Key Takeaways
- The New Mexico Department of Public Safety’s Cybersecurity & Compliance Bureau protects the digital systems that enable law‑enforcement and public‑safety operations across the state.
- As New Mexico’s Criminal Justice Information Services (CJIS) Systems Agency, the bureau helps roughly 1,000 partner agencies meet federal cybersecurity standards, from background checks to encryption and incident response.
- Elevated to a full bureau in fall 2022, the team has shifted from reactive incident handling to proactive policy‑building, risk management, and long‑term resilience.
- Modern cyber threats increasingly rely on sophisticated phishing, AI‑generated messages, identity‑based attacks, ransomware, and supply‑chain compromises, rendering old “look for typos” advice obsolete.
- During a cyber incident, the bureau acts as the “quarterback”—detecting threats, confirming scope, containing damage, leading investigations, and coordinating communication.
- Human judgment remains central; the bureau strives to make security enabling rather than obstructive, fostering a “get to yes, safely” mindset.
- Emerging challenges include AI‑powered impersonation, accelerated vulnerability discovery, and third‑party supply‑chain risks, requiring continual training, intelligence sharing, and adaptation.
- Daily work blends alert investigation, policy drafting, technology project review, and partner outreach—all performed largely out of public view but essential to keeping officers, dispatchers, and investigators operational.
Mission and Core Responsibilities
The Cybersecurity & Compliance Bureau operates under a clear, albeit demanding, mandate: safeguard the criminal‑justice information systems and broader IT infrastructure that keep the New Mexico Department of Public Safety functioning. Chief Information Security Officer Paul Herrera frames the mission as both simple to articulate and substantial to execute—ensuring that public‑safety work never stops because of a cyber disruption. In sports parlance, the bureau serves as the offensive line; when it performs well, its efforts go unnoticed, but any failure is felt throughout the organization. This protective umbrella extends to every police officer, dispatcher, analyst, and investigator who relies on secure, reliable, and available technology to carry out their duties.
Statewide Partnership and CJIS Role
Although housed within the Department of Public Safety, the bureau’s influence reaches far beyond its own walls. The department acts as New Mexico’s Criminal Justice Information Services (CJIS) Systems Agency, the official state liaison with the FBI’s CJIS program. In that capacity, the bureau assists approximately 1,000 criminal‑justice agencies—ranging from large metropolitan police departments to tiny rural sheriff’s offices—in meeting federal cybersecurity requirements. Those requirements span employee background checks, mandatory security training, encryption standards, access controls, incident‑response procedures, and regular audits. Herrera emphasizes that these agencies are considered partners; when they strengthen their defenses, the entire state becomes safer.
From Small Unit to Full Bureau
The cybersecurity function was formally reorganized into a bureau in the fall of 2022, marking a transition from a modest, ad‑hoc unit to a dedicated, structured operation. Initially, the team’s focus was on immediate tactical concerns: detecting attacks, investigating suspicious activity, and responding to incidents. With those foundations now solidified, the bureau’s strategy has broadened. Herrera notes a conscious shift toward spending less time reacting and more time building—crafting policies, standards, and risk‑management practices that ensure cybersecurity remains robust regardless of personnel changes. This proactive stance aims to create durability and resilience across the department’s digital ecosystem.
Evolving Cybercriminal Tactics
Today’s cyber adversaries rarely fit the Hollywood image of a lone hacker typing furiously in a dark room. Many intrusions begin with something deceptively ordinary: a message. Phishing and social engineering remain the most common entry points, with attackers coaxing victims into revealing passwords, clicking malicious links, or divulging sensitive data. What makes these schemes particularly dangerous is their increasing sophistication; attackers no longer rely on obvious typos or awkward language. Artificial intelligence can now generate polished, personalized emails in seconds, rendering traditional advice obsolete. Herrera advises users to verify the request itself, irrespective of how convincing the message appears. Beyond phishing, the bureau observes rises in identity‑based attacks, ransomware campaigns, and threats that originate through compromised software vendors or third‑party suppliers.
Incident Response: The Quarterback Role
When a cyber incident unfolds, the Cybersecurity & Compliance Bureau becomes the command center, analogous to a football quarterback directing the play. Herrera describes the team’s workflow as detecting suspicious activity, confirming whether a threat is genuine, determining its scope, coordinating containment, leading investigations, and managing communication with leadership and partner agencies. Like a quarterback reading the defense and ensuring each teammate knows their assignment, cybersecurity professionals must align everyone’s actions toward a unified response. The first priorities are always to confirm and contain: validate the alert, assess how far the threat has spread, isolate affected systems, preserve forensic evidence, and initiate required notifications. Success hinges on preparation—documented procedures, tabletop exercises, and solid communication plans transform potential chaos into a manageable event.
People‑Centric Security Philosophy
Despite the technical nature of cybersecurity, Herrera insists that people are the most critical factor. Technology can generate alerts and flag anomalies, but humans interpret those signals and decide on appropriate actions. Consequently, the bureau’s philosophy is to make security enabling rather than restrictive: “We find a way to get to yes, safely.” Overly burdensome controls often drive employees to create workarounds, which can inadvertently introduce new vulnerabilities. By supporting users and partner agencies with clear guidance, practical tools, and a collaborative mindset, the bureau aims to align security measures with operational needs, reducing the temptation to bypass safeguards.
Future Threats and Challenges
Looking ahead, Herrera identifies several emerging challenges that will shape the bureau’s priorities. AI‑powered impersonation—where criminals fabricate convincing voice recordings, videos, or messages that appear to come from trusted individuals—poses a significant deception risk. Additionally, artificial intelligence accelerates vulnerability discovery, allowing attackers to uncover exploitable flaws in hours rather than weeks. The growing reliance on shared software and service providers amplifies supply‑chain risk; a single compromise at a vendor can cascade to hundreds of organizations simultaneously. Despite these evolving threats, the bureau remains committed to staying ahead through continuous training, real‑time intelligence sharing, and constant adaptation of its defenses.
Day‑to‑Day Work and Unseen Impact
Herrera paints a picture of the bureau’s routine that is far from cinematic drama. A typical morning might begin with investigating a suspicious alert, shift to reviewing a new technology project, move on to drafting or refining policy documents, and conclude with assisting a law‑enforcement agency in understanding federal security requirements. Each task, though varied, serves the same overarching mission: ensuring that officers can respond, dispatchers can communicate, investigators can access critical information, and public‑safety operations continue without interruption. Much like the unseen support staff behind a championship team—or the superheroes who protect a city without seeking recognition—the Cybersecurity & Compliance Bureau labors largely out of public view. Yet its work is indispensable; in an era where cyber threats grow more sophisticated each day, the bureau’s vigilance keeps New Mexico’s digital infrastructure—and the safety it enables—running smoothly.

