How state and local CIOs can push their cyber resilience plans forward in 2024
From Dallas, Texas to Lowell, Mass., it’s been evident that in 2023, state and local governments have been prime targets for ransomware attacks and other bad actors. Now, as we look to the year ahead, the reality is this: cyber threats are worsening, the attack landscape is growing more complex and severe by the day, and adversaries are increasingly recognizing the vulnerability and susceptibility of state and local governments.
As we head into the new year and state and local organizations remain top targets for malicious actors, here are some of the ways that state and local chief information officers (CIOs) can make the most of strained resources and limited funding to drive resilience efforts forward.
Shifting the focus
When it comes to bolstering resilience, it’s been a long-held misconception that prevention is the metric for “perfection” in cyber. But in our hybrid, hyperconnected world, “prevention” is no longer an accurate reflection of resilience (and in the world of cybersecurity, there’s no such thing as perfection). The field that we’re playing on is constantly widening, expanding and evolving, and the rules change as new threats emerge.
As the threat landscape has grown more severe and unrelenting over the years, it’s time we start recognizing and redefining resilience: it’s no longer a matter of preventing breaches and other attacks from occurring—it’s about ensuring critical information remains safeguarded and operations continuous in the face of inevitable attacks and breaches.
The best way to achieve this kind of operational consistency and resilience, particularly as threats evolve, is by adopting the Zero Trust framework. A widely recognized industry best practice predicated on the principles of “assume breach” and “least privilege,” Zero Trust advocates for a default-deny approach to cybersecurity: nothing communicates unless a policy explicitly permits it. In fact, it’s become the de facto standard for agencies and other federal organizations as they look to make good on the objectives outlined in the Biden Administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity, as well as other evolving cybersecurity mandates and regulations.
However, where agencies and public sector CIOs often fall short in their Zero Trust journeys is by focusing too much on perfection over progress. IT leaders will frequently aim to perfect each goal or step as outlined by a piece of guidance or a given model. For example, with CISA’s Zero Trust Maturity Model, released in 2022, organizations often seek to master a single phase or pillar (e.g., “identity”) before moving on to the next. But in doing this, they’re leaving critical security gaps unplugged in their devices, networks, applications and data that are readily available for bad actors to exploit.
Instead of focusing on perfecting one goal or pillar at a time, IT leaders must focus on holistic progress in 2024. It starts with first understanding and identifying where your most critical assets lie; then prioritizing and remediating any gaps in your current security architecture, for example by patching and immediately addressing known vulnerabilities and by segmenting critical assets away from vulnerable communications or infrastructure; and then implementing and enforcing granular security policy across environments.
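The two ideas above (a default-deny posture, and prioritizing the gaps that touch your most critical assets) can be made concrete in a few dozen lines. The following is an added example, not code from the article or from Illumio: a minimal segmentation policy evaluator that denies every flow unless an explicit rule allows it, flags hosts missing from the asset inventory, and ranks the denied flows by the criticality of the destination so remediation starts where it matters most. The asset inventory, segment names, rules and flow records are all constructed for illustration.

```python
"""Added example: default-deny segmentation policy check over sample flows.

Assets, segments, rules and flow records are constructed; hostnames and
segment names are assumptions, not taken from any real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CRITICALITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed asset inventory: hostname -> (segment, criticality).
# Knowing where critical assets live is the first step the text describes.
ASSETS: Dict[str, Tuple[str, str]] = {
    "payroll-db-01": ("critical-data", "high"),
    "records-db-02": ("critical-data", "high"),
    "hr-app-01": ("internal-apps", "medium"),
    "web-portal-01": ("dmz", "medium"),
    "library-kiosk-07": ("public-kiosks", "low"),
}


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    dst_port: int


# Explicit allowlist between segments. Anything not listed is denied,
# which is the default-deny posture Zero Trust calls for.
ALLOW_RULES: Set[Rule] = {
    Rule("internal-apps", "critical-data", 5432),  # HR app reads payroll DB
    Rule("dmz", "internal-apps", 443),             # portal calls internal API
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def evaluate_flow(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one observed flow."""
    if flow.src not in ASSETS or flow.dst not in ASSETS:
        # An unknown host has no segment, so no rule can match. Deny it and
        # surface the inventory gap rather than silently letting it through.
        return "deny", "unknown asset, not in inventory"
    src_seg, _ = ASSETS[flow.src]
    dst_seg, _ = ASSETS[flow.dst]
    if Rule(src_seg, dst_seg, flow.dst_port) in ALLOW_RULES:
        return "allow", f"rule {src_seg}->{dst_seg}:{flow.dst_port}"
    return "deny", f"no rule for {src_seg}->{dst_seg}:{flow.dst_port}"


def prioritize_denied(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Denied flows, most critical destination first.

    Ordering by destination criticality means the gaps that reach high-value
    assets are reviewed (and either remediated or given a deliberate rule)
    before the low-value ones.
    """
    denied = [(f, r) for f in flows for v, r in [evaluate_flow(f)] if v == "deny"]

    def rank(item: Tuple[Flow, str]) -> int:
        flow, _ = item
        criticality = ASSETS.get(flow.dst, ("", "low"))[1]
        return -CRITICALITY_RANK[criticality]

    return sorted(denied, key=rank)  # sorted() is stable, ties keep input order


# Constructed flow records, as a flow log might show them before enforcement.
SAMPLE_FLOWS = [
    Flow("hr-app-01", "payroll-db-01", 5432),         # expected and allowed
    Flow("web-portal-01", "hr-app-01", 443),          # expected and allowed
    Flow("library-kiosk-07", "payroll-db-01", 5432),  # kiosk reaching payroll DB
    Flow("web-portal-01", "records-db-02", 1433),     # DMZ straight to records DB
    Flow("contractor-laptop", "hr-app-01", 3389),     # host missing from inventory
]

if __name__ == "__main__":
    for flow, reason in prioritize_denied(SAMPLE_FLOWS):
        criticality = ASSETS.get(flow.dst, ("?", "unknown"))[1]
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dst_port} [{criticality}] {reason}")
```

Run as-is, the script lists three denied flows with the two that reach the high-criticality databases first; the unknown contractor host appears last, but its presence is itself a finding, since an asset nobody inventoried cannot be segmented or patched.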
Cyber resilience is a never-ending journey
Additionally, progress and the ability to adapt to evolving threats work best when organizations have a strong underlying foundation. Cyber hygiene is instrumental in reducing an organization’s risk exposure and is vital in defending against attacks before they occur.
Practicing basic cyber hygiene includes doing things like regularly backing up your data and updating devices, ensuring you’re continuously monitoring and scanning across hybrid environments, and regularly running tabletop exercises and testing out your incident response plans before a breach occurs.
Achieving cyber resilience (like marching towards Zero Trust) is a never-ending journey: there’s no one solution or one tool that’s going to get you there. That’s why it’s crucial to practice cyber hygiene every day, from the top down. Put two-factor authentication into practice across your organization, talk to your teams about phishing attacks, and make sure your agency leaders are following proper cybersecurity protocol (there are no shortcuts for cyber, especially at the top).
Ultimately, regularly practicing cyber hygiene enables team members to shrink your organization’s attack surface and more readily adapt to evolving threats, all the while setting your organization up to realize more ROI on your security investments.
It takes a village to push cyber resilience plans forward
In the end, cyber resilience doesn’t just fall to the CISO or the CIO—it’s the responsibility of the entire organization, and all of leadership. Defending against evolving cyber threats is an all-encompassing problem, and it requires all-encompassing ownership and support from everyone in the organization.
By recognizing that cybersecurity is a team sport and understanding that true cyber resilience is a never-ending journey, organizations will be better enabled to progress and push forward their cyber resilience strategies in 2024—putting them in a better position to contain and combat attacks that inevitably come their way.
Gary Barlet is the federal chief technology officer at Illumio, where he works with government agencies, contractors and the broader ecosystem to incorporate Zero Trust Segmentation, or microsegmentation, as a strategic enabler of Zero Trust architecture. He can be reached at [email protected].