Categories
Budgeting & Resources Leadership & Governance

You Paid For The Lock — Now USE IT!

The Gap Between Owning & Fully “Implemented” Cyber Tooling You Already Own

You fought for the budget. You built the business case, presented the risk landscape to leadership, justified every line item, and won cybersecurity funding. New tools were purchased — Identity and Access Management, advanced EDR/XDR, SIEM and more. Boxes checked. Audit requirements are satisfied. A genuine win.

But here is the uncomfortable question nobody asks in the post-purchase debrief: did you actually fully implement them?

Not install. Not license. Implement — fully configured, integrated into your architecture, with every feature activated, monitored and tested. Because there is a dangerous gap between owning a security tool and deriving security from it. And that gap is exactly where attackers live.

Only 14% of organizations are confident they have the people and skills required to meet their cybersecurity needs today — WEF Global Cybersecurity Outlook 2025

The Stryker Wake-Up Call

On March 11, 2026, medical technology giant Stryker suffered a devastating cyberattack that wiped data from thousands of employee and personal devices across 79 offices worldwide. The attackers — an Iran-linked group — did not deploy malware. They did not exploit a zero-day vulnerability. They simply obtained high-privilege administrative credentials and weaponized Microsoft Intune’s Remote Wipe feature, a legitimate IT management tool built for lost or stolen device recovery, to factory-reset tens of thousands of enrolled devices simultaneously.

The lesson is not that Intune is dangerous. The lesson is that privileged access was not properly governed, identity boundaries between on-premises and cloud environments were not enforced, and monitoring either did not exist or did not trigger fast enough. All of these are configuration failures in tools organizations already owned.

The attackers did not break in through a sophisticated exploit. They walked through a door left open by an incomplete implementation.

The Preparedness Gap Is Real — and Growing

The Stryker attack is not an anomaly. It is a symptom of an industry-wide crisis that the World Economic Forum’s (WEF) Global Cybersecurity Outlook 2025 has quantified, and the numbers are sobering.

72% of organizations report that cyber risks increased in the past year — WEF Global Cybersecurity Outlook 2025
2 in 3 organizations report moderate-to-critical cybersecurity skills gaps, lacking the talent needed to meet their security requirements — WEF Global Cybersecurity Outlook 2025
54% of large organizations cite third-party and supply chain risk management as their biggest barrier to achieving cyber resilience — WEF Global Cybersecurity Outlook 2025
35% of small organizations believe their cyber resilience is inadequate — a proportion that has increased sevenfold since 2022 — WEF Global Cybersecurity Outlook 2025

These numbers describe an industry buying security and not implementing it. Organizations are acquiring the tools, but the talent, architecture, and operational discipline needed to extract full value from those investments are not keeping pace. The result is a fleet of half-deployed, partially configured tools that create a false sense of security while leaving real gaps wide open.

The Agentic AI Threat Multiplier

Attackers are not waiting for organizations to catch up. Generative AI is reshaping the cybercrime landscape at an accelerating pace, and the gap between offense and defense is widening.

47% of organizations cite the advance of adversarial AI capabilities — including AI-enhanced phishing, malware development and deepfakes — as their primary GenAI cybersecurity concern — WEF 2025
66% of organizations believe AI will have the most significant impact on cybersecurity in the next 12 months, yet only 37% have processes in place to assess the security of AI tools before deployment — WEF 2025

In an Agentic AI attack scenario where AI autonomously chains together reconnaissance, credential harvesting, lateral movement and execution — a monolithic, single-vendor security stack is a structural liability. If the attacker understands your provider’s architecture better than you do, and your tools are not fully configured, they will find the path of least resistance.

This is not hypothetical. It is the architecture of the Stryker attack, translated into the AI era.

Do You Have the Talent to Use What You Bought?

Before the next purchase order is signed, every security leader, technical and executive alike, should answer these questions honestly:

  • Do we have in-house expertise to fully configure and operationalize the features in our existing tools?
  • Was our tool selection driven by a holistic architecture strategy, or were tools purchased reactively to satisfy an audit requirement?
  • Are all features within our EDR/XDR, IAM, and SIEM platforms fully activated, integrated, and effectively monitored?
  • Do we have unified, normalized logging across every layer of our technology stack feeding a well-configured and monitored dashboard?
  • Is every vendor connection to our environment governed by Zero Trust principles — remote browser isolation, VPN-less access, and Just-In-Time privileged access with approval notification chains configured?

If the honest answer to any of these is ‘no’ or ‘I’m not sure,’ you are not alone — but you are exposed.

A Layered, Heterogeneous Defense: The Architecture That Holds

A monolithic, single-vendor solution may be cost-effective and operationally convenient. But in an Agentic AI threat environment, it is a single point of architectural failure. A breach that understands one vendor’s toolset can traverse your entire environment.

A heterogeneous, layered defense, built intentionally, implemented fully, and integrated across every layer of your stack is a fundamentally different proposition for an attacker. When one protective layer is compromised, the next one holds. The following architecture has proven itself in real-world attack scenarios:

External Perimeter

  • SASE and next-generation firewall with full north-south traffic decryption and inspection and integrated real-time defense
  • Advanced API gateways for all internet-facing applications with bot detection and agentic AI defense capabilities
  • All vendor and third-party remote access governed exclusively through remote browser isolation and VPN-less Zero Trust Network Access (ZTNA)

Internal Network

  • Switch-to-switch encryption across internal network segments
  • Micro-segmentation with east-west firewall inspection, full traffic decryption, and XDR/API integration with network admission control policies
  • Patch panel and port-level monitoring via MAC device admission control with logging and firewall integration feeding XDR

Endpoint

  • EDR/XDR deployed with all features fully activated
  • Consider stacking heterogeneous endpoint agents from different vendors — if one provider’s agent is compromised or bypassed, a second independent layer remains active

Identity and Privileged Access

  • Isolate privileged identities: on-premises admins must not carry high-privilege roles in Microsoft 365 or Entra ID — a critical lesson from the Stryker attack
  • Deploy Entra Private Access for Domain Controllers, extending Conditional Access and MFA requirements to sensitive Active Directory operations including LDAP and Kerberos
  • Implement Just-In-Time (JIT) access with approval workflows for all privileged identity management (PIM) accounts
  • Replace manual service account passwords with Active Directory Group Managed Service Accounts (gMSAs)
  • Rotate the KRBTGT password at minimum twice per year; in a breach scenario, rotate immediately — do not wait
  • Restrict all Domain Controller network access; ensure DCs cannot directly reach the internet
  • Audit and enforce strict anomaly monitoring across all security logs
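Three of the controls in the list above can be checked mechanically from an exported account inventory: the on-prem/cloud privilege boundary, the KRBTGT rotation interval, and service accounts that are not gMSAs. The script below is an added example, not code from the original post. It runs over a constructed inventory; the account names, the groups and roles treated as "high privilege", and the 182-day KRBTGT threshold (twice per year) are assumptions for the demo, and a real run would populate the `Account` records from the AD and Entra ID exports.

```python
# Added example (not from the original post): privileged identity hygiene checks
# run over a constructed account inventory. Account names, the privileged group
# and role sets, and the 182-day KRBTGT threshold are assumptions for this demo.
from dataclasses import dataclass, field
from datetime import date

# "Rotate the KRBTGT password at minimum twice per year" -> at most ~182 days old.
KRBTGT_MAX_AGE_DAYS = 182
# Groups/roles treated as high privilege (assumed sets; extend for your forest/tenant).
ONPREM_PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
CLOUD_PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                          "Intune Administrator", "Security Administrator"}
GMSA_CLASS = "msDS-GroupManagedServiceAccount"  # LDAP objectClass of a gMSA


@dataclass
class Account:
    sam: str                                        # sAMAccountName
    onprem_groups: set = field(default_factory=set)  # AD group memberships
    cloud_roles: set = field(default_factory=set)    # Entra ID directory roles
    object_class: str = "user"
    is_service_account: bool = False
    pwd_last_set: date = date(2026, 1, 1)


@dataclass
class Finding:
    code: str
    account: str
    detail: str


def audit_privileged_identities(accounts, today):
    """Return one Finding per violated control; an empty list means clean."""
    findings = []
    for a in accounts:
        if a.sam.lower() == "krbtgt":
            age = (today - a.pwd_last_set).days
            if age > KRBTGT_MAX_AGE_DAYS:
                findings.append(Finding("KRBTGT_STALE", a.sam,
                                        f"password last set {age} days ago "
                                        f"(limit {KRBTGT_MAX_AGE_DAYS})"))
            continue
        # Boundary check: an on-prem admin must not also hold a cloud admin role.
        onprem = a.onprem_groups & ONPREM_PRIVILEGED_GROUPS
        cloud = a.cloud_roles & CLOUD_PRIVILEGED_ROLES
        if onprem and cloud:
            findings.append(Finding("PRIV_BOUNDARY_CROSSING", a.sam,
                                    f"on-prem {sorted(onprem)} and cloud {sorted(cloud)}"))
        # Service accounts with a manually managed password should be gMSAs.
        if a.is_service_account and a.object_class != GMSA_CLASS:
            findings.append(Finding("SERVICE_ACCOUNT_NOT_GMSA", a.sam,
                                    f"objectClass={a.object_class}; migrate to a gMSA"))
    return findings


# Constructed inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("krbtgt", pwd_last_set=date(2025, 6, 1)),
    Account("jdoe-admin", onprem_groups={"Domain Admins"},
            cloud_roles={"Global Administrator"}),
    Account("asmith-admin", onprem_groups={"Domain Admins"}),
    Account("cloud-ga", cloud_roles={"Global Administrator"}),
    Account("svc-backup", is_service_account=True),
    Account("svc-sql$", is_service_account=True, object_class=GMSA_CLASS),
]


def run_sample(today=date(2026, 3, 20)):
    return audit_privileged_identities(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:26} {f.account:14} {f.detail}")
```

On the constructed data the run flags three accounts: the stale `krbtgt` password, `jdoe-admin` for holding Domain Admins and Global Administrator at once, and `svc-backup` for not being a gMSA; `asmith-admin` and `cloud-ga` pass because each sits on only one side of the boundary.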

Cloud Security

  • Conduct cloud security posture reviews frequently — cloud providers release new security features continuously; newly available controls should be assessed and implemented as a priority, not deferred
  • Consider disabling Password Hash Sync to keep credential validation on-premises through pass-through authentication or federation
  • All SaaS tenant entry points should be isolated to just your agency IP block, with access for remote users only via browser-based isolation and ZTNA solutions and fronted by advanced application gateways or proxies

A layered, heterogeneous defense does not require unlimited budget. It requires deliberate architecture and full implementation of the tools you already own.

How to Close the Configuration Gap Without Starting Over

1. Request a Free Implementation Assessment From Your Vendors

Most enterprise security vendors will conduct a complimentary implementation health check if asked directly. They will identify misconfigured features, unused capabilities, and integration gaps. Many will also provide staff education sessions at no additional cost. This is one of the highest-ROI actions available to any security team and it costs nothing but time.

2. Consider an MSP With Cybersecurity Depth

If in-house talent is the constraint — and the WEF data confirms it is for the majority of organizations — a Managed Security Service Provider (MSSP) with genuine cybersecurity staff, 24/7 monitoring capabilities, and a contractual cyber retainer for incident response is not a cost; it is a force multiplier. The right MSSP partner helps you operationalize the tools you already own and ensures that someone is watching when your team cannot be.

3. Build a Unified Visibility Layer

Every device, every endpoint, every cloud workload, every network segment should feed normalized logs into a centralized, well-configured SIEM or XDR dashboard. Visibility gaps are where attackers operate undetected. Unified logging is not glamorous, but it is foundational.

4. Prioritize Identity Above All Else

The Stryker attack was an identity attack. The WEF report confirms that identity theft has become the top personal cyber risk for both CISOs and CEOs in 2025. If you can only harden one area this quarter, harden identity: implement JIT access, enforce MFA everywhere without exception, isolate privileged accounts, and audit every administrative role in both your on-premises and cloud environments.

5. Review Attack Anatomy Regularly

A simple way to stay ahead of attacks is to regularly review their anatomy. This is a free and easy way to identify gaps in your architecture and alerting. You can build additional custom alerts from the indicators of compromise you find in those reviews, address configuration updates and hardening, and walk through the findings with your team or your Managed Service Provider. Attack review should be part of your day-to-day operations. You cannot protect against what you do not understand, and you cannot harden an architecture whose review you have not operationalized.
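As a worked illustration of turning an attack anatomy into a custom alert, the detector below takes the pattern described earlier in this post (one privileged account issuing a large number of remote wipes in a short window) and runs it over constructed audit records. This is an added example, not code from the original post or from any vendor: the record layout, the `RemoteWipe` operation name, the five-in-ten-minutes threshold and the sample lines are all assumptions for the demo, and a real deployment would map them onto the fields and thresholds of your own MDM audit feed.

```python
# Added example (not from the original post): a burst detector for remote-wipe
# actions, run over constructed audit records. The record layout, operation
# names, threshold and window are assumptions, not a vendor schema or defaults.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WIPE_OPERATION = "RemoteWipe"
BURST_THRESHOLD = 5                   # wipes by one actor ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this sliding window

# Constructed audit log, one JSON record per line (not a real capture).
SAMPLE_AUDIT_LOG = """
{"ts": "2026-02-03T01:40:12Z", "actor": "admin-a@example.gov", "operation": "AssignRole", "target": "admin-a@example.gov"}
{"ts": "2026-02-03T02:01:05Z", "actor": "admin-a@example.gov", "operation": "RemoteWipe", "target": "LAPTOP-0001"}
{"ts": "2026-02-03T02:01:20Z", "actor": "admin-a@example.gov", "operation": "RemoteWipe", "target": "LAPTOP-0002"}
{"ts": "2026-02-03T02:01:41Z", "actor": "admin-a@example.gov", "operation": "RemoteWipe", "target": "LAPTOP-0003"}
{"ts": "2026-02-03T02:02:03Z", "actor": "admin-a@example.gov", "operation": "RemoteWipe", "target": "LAPTOP-0004"}
{"ts": "2026-02-03T02:02:30Z", "actor": "admin-a@example.gov", "operation": "RemoteWipe", "target": "LAPTOP-0005"}
{"ts": "2026-02-03T02:03:12Z", "actor": "admin-a@example.gov", "operation": "RemoteWipe", "target": "LAPTOP-0006"}
{"ts": "2026-02-03T09:14:00Z", "actor": "helpdesk-b@example.gov", "operation": "RemoteWipe", "target": "PHONE-0417"}
{"ts": "2026-02-03T09:20:00Z", "actor": "helpdesk-b@example.gov", "operation": "DeviceSync", "target": "PHONE-0418"}
""".strip()


def parse_audit_log(text):
    """Parse newline-delimited JSON records; timestamps are UTC ('Z')."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_wipe_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Alert once per actor when >= threshold wipes fall inside one window."""
    recent = defaultdict(deque)   # actor -> deque of (ts, target) wipes in window
    alerts, already_alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["operation"] != WIPE_OPERATION:
            continue
        q = recent[ev["actor"]]
        q.append((ev["ts"], ev["target"]))
        while q and ev["ts"] - q[0][0] > window:   # drop wipes older than the window
            q.popleft()
        if len(q) >= threshold and ev["actor"] not in already_alerted:
            already_alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "count": len(q),
                           "first": q[0][0], "last": ev["ts"],
                           "targets": [t for _, t in q]})
    return alerts


def run_sample():
    return detect_wipe_bursts(parse_audit_log(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['actor']}: {a['count']} wipes "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} -> {a['targets']}")
```

The single legitimate wipe by `helpdesk-b` (a lost phone) never reaches the threshold, while `admin-a` trips the alert on the fifth wipe within two minutes. The alert fires at the moment the threshold is crossed rather than after the burst ends, which is the property that matters if the response is to suspend the account before the remaining devices are wiped.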

The Bottom Line

The cybersecurity industry has a spending problem masquerading as a security problem. Organizations are acquiring tools at scale while the skills gap required to effectively implement them grows faster than the workforce can fill it. The result is a fleet of expensive, partially deployed technology that creates compliance confidence without creating actual resilience.

The WEF Global Cybersecurity Outlook 2025 reports that 49% of public-sector organizations lack the talent to meet their cybersecurity goals — an increase of 33% in a single year. The private sector is not immune.

The answer is not more tools. It is full implementation of the tools you already own, a deliberate layered heterogeneous architecture designed to survive a breach of any single component, and the operational talent — whether in-house or through a trusted partner — to run it.

You paid for the lock.

Now use it.

About the Author

Eudora Fleischman  |  Infrastructure Architect & Retired CISO

Eudora Fleischman is an infrastructure architect and retired CISO with over 31 years of experience in infrastructure architecture, cybersecurity, governance and risk, and disaster recovery management, and serves as an Advising Member of the Local Government Cybersecurity Alliance.

Sources

World Economic Forum — Global Cybersecurity Outlook 2025 (January 2025, in collaboration with Accenture)

Stryker SEC Filing & Incident Reports, March 2026


A Cyber Insurance Briefing for Elected Leaders

In today’s digital landscape, a local government’s data—from citizen records and utility operations to internal communications—is a prime target for cybercriminals. A single ransomware attack or data breach can cripple services, drain resources, and erode public trust.

While strong cybersecurity measures are your first line of defense, Cyber Insurance acts as a crucial safety net, helping your municipality manage the massive financial fallout of a successful attack.

If your village, town, city, county, or public utility is considering or renewing a policy, here is a look at what local governments can expect, the vital differences between what is typically covered versus what isn’t, and the critical questions you must ask your municipality and your broker.


The Six Critical Questions Elected Leaders Must Answer

As an elected leader, your top priority is the continuity of public service and the protection of taxpayer funds. Cyber risk is no longer an “IT problem”—it is a governance and financial crisis waiting to happen. Before you sign a policy, your governing body must confront these fundamental questions about your municipality’s readiness and resilience.

Focus Area: Operational Impact
Core Question for the Governing Body: If our critical digital systems (email, payroll, utility controls) were locked down by an attack tomorrow, what essential public service would fail immediately?
Bottom Line for Taxpayers: We must know which services—from 911 dispatch to water quality monitoring—are immediately jeopardized. If the lights go out, your response must be immediate.

Focus Area: Downtime Tolerance
Core Question for the Governing Body: How many hours can our municipality sustain a complete disruption of public records and digital services before the damage to the community becomes irreversible?
Bottom Line for Taxpayers: Every hour of downtime multiplies the cost, halts services, and directly erodes public trust. This defines your operational breaking point.

Focus Area: Financial Cost
Core Question for the Governing Body: What is the documented, unbudgeted cost our municipality would face for recovery, separate from any ransom demand?
Bottom Line for Taxpayers: The true expense is in forensic investigation, legal fees, and system restoration. You need a transparent figure on the financial exposure, which often runs into the millions.

Focus Area: Budget Resilience
Core Question for the Governing Body: Do we have an explicitly dedicated and sufficient reserve fund that can absorb an unbudgeted recovery cost of at least $250,000?
Bottom Line for Taxpayers: Most local governments do not. This question forces a review of whether a cyber event would force painful cuts to essential public programs.

Focus Area: Risk Strategy
Core Question for the Governing Body: Are we relying only on our technology defenses, or have we established a financial safety net for when those defenses inevitably fail?
Bottom Line for Taxpayers: Technology is a tool, but cyber insurance is the risk transfer mechanism. It is a layer of resilience for a modern public entity.

Focus Area: Governance & Accountability
Core Question for the Governing Body: Who is the executive-level owner of cyber risk in this municipality, and is a tested incident response plan in place?
Bottom Line for Taxpayers: Cyber risk is a leadership issue. Insurance helps ensure that the highest levels of governance have a clear, tested plan to guide the community through the chaos of a breach.

What is Typically INCLUDED in a Policy?

Cyber policies generally cover three distinct areas:

Coverage Area: First-Party (Breach Response)
What is Covered? Who pays the costs for us to recover from the attack?
Examples: Fees for forensic investigators, legal counsel, system restoration, and paying cyber extortion (ransom) demands (subject to limits).

Coverage Area: Third-Party (Liability to Others)
What is Covered? Who pays if we get sued or fined for exposing citizen data?
Examples: Defense costs, settlements, damages from citizen lawsuits, regulatory fines, and costs for notifying all affected individuals.

Coverage Area: E-Crime & Financial Loss
What is Covered? Who pays if a criminal tricks an employee into sending public funds to a fraudulent account?
Examples: Financial loss from Computer Fraud, Funds Transfer Fraud (e.g., fraudulent vendor invoices), and Social Engineering Fraud.

What is EXCLUDED?

Exclusions can be policy-specific, but there are several common areas where cyber insurance will not provide coverage:

  • Failure to Maintain Minimum Security: Claims can be denied if the breach is traced to your municipality failing to implement a required security measure, such as an unpatched server or not enforcing Multi-Factor Authentication (MFA).
  • Property Damage or Bodily Injury: Physical damage caused by a cyber event (e.g., a hack on a utility system causing a physical failure) may be covered by a General Liability or Property policy, not the cyber policy, unless specifically added.
  • Acts of War or Terrorism: Losses stemming from hostilities or state-sponsored cyber-attacks are often explicitly excluded.
  • Cost of Hardware/Software Upgrades: The policy will pay to restore systems, but generally not for the cost of upgrading to newer technology.
  • Known Vulnerabilities: If a claim arises from a vulnerability your municipality was aware of before the policy inception date, coverage may be denied.

Where Are the Hidden Traps?

The real risk often lies in the fine print. You need to look beyond the general coverage summary and scrutinize the endorsements and warranties within the policy. These items can act as “trap doors” that allow insurers to legally deny a claim.

1. The “Failure to Maintain Security” Clause

This is the most common and dangerous reason for denial today. Many policies contain a clause that makes coverage conditional upon maintaining specific security controls, most notably Multi-Factor Authentication (MFA).

  • The Warranty Trap: If your municipality warrants (guarantees) in the application that 100% of privileged users or remote access points use MFA, and an attack happens through an account that didn’t have it, the insurer may reject the entire claim based on a breach of warranty.
  • The No-MFA Endorsement: A particularly insidious version of this is the MFA Exclusion Endorsement. This endorsement is added to a policy to state that the insurer will not pay any claim that arises from or is attributed to the lack of MFA on specific systems (e.g., all email, remote access, or privileged accounts).
    • What does the No-MFA Endorsement mean for our paid policy? It means you could pay your full premium for a $1 million policy, but if the claim is traced back to a compromised employee email account that lacked MFA, the insurer can legally reject the entire claim. You have the policy, but no coverage for your greatest risk.

Action: Ensure your policy defines required security controls clearly and realistically. If an MFA endorsement is present, treat it as a policy killer unless you are 100% certain every covered access point complies.
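The "100% certain every covered access point complies" standard is something you can measure before you sign the application rather than discover during a claim. The report below is an added example, not part of the original briefing: it takes a constructed export of identities tagged with the scopes a warranty typically names (privileged, remote access, email) and reports coverage per scope, listing every account that would break the warranty. The identities, scope labels and the `exempt` flag are assumptions for the demo.

```python
# Added example (not from the original briefing): MFA coverage per warranted
# scope, computed over a constructed identity export. Identity names, scope
# labels and the "exempt" flag are assumptions for the demo.

REQUIRED_SCOPES = ("privileged", "remote_access", "email")

# Constructed export (not real accounts).
SAMPLE_IDENTITIES = [
    {"id": "mayor@example.gov", "scopes": {"email"}, "mfa": True},
    {"id": "clerk@example.gov", "scopes": {"email", "remote_access"}, "mfa": False},
    {"id": "it-admin@example.gov",
     "scopes": {"email", "remote_access", "privileged"}, "mfa": True},
    {"id": "vendor-vpn@example.gov", "scopes": {"remote_access"}, "mfa": False},
    # A "temporary" exemption still leaves the mailbox without MFA. Under a
    # 100% warranty that is a gap, so it is reported rather than skipped.
    {"id": "svc-legacy-smtp", "scopes": {"email"}, "mfa": False, "exempt": True},
]


def mfa_coverage(identities, scopes=REQUIRED_SCOPES):
    """Per-scope totals, covered counts, percentage and the list of gaps."""
    report = {s: {"total": 0, "covered": 0, "gaps": []} for s in scopes}
    for ident in identities:
        for s in scopes:
            if s not in ident["scopes"]:
                continue
            row = report[s]
            row["total"] += 1
            if ident["mfa"]:
                row["covered"] += 1
            else:
                label = ident["id"] + (" (exempted)" if ident.get("exempt") else "")
                row["gaps"].append(label)
    for row in report.values():
        row["gaps"].sort()
        row["pct"] = 100.0 * row["covered"] / row["total"] if row["total"] else 100.0
    return report


def warranty_satisfied(report, scopes=REQUIRED_SCOPES):
    """True only when every warranted scope is at 100% (what a warranty asserts)."""
    return all(report[s]["covered"] == report[s]["total"] for s in scopes)


def run_sample():
    return mfa_coverage(SAMPLE_IDENTITIES)


if __name__ == "__main__":
    rep = run_sample()
    for scope, row in rep.items():
        print(f"{scope:14} {row['covered']}/{row['total']} ({row['pct']:.0f}%) gaps={row['gaps']}")
    print("warranty satisfied:", warranty_satisfied(rep))
```

On the sample data the privileged scope is fully covered, yet the warranty still fails because of the clerk, the vendor VPN account and the exempted legacy mailbox. Note that narrowing the warranted scopes (say, to privileged accounts only) changes the verdict, which is exactly why the policy language on which systems the MFA warranty covers matters as much as the control itself.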

2. The Retroactive Date

All policies have a date—the Retroactive Date—before which the insurer will not cover any incident, even if the loss is discovered during the policy period. If a hacker has been in your system for six months and you purchase a policy today, you may not be covered for the full extent of the intrusion. This prevents coverage for “silent data breaches.”

3. The Exclusion for Software/Hardware “Betterment”

After an attack, forensic experts often recommend system upgrades (e.g., replacing an old server or moving to cloud services). Insurers will only pay for the cost of restoring the old system, not the cost of making it “better” or new. Your municipality must be prepared to budget for these betterment costs, which can be substantial and unexpected.


The Six Critical Questions to Ask Your Broker

Cyber insurance should be a true safety net, not a piece of paper. Use these questions to determine if your policy provides the coverage, expertise, and support your community needs.

1. What does the policy cover? What specific security controls are mandatory, and what happens if we fail to maintain them?

Demand a clear list of mandatory controls (like MFA for all remote access). Clarify if non-compliance with a warranty will void the entire policy or only exclude payment for claims related to that specific missing control.

2. What is the annual premium and deductible, and how does this fit our budget risk?

Understand the financial spread: Premiums for municipalities often range from $600 to over $100,000 annually, with deductibles from $1,000 to $100,000. Ensure these costs are sustainable and that the deductible is affordable in a crisis.

3. Does the insurer have demonstrated experience specifically with the public sector?

Government entities have unique challenges: tight budgets, complex regulatory compliance (like state breach laws), and critical services. An experienced insurer will offer tailored coverage that respects these public sector obligations.

4. What loss prevention and risk mitigation services are provided in addition to the coverage?

Look for high-value extras included in the policy: access to incident response hotlines, employee training platforms, vulnerability scans, and tabletop exercises. These proactive services reduce risk and can help lower future premiums.

5. If we report a breach, what is the guaranteed response time, and who is our dedicated contact?

Day-to-day or in a crisis, you need human support, not an automated line. Ask for a commitment to a response within hours, not days. Confirm you will have access to a cyber specialist, a dedicated claims manager, or a 24/7 breach response team.

6. What is the likely impact of making a claim on our future premiums and coverage availability?

Ask for candor: Will premiums spike after a claim, or will the insurer consider non-renewal? Understanding the long-term relationship ensures you are not penalized for using the safety net you paid for.


Announcing the Local Government Officials Guide to Cybersecurity

We are thrilled to announce the official publication of a critical new resource: the Local Government Officials Guide to Cybersecurity (LGOGC)!

This project was developed by the Local Government Cybersecurity Alliance (LGCA) specifically to empower elected and appointed officials—from supervisors and council members to city managers and agency heads—to effectively navigate the increasingly complex world of cyber risk.

Moving Beyond the Technical Jargon

Cybersecurity is not just an IT department problem; it is an enterprise-wide, whole-of-government issue that impacts finance, legal compliance, emergency services, and public trust.

The LGOGC cuts through technical jargon to focus on what matters most to community leaders: governance, accountability, and resilience. This guide was truly built by and for local government professionals, ensuring every concept is practical and immediately relevant to your fiduciary duty to protect the systems that serve your communities.


What the Guide Will Help You Achieve

The LGOGC provides a clear, actionable framework to help local leaders translate responsibility into practical action. Inside, you’ll find guidance to:

  • Integrate cybersecurity into your strategic and budget planning.
  • Strengthen oversight and reporting mechanisms.
  • Align your efforts with nationally recognized frameworks, such as NIST CSF 2.0.
  • Build a culture of cyber resilience that spans all departments and elected offices.

Download and Share Your Feedback

We believe that making cybersecurity governance as natural and necessary as financial oversight is achievable in every county, city, town, village, and district. This guide is a huge step toward that goal.

Download the Local Government Officials Guide to Cybersecurity (LGOGC) now.

We invite your feedback! Tell us how your jurisdiction is addressing these challenges and what resources would be most valuable to you next in our community forum or white paper.


Risk-Based Prioritization and Investment for Local Government Cybersecurity

Cybersecurity is no longer just a technical concern—it’s a strategic imperative. For local governments, the challenge lies in balancing limited resources with escalating threats. A risk-based approach to cybersecurity investment ensures that spending is aligned with the most pressing vulnerabilities and organizational priorities.

Understanding the Threat Landscape

Boards and councils must be regularly briefed on the evolving threat landscape. This includes identifying threat actors—such as cybercriminals, nation-state actors, and insiders—and understanding the types of attacks they may launch, from ransomware and phishing to denial-of-service and supply chain exploits. Management should assess the potential impact of these threats on operations, finances, and public trust.

Conducting Risk Assessments

A formal risk assessment report should be presented at least annually. This report must:

  • Identify key cyber risks.
  • Evaluate the likelihood and impact of each risk.
  • Describe existing controls and mitigation strategies.

This process helps prioritize investments and ensures that cybersecurity efforts are focused on the most critical areas.

Ensuring Compliance

Boards must be kept informed about the organization’s compliance with relevant regulations, frameworks (e.g., NIST CSF), and best practices. Annual updates should include:

  • A summary of compliance status.
  • Identification of gaps or deficiencies.
  • An action plan to address issues.

This transparency supports accountability and helps align cybersecurity with legal and regulatory obligations.

Incident Response Planning

Management should report on the organization’s incident response capabilities, including:

  • Recent incidents and how they were handled.
  • Lessons learned from internal and external events.
  • Updates to the incident response plan.

Effective incident response planning includes defined roles, escalation paths, and playbooks for common scenarios like ransomware or data breaches.

Promoting Cybersecurity Awareness

Cybersecurity is everyone’s responsibility. Boards should receive updates on awareness programs, including:

  • Training participation rates.
  • Results of phishing simulations.
  • Cultural initiatives to foster security-minded behavior.

Evaluating the effectiveness of these programs helps identify areas for improvement and reinforces a proactive security culture.

Budget and Resource Allocation

Cybersecurity budgets must be clearly communicated to decision-makers. Reports should include:

  • Budget comparisons with peer organizations.
  • Allocation breakdowns.
  • Identified constraints and funding needs.

This ensures that financial decisions are informed by risk exposure and strategic priorities.

Using Security Metrics to Drive Decisions

Metrics should be relevant, concise, and actionable. Key metrics include:

  • Number of Security Incidents: Tracks frequency and severity.
  • Mean Time to Detect (MTTD): Measures detection speed.
  • Mean Time to Respond (MTTR): Assesses response efficiency.
  • Vulnerability Management: Tracks identification and remediation.
  • User Awareness: Evaluates training effectiveness.
  • Compliance Metrics: Monitors adherence to standards.

These metrics should be presented in a format that enables discussion and supports strategic decision-making.
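To show how the time-based metrics above are actually derived from incident records, the following is an added example (not part of the original post). It computes Mean Time to Detect and Mean Time to Respond in hours from a constructed incident list, counts incidents by severity, and sets aside incidents that are still open so they do not silently drag the averages down. The record fields and the sample incidents are assumptions for the demo.

```python
# Added example (not from the original post): MTTD / MTTR and severity counts
# computed from a constructed incident register. Field names and the sample
# incidents are assumptions for the demo.
from collections import Counter
from datetime import datetime

# Constructed incident register (not real incidents). Timestamps are ISO 8601.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "occurred": "2026-01-05T08:00",
     "detected": "2026-01-05T20:00", "contained": "2026-01-06T02:00"},
    {"id": "INC-2", "severity": "medium", "occurred": "2026-01-10T09:00",
     "detected": "2026-01-10T09:30", "contained": "2026-01-10T11:30"},
    {"id": "INC-3", "severity": "high",   "occurred": "2026-01-20T00:00",
     "detected": "2026-01-21T12:00", "contained": "2026-01-23T12:00"},
    # Still open: detected but not yet contained, so it counts toward MTTD only.
    {"id": "INC-4", "severity": "low",    "occurred": "2026-01-25T10:00",
     "detected": "2026-01-25T16:00", "contained": None},
    # Reported by a third party with no detection timestamp yet: excluded from both.
    {"id": "INC-5", "severity": "medium", "occurred": "2026-01-28T10:00",
     "detected": None, "contained": None},
]


def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _mean(values):
    return sum(values) / len(values) if values else None


def compute_metrics(incidents):
    """MTTD (occurred->detected), MTTR (detected->contained), counts and open items."""
    detect_hours, respond_hours, by_severity, open_ids = [], [], Counter(), []
    for inc in incidents:
        by_severity[inc["severity"]] += 1
        if inc["detected"]:
            detect_hours.append(_hours(inc["occurred"], inc["detected"]))
        if inc["detected"] and inc["contained"]:
            respond_hours.append(_hours(inc["detected"], inc["contained"]))
        else:
            open_ids.append(inc["id"])
    return {
        "incidents": len(incidents),
        "by_severity": dict(by_severity),
        "open": open_ids,
        "mttd_hours": _mean(detect_hours),
        "mttr_hours": _mean(respond_hours),
    }


def run_sample():
    return compute_metrics(SAMPLE_INCIDENTS)


if __name__ == "__main__":
    m = run_sample()
    print(f"incidents={m['incidents']} by_severity={m['by_severity']} open={m['open']}")
    print(f"MTTD={m['mttd_hours']:.1f}h  MTTR={m['mttr_hours']:.1f}h")
```

Reporting the open items alongside the averages keeps the board discussion honest: an MTTR that looks good only because the worst incident is still unresolved is not a metric that supports decision-making.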

Balancing Spending with Risk

A risk-based investment strategy helps prioritize cybersecurity initiatives based on threat likelihood and impact. This approach avoids overspending on low-impact risks and ensures that resources are directed toward protecting high-value assets. Boards should understand the methodology behind budget decisions and how spending aligns with risk management goals.


Justifying Cyber Investments: A Guide for Municipal Leaders

Cybersecurity expenditures—whether for infrastructure, software, or third-party services—must be justified, transparent, and aligned with public accountability. For local governments, this isn’t merely an IT budget line item; it’s a strategic investment in public trust, operational continuity, and the resilience of essential services.

Cybersecurity as a Public Trust Investment

Local governments face increasing pressure to defend against cyber threats while maintaining transparency and fiscal responsibility. Cybersecurity is not just a technical expense—it’s a strategic pillar of modern governance. Embedding cybersecurity into public service delivery ensures reliability, equity, and trust in digital government systems.

Building the Business Case

To ensure responsible governance, local leaders must establish robust processes for approving cyber investments. This begins with requiring formal business cases for major IT projects. These cases should clearly tie spending to specific service outcomes and demonstrate how the investment supports continuity, compliance, and risk reduction.

Departments should ask key questions when considering technology procurements—such as how the technology will be used, where data will be stored, and what laws govern its protection. These considerations help frame cybersecurity as an enterprise risk, not just an IT concern.

Governance and Oversight

Typically, the Chief Information Security Officer (CISO) or Chief Information Officer (CIO) presents the business case for recommended solutions. The Board’s role is to evaluate whether the proposed spending is justified and defensible, particularly under public scrutiny. This includes assessing proposed projects within an annual budget and ideally incorporating a 3–5 year roadmap of IT initiatives, each linked to a specific business objective and budget.

Enterprise Governance of Information and Technology (EGIT) ensures that technology delivers value while managing digital risks.

Procurement Integrity and Transparency

Before granting approval, it’s crucial to address potential conflicts of interest and ensure a formal Request for Proposal (RFP) process has been followed. Policies should also outline how cost overruns or emergency funding requests will be handled, maintaining transparency and control.

Municipalities renewing cyber insurance must submit formal applications and may access complimentary services like phishing simulations and incident response planning. This reinforces the need for structured, policy-driven procurement and renewal processes.

Funding Opportunities

Encouragingly, federal and state support is growing. The Department of Homeland Security recently launched over $100 million in funding to strengthen community cyber defenses through the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP). These grants support planning, hiring, and service improvements—critical for smaller municipalities with limited budgets.

Tips for Local Leaders

Here are actionable steps to help municipalities secure and manage cyber expenditures:

  1. Develop a Cybersecurity Roadmap
    Include a 3–5 year schedule of IT initiatives with clear objectives and budget estimates.
  2. Use Templates and Guides
    Leverage resources from the Local Government Guide to Cybersecurity to standardize risk assessments, asset inventories, and incident reporting.
  3. Engage Stakeholders Early
    Include elected officials, department heads, and community representatives in cybersecurity planning to build consensus and transparency.
  4. Monitor Regulatory Changes
    Stay informed about mandates (e.g., requirements for annual cybersecurity training for municipal employees).
  5. Apply for Federal Grants
    Visit CISA’s cyber grants portal to explore funding opportunities.
  6. Track Insurance Requirements
    Ensure compliance with cyber insurance applications and renewal protocols.

Cybersecurity is a shared responsibility and a strategic priority. By embedding it into governance, budgeting, and procurement processes, local governments can build resilient digital ecosystems that protect public services and earn community trust. As stewards of public resources, elected officials must champion cybersecurity not just as a technical safeguard, but as a cornerstone of modern governance.

Categories: Budgeting & Resources

Structuring Your Cyber Budget: Capital vs. Operational Spending in Local Government

Cybersecurity is no longer a discretionary expense—it’s a strategic necessity. But for many local governments, structuring a cybersecurity budget can be challenging. Understanding the difference between capital and operational expenditures is key to building a sustainable and effective cyber program.

Cyber budgeting isn’t just about how much you spend—it’s about how you allocate resources to protect systems, respond to threats, and build long-term resilience.


Capital vs. Operational Cyber Spending

Capital Expenditures (CapEx) refer to long-term investments in infrastructure and assets. In cybersecurity, this might include:

  • Network hardware and firewalls
  • Security software licenses with multi-year terms (only where the jurisdiction's accounting policy allows them to be capitalized; subscription licenses are normally treated as OpEx)
  • Data center upgrades
  • Endpoint protection platforms
  • Cloud migration projects

These are typically one-time or infrequent purchases that support strategic goals and are depreciated over time.

Operational Expenditures (OpEx) cover the day-to-day costs of running cybersecurity operations. These include:

  • Staff salaries and benefits
  • Managed security services
  • Threat monitoring and incident response
  • Training and awareness programs
  • Subscription-based security tools
  • Insurance premiums

OpEx is recurring and reflects the ongoing effort to maintain and improve security posture.


Cost Comparison and Budget Planning

When comparing CapEx and OpEx, consider the following:

Category | Capital (CapEx) | Operational (OpEx)
Timeframe | Long-term investment | Recurring expense
Examples | Firewalls, servers, multi-year licenses | Staff, training, monitoring services
Budget impact | One-time cost, depreciated over time | Annual or monthly cost
Flexibility | Less flexible, tied to procurement cycles | More adaptable to changing needs
Governance | Often requires board or council approval | Managed through departmental budgets

A balanced cyber budget should include both types of spending. Capital investments build the foundation, while operational spending keeps defenses active and responsive.


Strategic Considerations

  • Lifecycle Planning: Capital investments should be paired with operational support. For example, purchasing a new firewall (CapEx) requires ongoing monitoring and maintenance (OpEx).
  • Risk-Based Prioritization: Budget decisions should be guided by risk assessments. Focus spending on the most critical assets and threats.
  • Scalability: Cloud-based tools and managed services offer scalable OpEx models that can grow with your organization.
  • Transparency: Clearly distinguish CapEx and OpEx in budget documents to support oversight and accountability.

Best Practices for Cyber Budget Structuring

  • Conduct annual reviews of cyber spending and outcomes.
  • Align budget categories with cybersecurity frameworks (e.g., NIST CSF).
  • Include cybersecurity in capital improvement plans.
  • Use cost-benefit analysis to justify major investments.
  • Ensure funding supports both prevention and response capabilities.

Structuring your cybersecurity budget is about more than numbers—it’s about strategy, sustainability, and resilience. By understanding the roles of capital and operational spending, local governments can build smarter budgets that protect their communities and adapt to evolving threats.

Categories: Budgeting & Resources

Cybersecurity as Risk Avoidance: Investing in Protection, Preserving Public Trust

Cybersecurity is often viewed as a cost center—an expense that competes with visible service improvements or infrastructure upgrades. But this perception overlooks the true value of cybersecurity: its ability to prevent catastrophic losses. For local governments, where public trust and service continuity are paramount, cybersecurity investments should be understood through the lens of risk avoidance.


The Cost of Inaction

A single cyberattack can trigger a cascade of financial and operational consequences, including:

  • Service disruptions that halt public operations.
  • Emergency response costs for containment and recovery.
  • Increased insurance premiums following a breach.
  • Lower credit ratings due to perceived instability.
  • Regulatory fines for non-compliance.
  • Reputational damage that erodes public confidence.

These impacts often far exceed the cost of proactive cybersecurity measures. Preventing even one incident can save millions and preserve the integrity of public services.


Measuring ROI Through Risk Avoidance

Traditional return on investment (ROI) metrics don’t always apply to cybersecurity. Instead, value is measured by what doesn’t happen—breaches avoided, downtime prevented, and trust maintained. This shift in perspective helps leaders prioritize cybersecurity as a strategic investment rather than a discretionary expense.


Spending Wisely vs. Spending More

Importantly, a larger cybersecurity budget does not automatically translate into better protection. In some cases, higher spending may reflect:

  • A larger digital footprint.
  • Redundant or misaligned tools.
  • Inefficient resource allocation.

The true measure of cybersecurity effectiveness lies in how resources are used, not just how much is spent. Smart investments focus on outcomes—such as improved resilience, faster recovery, and reduced exposure—not just line items.


Key Factors for Cybersecurity Success

To maximize the value of cybersecurity investments, local governments should focus on:

  • Strong governance and executive oversight to align strategy with risk.
  • Clear staff roles and accountability across departments.
  • Ongoing training and awareness to reduce human error.
  • Risk-informed decision-making that prioritizes critical assets.
  • Operational resilience and recovery capabilities to minimize downtime.

These elements ensure that cybersecurity is embedded into daily operations and long-term planning.


Sector-Specific Risks

The severity and impact of a cyberattack vary depending on the environment. In sectors where operational technology (OT) is critical—such as public utilities, transportation, or emergency services—cyber incidents can trigger:

  • Physical service outages.
  • Safety risks for residents.
  • ESG (Environmental, Social, and Governance) concerns.
  • Credit downgrades and financial instability.

These risks are often more complex and far-reaching than those associated with traditional IT systems, making risk avoidance even more critical.


Cybersecurity is not just a technical safeguard—it’s a strategic shield. By investing in risk avoidance, local governments can protect their most valuable assets, maintain public trust, and ensure continuity of service. The question isn’t whether cybersecurity is worth the cost—it’s whether your community can afford the cost of not investing.

Categories: Budgeting & Resources

Cybersecurity Financing: Risk-Based Budgeting for Local Governments

Cybersecurity is no longer just a technical line item—it's a strategic investment in the continuity, safety, and trustworthiness of public services. Yet for many local governments, financing cybersecurity remains a challenge. Limited budgets, competing priorities, and rising threat levels create a complex environment for decision-makers.

To navigate this landscape, municipalities must adopt a risk-based approach to cybersecurity budgeting—one that aligns spending with the potential impact and likelihood of threats.


Why Risk-Based Budgeting Matters

Local governments operate under tight financial constraints, but the risks posed by cyber threats continue to escalate. A reactive or ad hoc approach to cybersecurity spending can leave critical systems exposed while wasting resources on low-impact threats.

Risk-based budgeting helps leaders:

  • Focus resources on the most critical vulnerabilities.
  • Avoid overspending on non-essential tools or services.
  • Align cybersecurity investments with broader public service goals.

Understanding the full financial exposure to cyber risk—including direct costs (e.g., legal fees), indirect costs (e.g., reputational damage), and insurance implications—is essential for informed decision-making.


Key Components of Cybersecurity Financing

1. Centralized and Intentional Budgeting

Cybersecurity should be treated as an enterprise-wide priority. Budgeting must be centralized to ensure consistency, accountability, and strategic alignment across departments.

2. Formal Business Cases

Major cybersecurity expenditures—such as infrastructure upgrades or third-party services—should be justified through formal business cases. These cases should tie spending to specific service outcomes and risk reduction goals.

3. Procurement and Policy Alignment

All cybersecurity purchases must follow established procurement policies and be aligned with public accountability standards. Transparency in vendor selection and contract terms is essential.

4. Cost Exposure Analysis

Local governments should assess the full financial impact of potential cyber incidents. This includes:

  • Direct Costs: Remediation, legal fees, fines.
  • Indirect Costs: Reputational damage, service disruption.
  • Insurance Costs: Premiums and post-incident rate increases.
  • Infrastructure Investments: Ongoing upgrades to secure systems.
  • Incident Response: Emergency teams, forensic investigations.
  • Credit Rating Impact: Potential increases in borrowing costs.

Best Practices for Trustees and Budget Officers

  • Require annual reviews of cybersecurity spending and outcomes.
  • Include cybersecurity in capital planning and long-term financial forecasts.
  • Conduct tabletop exercises to test financial readiness for cyber incidents.
  • Ensure that cybersecurity insurance coverage is adequate and up to date.

Cybersecurity financing is not just about protecting data—it’s about protecting the public. By adopting a risk-based budgeting strategy, local governments can make smarter investments, reduce exposure, and build more resilient communities.

Categories: Actionable Steps, Budgeting & Resources

Barriers & Gaps in Local Government Cybersecurity

Cybersecurity is no longer a niche concern—it’s a foundational element of public service delivery. Yet many local governments remain vulnerable to evolving threats due to persistent and interconnected barriers. These challenges—funding, staffing, leadership, and awareness—are often treated as separate issues, but in reality, they reinforce one another. Addressing them holistically is key to building resilient, secure communities.


Insufficient Funding

Limited budgets continue to be one of the most cited reasons municipalities lag in cybersecurity. In many cases, cybersecurity is still viewed as an optional add-on rather than a core infrastructure investment—like roads, water systems, or emergency services.

This mindset must change. Cybersecurity protects the digital infrastructure that underpins nearly every public function, from permitting and payroll to emergency alerts and public records. Without adequate funding, municipalities are forced to rely on outdated systems, under-resourced teams, and reactive strategies. Treating cybersecurity as infrastructure—and funding it accordingly—is essential to long-term resilience.


Workforce Shortages and Skills Gaps

The global shortage of cybersecurity professionals affects every sector, but local governments are especially hard-hit. They often struggle to compete with private-sector salaries and benefits, making it difficult to attract and retain qualified talent.

Beyond staffing numbers, there’s also a skills mismatch. Many existing employees lack the specialized training needed to respond to modern threats like ransomware, phishing, and cloud vulnerabilities. Upskilling staff is critical—but training budgets are often limited or nonexistent.

To address this, municipalities must invest in local talent development, create career pathways in cybersecurity, and explore regional partnerships to share expertise and resources.


Leadership Engagement and Misunderstandings

Cybersecurity is not just an IT problem—it’s a strategic leadership issue. Yet many local leaders still view it as something technical staff handle in isolation. This disconnect can lead to blind spots in governance, leaving agencies exposed to preventable risks.

When cybersecurity is underestimated, the consequences are severe: halted services, lost public trust, and costly recovery efforts. Embedding cybersecurity into executive decision-making—through regular briefings, cross-departmental coordination, and clear accountability—is essential.

Leaders must understand that cyber risk affects every aspect of public service, and their engagement is critical to building a culture of security.


Expanding Attack Surfaces

The shift to remote work, cloud-based tools, and mobile access has dramatically expanded the threat landscape. Traditional network boundaries no longer apply. Every laptop, smartphone, and remote login is now a potential entry point for attackers.

This decentralization makes it harder to monitor activity, enforce policies, and respond to incidents. Municipalities must rethink their security architecture to account for this new reality—implementing endpoint protection, multi-factor authentication, and continuous monitoring across all devices and platforms.


These barriers are not insurmountable—but they require coordinated, strategic action. When funding improves, staffing can follow. When leadership engages, awareness grows. When cybersecurity is treated as infrastructure, resilience becomes possible.

Local governments must move beyond reactive fixes and embrace a governance model that integrates cybersecurity into every decision. The risks are real—but so are the opportunities to build safer, smarter communities.