of people, processes, and technology. If we are not already utilizing Artificial Intelligence in defensive and offensive ways, we are behind.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.