Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

How Changes in State CIO Priorities for 2024 Apply to API Security

The National Association of State Chief Information Officers' top 10 list sheds light on where state and local governments need to direct their cybersecurity efforts. Here's what it means for application security.

Joshua Goldfarb, Global Solutions Architect — Security

February 12, 2024

4 Min Read
Business women meeting - talking and working around an office table
Source: incamerastock via Alamy Stock Photo


In a previous column, I discussed how the 2023 edition of the National Association of State Chief Information Officers' (NASCIO) top 10 priorities underscored the importance of securing applications and application programming interfaces (APIs) in complex environments. Now NASCIO has published its "State CIO Top Ten Policy and Technology Priorities for 2024," and while some priorities have held over, there are some noteworthy changes.

  • Identity and Access Management and Cloud Services have moved down in priority from fifth and sixth to eighth and ninth, respectively (though perhaps not for the reasons you might think).

  • Cybersecurity and Risk Management remains the top priority, but Digital Government/Digital Services has moved up into a tie for first.

  • Artificial Intelligence (AI), which didn't even make the top 10 last year, is now the third priority.

  • Legacy Modernization has remained the fourth priority.

Let's roll up our sleeves and dig into these changes a bit. I'm going to look at them with an eye toward API security in particular.

Identity and Access Management & Cloud Services Fall — but Why?

Identity and Access Management (IAM) and Cloud Services moved down three rungs in priority. This may not be because the technologies are suddenly less important, though — they might simply have integrated more deeply into today's environment.

To me, it seems that they form a vital part of the two priorities tied for first — Cybersecurity and Risk Management and Digital Government/Digital Services — as well as Legacy Modernization.

In other words, state and local governments may have already done significant work on IAM and cloud services, which they build on to meet higher priorities on this list. If that is the case, the change in priority this year very much makes sense.

Cybersecurity & Risk Management Joined at the Top by Digital Government/ Digital Services

Infrastructure has become significantly more complex and distributed over time. Many enterprises are adding more cloud environments, which bring with them additional complexity.

At the same time, increasingly digital-savvy constituents have come to expect more from the state and local governments that serve them. Unfortunately, the force that drives governments to deliver cutting-edge digital functionality is the same force that may introduce additional risk — the need for speed.

Digital Government/Digital Services creates a need for a distributed cloud capability to simplify complexity and to manage and secure digital assets. In this environment of increased complexity and demand, attacks against applications have continued to increase, including attacks against APIs. Attackers have become wise to the fact that pressure to innovate and to better serve constituents has created an API-driven world. Not surprisingly, attackers are looking to capitalize on this.

Addressing constituent expectations with the expected alacrity means that, in some cases, applications and APIs may not be properly developed, managed, inventoried, and secured. While there are multiple ways to address this risk, the ability to create and enforce security policy uniformly across development, deployment, and operation is one of the main methods. So is the ability to discover and secure APIs.

Artificial Intelligence Makes a Strong Debut

If you haven't heard tons of buzz around AI lately, you might be living under a rock. In all seriousness, despite the hype, AI has some real applications — and consequences — for state and local governments.

On the attacker side, AI makes the threat landscape quite a bit broader by introducing new and novel ways in which cyber criminals can increase both the sophistication of their attacks and the speed at which they develop their attacks. On the defensive side, AI provides opportunities to improve and augment detection and mitigation capabilities.

One thing is certain, though: AI is a technology that needs to be applied to specific problems in order to be used successfully. This requires that state and local governments have an AI strategy that helps them explore how best to defend themselves against AI-based or AI-augmented attacks, as well as how to leverage AI internally to solve specific security problems or to better mitigate risk.

Legacy Modernization Remains a Concern

State and local governments continue to strategically migrate applications and APIs to the optimal environments. What the optimal environment is may vary, of course. Sometimes the migration may be from on-premises to public cloud. In other cases, it may be from on-premises to a private cloud/data center. In some cases, the migration may even be back to on-premises from the public cloud.

Regardless of which applications and APIs are heading to what environments, legacy modernization is well underway. The mix of environments that results will need to be properly managed and secured, no matter its complexity. Given this, it makes sense that Legacy Modernization remains a top priority this year.

Why Applications and APIs Are Central

Topics of interest and priorities shift from year to year in many sectors, and state and local government is no exception. One thing that remains constant, though, is that the top priorities need to cover the security of applications and APIs.

Governments must be prepared to deal with the complexity, as well as the management and security responsibilities, that come with the modern infrastructures required to support those applications and APIs. The NASCIO top 10 certainly captures that.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights