The Indiana Secretary of State secured sensitive citizen data and modernized complex systems with a very small team. By adopting Wiz, the agency achieved 91 percent alignment with NIST SP 800-53r5, helping to accelerate compliance with Governor Braun’s Executive Order 25-19 while simultaneously eliminating critical vulnerabilities, and creating a transparent, proactive approach to cloud security to support rapid modernization across AWS and Google Cloud.
Challenge
A small IT team had to secure sensitive citizen data across AWS and Google Cloud during a major modernization effort, without dedicated security staff.
Manual security processes and fragmented tools slowed modernization and made it difficult to identify and prioritize issues.
Maintaining compliance during a lift and shift of legacy systems and large modernization program required real-time oversight and clear ownership.
Solution
Indiana Secretary of State gained a single view of its AWS and Google Cloud environments, which helped the small IT team streamline work and reduce manual effort.
With unified visibility in place, the team was able to spot issues quickly, resolve them faster, and stay focused on the highest impact areas.
Clear compliance mapping and guided workflows helped the Indiana Secretary of State comply with Gov. Braun Executive Order 25-19 (2024), while maintaining zero critical vulnerabilities during its modernization effort.
91 percent alignment with NIST SP 800-53r5
across entire cloud estate
10 times more work delivered
with less than half the previous staff
Eliminated all critical
and high vulnerabilities
Modernizing government systems with a small but mighty team
The Indiana Secretary of State’s office protects sensitive information for millions of residents. During a large-scale cloud modernization, the team faced a challenge common across the public sector: deliver modern, cloud-native services with fewer people, tighter timelines, and greater expectations.
With just six developers and five IT staff, the team needed a security approach that provided clarity, not complexity. “I don’t want to be in the newspaper. That’s our goal,” says Chris Duncan, IT Director. For the agency, modernization and trust go hand in hand.
Being able to say we’re at 91 percent compliance for NIST 800 [NIST SP 800-53r5] is huge. There’s not a lot of organizations out there that could say that
Chris Duncan, IT Director, Indiana Secretary of State
Moving legacy infrastructure to modern cloud environments
The team began an ambitious initiative to migrate out of the state data center and move monolithic .NET applications into modern infrastructure. “We’ve lifted, we’ve shifted, we’ve stabilized, and now we’re going through a modernization, complete cloud-native refactoring of those systems, top to bottom,” says CIO Robert Fulk.
This transformation includes projects like Migrate to Modernize in AWS and Captain Record AI on Google Cloud. With more than 2,000 SQL stored procedures and multiple systems moving in parallel, the scale of change required continuous security oversight.
At the same time, the team was smaller than ever. “I don’t have the time and bandwidth, and that’s what Wiz solves. I don’t have dedicated CISOs or FTEs to monitor and figure out our security architecture, network architecture, monitoring, defense, SOC,” Fulk explains.
The limits of manual processes
Manual reviews, scattered tooling, and point-in-time assessments created slowdowns that put modernization timelines at risk. The team needed real-time visibility, consistent compliance checks, and clear guidance that anyone on the team could act on.
“We want a single pane of glass, something that monitors everything, that not only tells you what’s wrong, but how to fix it, and ties it into compliance,” says Fulk.
This need for simplicity and continuous oversight led the agency to Wiz.
Immediate Impact: Hours to Value
The team evaluated different approaches but needed something that could deliver value immediately. Wiz’s agentless architecture made deployment fast and seamless.
Wiz was deployed and up and running within a couple of hours.
Robert Fulk, CIO, Indiana Secretary of State
The platform quickly became a natural part of daily operations. “I come into the office every morning and turn it on. It’s very powerful and very informative in a simple way,” Duncan says. Wiz provided the visibility and prioritization the team lacked, without adding operational overhead.
Achieving high compliance and eliminating critical risk
Wiz helped Indiana Secretary of State reach 91 percent alignment with NIST SP 800-53r5, which is required as a part of the Risk and Authorization Management Program (RAMP) policy outlined in Governor Braun’s Executive Order 25-19. More importantly, the team maintains near-zero critical risk. “What you consider critical and high for us has been pretty much at zero,” Duncan explains.
Wiz automates risk assessment by evaluating impact and likelihood, then prioritizes detected toxic combinations of indicators of risk from low to critical. This gives teams a clear, actionable view of issues so they can focus their time on the fixes that matter most.
When issues do appear, they are resolved quickly. “We have not had any criticals or highs that lasted more than 48 hours.”
Despite limited staffing, the team now operates with confidence and clarity. “Wiz is cost-efficient and effective,” Fulk says.
Transforming culture through visibility and accountability
Wiz helps give every team the clarity they need to own security. This shifts the culture from seeing security as a burden to viewing it as a way to move their mission forward and keep work running smoothly.
For the Indiana Secretary of State, Wiz provided clear, shared visibility, helping their developers take action before issues escalate.
“Our strategy is to overwhelm. Everybody has eyes on Wiz, everybody can see and be alerted and know what is going on in their environment,” Duncan explains.
This transparency creates meaningful accountability and faster fixes. “Wiz has been instrumental in pointing out to our developers exactly where a fix needs to be made, and why it's necessary,” Duncan says.
If something is misconfigured, Wiz highlights the issue immediately. Developers adjust their Terraform, update their workflows, and move forward more securely.
Wiz has been great because it notifies us immediately. We shut issues down right away and can explain exactly why.
Robert Fulk, CIO, Indiana Secretary of State
Enabling secure modernization at scale
Indiana continues to modernize rapidly. Four enterprise systems, six cloud projects, and multiple AI initiatives all move forward in parallel, supported by Wiz’s real-time visibility.
“Probably one of the best vulnerability scanners that I’ve seen in a long time. Great oversights,” Duncan reflects.
Wiz makes it easy to move quickly without sacrificing safety. “We don’t have to sift through megabytes of server logs. Instead, we get clarity. Here’s what’s wrong, here’s what it doesn’t comply with, and here’s how to fix it,” Fulk explains.
Looking ahead
The agency is positioned to keep modernizing with confidence. Wiz gives the team the visibility and guidance to stay ahead of risk, maintain compliance, and support ambitious digital services for citizens.
Many public sector organizations often face a choice between modernization and security. Indiana Secretary of State has shown that with the right platform, both are possible.
