Beyond the barriers: Maximizing ROI in cybersecurity in local government organizations
The 2023 Local Government Cybersecurity National Survey found that more than 60 percent of IT officials at state and local organizations believe their budgets are inadequate to support their cyber programs. Only about half of their employees participate in cybersecurity training continually throughout the year, which points to a lack of engagement with IT security programs across these organizations, including from elected officials.
Among these concerns, IT officials stated that an increase in sophisticated threats and lack of cybersecurity staffing are the top barriers their organizations face when addressing cybersecurity challenges. Despite perpetual constraints in cyber resources for state and local governments, organizations can proactively address these barriers. By prioritizing strategic investments and maximizing existing resources, they can enhance their cyber defenses against threats and maximize their return on investment (ROI) in cyber.
Cultural shift: Assume breach mindset
While state and local governments are not mandated to meet a Zero Trust deadline, as required for federal government agencies, there are still proactive steps that they can take to improve cyber defenses and put themselves in a better position to defend against potential cyber threats.
To start, everyone must adopt an “assume breach” mindset: accept that in a hyperconnected world some attacker will eventually get in, and plan accordingly. When we think of defending against cyber threats, we usually think of preventing them. In a hybrid, hyperconnected environment, however, prevention can no longer be the only goal, because it is not always attainable. As the threat landscape has grown more severe and unrelenting, the goal must expand from keeping attackers out to ensuring that critical information remains safeguarded and operations continue even when an attack or breach succeeds.
The crucial need for organizational participation
As with federal agencies’ adoption of Zero Trust, the cultural shift to assume breach goes beyond technology implementation. It requires active involvement from the SecOps team to the CIO to the entire C-suite in preparing for breaches so that operations are not impeded. Leadership buy-in and participation are essential for fostering a culture in which preparing for breaches is a priority and the organization can respond effectively to cyber threats.
In 2023, state and local governments experienced a significant increase in several types of cyberattacks, including a 148 percent increase in malware attacks, a 51 percent increase in ransomware incidents, and a 313 percent rise in endpoint security services incidents, such as data breaches, unauthorized access and insider threats. Recognizing the severity of these figures means acknowledging that responsibility for, and understanding of, cyber threats can no longer fall solely on IT teams. The IT team is responsible for implementing the technology, but building cyber resilience and staying aware of cyber threats is the responsibility of the entire organization.
The impact of active engagement
Active engagement is integral to organization-wide participation. To adopt an assume breach mindset and make that cultural shift, organizations must require their entire staff to participate in cybersecurity training continually, rather than the once-a-year training most organizations require today. Regular training for all staff on concepts such as phishing, ransomware and cloud breaches improves their understanding of modern criminals’ tactics, helps prevent attacks and breaches, and fosters a more cyber-literate environment. It also reinforces the importance of daily cyber hygiene and resilience practices, and ultimately makes staff better at recognizing a potential threat when they see one.
To keep staff actively engaged in training, organizations must establish a system that holds employees accountable when they fail to complete it. Today, many organizations have no accountability mechanism for employees who neglect their training obligations. Putting one in place, with real consequences, not only holds staff accountable but also signals that the training is taken seriously and that its purpose is to teach staff how to detect cyber threats.
As staff do their part to practice basic cyber hygiene and resilience, the CIO and IT team can guide them on the importance of cross-organization visibility, strategic asset segmentation, and the tools and practices for comprehensive threat modeling, and, most importantly, on not letting the organization’s cyber practices stagnate. This shared understanding allows the IT team to propose, and the organization to embrace, a customized strategy aligned with its specific needs and vulnerabilities.
IT teams can outline the desired outcome of their cyber strategy, such as network visibility, stopping the spread of ransomware and breaches, and improving incident response.
When proposing a customized cyber strategy, the IT team can draw on data from existing technology, or it can make the case for investment in new technology. Either way, when the team presents the strategy to leadership, it can be confident that leadership already understands the organization’s vulnerabilities and recognizes that a customized strategy, backed by the right technology, is essential to being effective.
The cyber resilience and ROI journeys
Bad actors are constantly evolving their tactics, but their desired outcomes remain the same: to exploit and disrupt. Embracing an assume breach mindset and fostering active engagement at every level of the organization is essential. As staff participate in cybersecurity training continually, understanding deepens and an educated cyber environment flourishes. IT teams, guiding the strategic effort, can turn these concepts into actionable defenses.
The journey toward cyber resilience is ongoing and requires daily participation. As organizations come to understand why organization-wide participation and active engagement matter, these actions pave the way for maximizing their ROI in cyber, even with limited resources. And as everyone increasingly recognizes the return on cyber investment, strategy and involvement, the steps to overcome the barriers will fall into place, and cyber resilience practices will come more naturally.
Gary Barlet is the federal chief technology officer at Illumio, where he works with government agencies, contractors, and the broader ecosystem to incorporate Zero Trust Segmentation, or microsegmentation, as a strategic enabler of Zero Trust architecture. He can be reached at [email protected].