Every superhero story has a team working behind the scenes.
They don’t wear capes. They don’t run onto the field under stadium lights. Most people will never know their names. But when a crisis hits, they are already in motion – tracking threats, coordinating responses, and protecting the systems that thousands of people depend on every day.
At the New Mexico Department of Public Safety, that team is the Information Technology Division’s Cybersecurity & Compliance Bureau.
And according to Chief Information Security Officer Paul Herrera, their mission is straightforward: protect the digital systems that keep the department running.
“Our mission is simple to say and big to do,” Herrera said. “Protect criminal justice information and the department’s systems so that public safety work never stops.”
In sports terms, the bureau functions as the offensive line if you will. If they do their job well, nobody notices. If they fail, everyone feels it.
Behind every police officer, dispatcher, analyst, and investigator is a network of technology that helps them do their jobs. The Cybersecurity & Compliance Bureau works to ensure those systems remain secure, reliable, and available, even when cybercriminals are trying to break in.

Protecting more than one team
Most people assume the bureau’s responsibilities stop with the New Mexico Department of Public Safety. In reality, the team’s reach extends across New Mexico.
The department serves as New Mexico’s Criminal Justice Information Services (CJIS) Systems Agency, the state’s official liaison with the FBI’s CJIS program. That means they helps approximately 1,000 criminal justice agencies throughout New Mexico meet federal cybersecurity requirements.
Those agencies range from large metropolitan police departments to small rural sheriff’s offices.
“We consider those agencies our partners,” Herrera said. “When they succeed, the whole state is safer.”
The requirements cover everything from employee background checks and cybersecurity training to encryption, access controls, incident response procedures, and audits.
It’s a massive responsibility, and one that has grown significantly in recent years.
From small unit to full bureau
The cybersecurity program officially became a bureau in the fall of 2022.
Since then, the team has evolved from a small function into a dedicated operation focused on both defense and long-term strategy.
Herrera says the bureau initially concentrated on the most immediate risks: detecting attacks, investigating suspicious activity, and responding to incidents.
Now that foundation is established, the focus is expanding.
“We’re trying to spend less time reacting and more time building,” he said.
That means creating policies, standards, and risk-management practices that ensure cybersecurity remains strong and durable regardless of who occupies a particular position.

The new playbook of cybercrime
Today’s cybercriminals rarely resemble the movie stereotype of a lone hacker furiously typing in a dark room.
Instead, many attacks begin with something surprisingly ordinary – a message.
Phishing and social engineering remain among the most common methods criminals use to gain access to systems. Attackers trick people into revealing passwords, clicking malicious links, or providing sensitive information.
And those attacks are becoming harder to spot.
“Attackers don’t always break in anymore,” Herrera explained. “Often they just log in with credentials they tricked someone out of.”
Artificial intelligence has accelerated that trend.
For years, cybersecurity professionals advised people to look for poor grammar, spelling mistakes, or awkward wording in suspicious emails. Today, AI can generate polished, personalized messages in seconds.
“The advice we gave people for years is mostly obsolete,” Herrera said. “Now we tell people to verify the request itself, no matter how polished the message looks.”
Cybersecurity teams are also seeing increases in identity-based attacks, ransomware campaigns, and threats that originate through software vendors and third-party suppliers.
The quarterback during a crisis
When a cyber incident occurs, the Cybersecurity & Compliance Bureau becomes the command center.
Herrera describes the team’s role using a familiar sports analogy.
“We’re the quarterback,” he said.
The bureau detects suspicious activity, confirms whether a threat is real, determines its scope, coordinates containment efforts, leads investigations, and manages communication with leadership and partner organizations.
Like a quarterback reading a defense and directing teammates, cybersecurity professionals must ensure every participant understands their role and executes the plan together.
The first priorities are always the same: confirm and contain.
Teams verify that an alert represents a genuine threat, determine how far it has spread, isolate affected systems, preserve evidence, and begin necessary notifications. Success depends heavily on preparation long before an incident occurs.
“The work you do before an incident decides how the incident goes,” Herrera said.
Documented procedures, practiced exercises, and strong communication plans can transform what might otherwise be chaos into a manageable response.

Why people matter most
Although cybersecurity often appears highly technical, Herrera says people remain the most important factor.
“Technology can detect unusual activity and generate alerts, however humans decide what those alerts mean and what actions should follow,” he said.
That philosophy shapes how the bureau approaches security. Rather than creating barriers, Herrera says the goal is to support employees and partner agencies.
“Our philosophy is that security doesn’t say no,” he explained. “We find a way to get to yes, safely.”
If security measures become too cumbersome, people will find workarounds, and those workarounds often create new vulnerabilities.
Watching the horizon
Looking ahead, Herrera sees several emerging challenges.
One is AI-powered impersonation, where criminals can generate convincing voice recordings, videos, and messages that appear to come from trusted individuals.
Another concern is speed.
Artificial intelligence can help attackers discover vulnerabilities faster than ever before. Tasks that once required significant expertise and weeks of effort can now potentially be accomplished in hours.
The third challenge involves supply-chain risk – the growing dependence on shared software and service providers. A single compromise at one vendor can affect hundreds of organizations simultaneously.
Yet despite the evolving threats, the bureau remains focused on staying ahead through training, intelligence sharing, and constant adaptation.
“The threats change every week,” Herrera said. “So what we know has to change with them.”

The work behind the shield
Ask Herrera what the job actually feels like, and he doesn’t describe dramatic movie scenes.
Instead, he describes a typical morning.
One hour may involve investigating a suspicious alert. The next might focus on reviewing a new technology project. Later, he could be writing policy documents or helping a law enforcement agency understand federal security requirements.
Different tasks. One mission.
Like the unseen support staff behind a championship team – or the superheroes who protect a city without seeking recognition – the Cybersecurity & Compliance Bureau operates largely out of public view.
But while most New Mexicans may never meet the people protecting the state’s digital infrastructure, their work helps ensure officers can respond, dispatchers can communicate, investigators can access information, and public safety operations continue uninterrupted.
In a world where cyber threats are growing more sophisticated every day, that’s a mission that never takes a day off.
Story by New Mexico Department of Public Safety Public Information Officer John Heil.
