As we wrap up another October of cybersecurity-related content, it should be noted that for many government IT leaders every month feels like Cybersecurity Awareness Month—and has for the last decade at least.
The past 12 months have been particularly challenging, given that ransomware attacks doubled against public institutions, cyber insurance premiums have risen dramatically while coverage limits have been severely cut, and we witnessed something almost unthinkable when even local governments were impacted through supply-chain attacks most exemplified from Kaseya customers. This is where cybercriminals find a way to penetrate a cyber services company and surreptitiously gain access to all its customers most trusted addresses.
Further complicating the situation is the increasing demand for experienced cyber tech employees—local governments are having an especially difficult time attracting such talent. Surprisingly, it appears that money is no longer the largest stumbling block, as has been reported in the recent past. Today, cybersecurity candidates are increasingly seeking quality of life factors that include working from anywhere, working non-standard hours, and requiring more health and wellness benefits. Senior tech staff have expressed their frustration from what many are referring to as “pandemic burnout: and are simply retiring or moving to completely different jobs and professions.”
All of this serves as the backdrop to CompTIA’s Public Technology Institute’s (PTI) 2021 National Survey of Local Government Cybersecurity and Cloud Initiatives. The purpose of the survey was to provide a snapshot of cybersecurity programs, issues and priorities in cities and counties. The survey looked at budgeting, policies and procedures, access management, cyber insurance, leadership support, and more.
The findings confirm that a wide variety of management and policy issues are impacting the cybersecurity posture for many local governments:
- Engaging leadership on cybersecurity remains a vexing issue for many IT organizations
- Despite a budgeting uptick for cybersecurity programming, thanks to federal stimulus support, a majority of IT executives feel cyber funding is still inadequate
- Cyber insurance rates are rising (and coverage limits are declining)
- The number of organizations that have implemented policies to better manage mobile devices have increased from last year
- IT executives feel a high level of satisfaction when it comes to security protocols implemented by their network service providers
The past 20 months have been a particularly trying time for the local government community: Add to the health and societal impact of the pandemic on our communities and organizations, city and county IT had to quickly ramp up and provide government services via a vastly expanded remote work environment – for the most part, implemented effectively and securely.
Many of the band-aid approaches local governments had undertaken are now becoming more formal and strategic. Continuing this positive note, local governments are implementing new tech-related programs and initiatives as a result of the federal American Rescue Plan Act, and many are using this funding to enhance cybersecurity programs.
As mentioned earlier, public sector IT organizations are struggling with staffing and resource issues—some are calling it the “Great Resignation”—similar to how we referred to the “Great Recession” of a decade ago as staff leave local government IT positions. This provides a positive opportunity to explore apprenticeship programs, resource sharing and public-private initiatives which CompTIA-PTI strongly encourages. Many local government tech leaders are dismayed at some senior managers trying to revert to how things were done before the pandemic—such as requiring staff to be physically present in the office, and to abandon emergency workarounds that allowed for IT employees to work virtually. Some local governments were able to fill positions with highly qualified staff that lived out of state. Now however, there appears to be a pullback and return to pre-pandemic rules and regulations.
Given the search to keep and attract tech talent, local governments find themselves in an increasingly hostile cyber environment and are more susceptible than ever to cyber threats.
Engaging Leadership: Building Cyber Champions
Engagement of elected leaders regarding cybersecurity continues to be somewhat of a struggle for local government IT executives, with 73% of respondents stating that their leaders are just somewhat engaged (51%) or not engaged (22%) with their organizations’ cybersecurity efforts.
Effective engagement is important: The more familiar that elected leaders and senior managers are with cyber operations, governance, priorities, threats, and their organization’s cyber strategy is essential towards the support in making important budgetary as well as broader policy decisions.
Budgeting and Resource Allocation
In the report, 58% of IT executives stated they felt that their organization’s cybersecurity budget is not adequate to support security and cloud initiatives. While still a worrisome concern, this is an improvement from the 2020 survey, when 64% of executives felt that their budget was not enough.
Beyond the survey, PTI members inform us that some federal funding is being specifically directed towards network monitoring and replacement of aging and hard-to-secure digital infrastructure.
Cyber Insurance: Managing Risk
Meanwhile, 90% of respondents said that their organization has cybersecurity insurance—this is the good news. In the last year we have witnessed insurance policies increasing in complexity with more stringent procedures to adhere to in order to get considered for coverage. This could be why only 23% of IT executives said they are completely familiar with their insurance policy requirements and procedures to immediately follow in the event of a breach or incident; 65% are somewhat familiar with their policy requirements and 12% are not at all familiar with their policy requirements.
The Future Direction of Managed Services
Also, 26% of IT organizations relying on a managed service provider for IT services said that they are satisfied with the security protocols for the service providers of their networks. Meanwhile, 36% are somewhat satisfied, 30% are neutral (neither satisfied nor dissatisfied), and 3% are dissatisfied.
Based on dozens of in-depth discussions with tech leaders PTI believes more city and county governments will ultimately turn to managed serve providers given the challenges in attracting and maintaining competed IT staff – let alone the costly burdens of supporting legacy systems.
Cloud Initiatives: A Necessary Direction
When it comes to cloud computing, 31% of IT executives said they are planning for a substantial cloud implementation in the next 12 months, while 27% s said they are already using cloud.
For those planning or already using cloud, the top five areas of investment are, in order: website hosting, internal operations (email, calendars, communication, etc.), data backup and recovery, data storage, and device management.
The most prominent cloud applications are information technology, web hosting, human resources, finance, code enforcement, and community engagement. Among the primary benefits IT executives have either experienced, or expect to experience with cloud computing, are: Enabling employees to work remotely more effectively, enabling citizens to better interact with government, and improvements in inter-department connectivity and communication.
IT Leaders are Hopeful, Looking for More Progress
Local government IT leaders remain hopeful—especially since there are more federal resources to either supplement current operations or to go beyond with equipment modernization and broadband deployments aimed at better serving citizens. Should the much talked about Infrastructure Bill become law, local governments along with their respective states can expect additional and historic support for cyber initiatives.
The job of protecting our technology and telecommunications infrastructure have become more complex and difficult. Local governments are struggling to keep and attract cyber professionals. We look forward to continued progress on all cybersecurity fronts as CompTIA and PTI have taken a holistic approach towards providing meaningful assistance.
The 2021 National Survey of Local Government Cyber Security and Cloud Initiatives is available here.
Dr. Alan R, Shark is the executive director of CompTIA’s Public Technology Institute (PTI).