Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

How States Help Municipalities Build Their Cyber Defenses

State CISOs and cybersecurity task forces are grappling with the best ways to use federal grant money to keep their citizens safe online.

Stephen Lawton, Contributing Writer

December 20, 2023

5 Min Read
View of a settlement nestled into the badlands of Medora, North Dakota, USA
Source: Image Professionals GmbH via Alamy Stock Photo

As CISO for the state of North Dakota, Michael Gregg says that one of his first duties was meeting with the North Dakota Insurance Reserve Fund (NDIRF), a nonprofit organization that provides risk and insurance services to the state's political infrastructure. At the time, NDIRF offered a 4% insurance discount to any municipality, agency, or other entity that first implemented endpoint detection and response, antivirus, and security awareness training.

Allocating funds from grants to implement these cybersecurity controls would reduce cyber insurance costs for municipalities, schools, hospitals, and other government agencies and facilities. That lets the state create long-term cost savings while frontloading the costs of implementation. Setting up a security system that does not rely on heavy funding after grants dry up is essential, Gregg says.

States are exploring new methods to provide security resources to their local organizations and citizens. To help, the US Infrastructure Investment and Jobs Act (IIJA) of 2021 established the State and Local Cybersecurity Grant Program (SLCGP). This year's $375 million in SLCGP funding is driving innovation, and today more than 30 states have cybersecurity task forces. The challenge state CISOs and task forces face is using their funding wisely — i.e., not building infrastructures with long-term obligations that outlive federal grants.

States + Other States

While Gregg says he gets quality threat intelligence from the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center (MS-ISAC), he appreciates the nonfiltered data he receives from talking directly with other state CISOs about their experiences. Picking up a phone and talking to another state CISO is faster and provides more actionable data, he says.

Jeff Brown, CISO for the state of Connecticut, agrees. While Connecticut leverages free MS-ISAC tools and services throughout the state, such as implementing the Malicious Domain Blocking and Reporting (MDBR) tools, jointly developed by CISA and Akamai, Brown also is a fan of talking directly to colleagues. He shares and obtains threat intelligence generated within the state with other CISOs.

"The cross collaboration is unbelievably good," Brown says. Unlike commercial ISACs, such as the financial services ISAC, the members of the MS-ISAC are not in competition with each other.

"We can share very, very candidly with each other in terms of what's working and what's not working," he says. "And we don't have to sanitize it too much."

Brown notes that he does not have the authority to force municipalities and other local and regional governmental bodies to take specific security actions. However, by offering support, tools, and guidance to the many entities in Connecticut, many in rural areas, he can facilitate cybersecurity improvements that ultimately help secure key resources and operations.

The state's CISO office doesn't have access to the various communities' or local agencies' environments, so those groups have to do their own IT work, Brown says.

"The easier we can make it, the more we can remove the friction, and make services easy to say yes [to]," the more secure the communities will be, he says.

States + Vendors

"Cybersecurity is a team sport [that] requires innovative approaches and collaboration on operational strategies between the public and private sectors," says Craig Harber, security evangelist at Open Systems. "The public sector would benefit from greater awareness and visibility into cybersecurity risks across US networks provided by the private sector, and the private sector would benefit from advisories, resources, and notifications of potential and existing threats provided by the public sector."

To help with this alliance, Minnesota is setting up agreements with vendors to provide security tools to local operations to make the federal grant funding go further, says Michael Porier, managing director at the consulting firm Protiviti. These agreements allow states to provide tools that the smaller governmental entities might not otherwise have, he says.

There is no obligation to use these tools, but the municipalities get them for free or at highly discounted prices. Another benefit of the state-vendor relationship, Porier notes, is that the tools are vetted to ensure they work well together, so the community doesn't end up with a collection of products that require very expensive integration.

States + Staffing

A major issue for the public sector is finding trained staff who are willing to take less money than they'd get at comparable private-sector positions.

"If they could do just the basic blocking and tackling and do it well, it would cover 90% of the key threats that are out there," Porier says.

Jonathan Trull, CISO and senior vice president of security solutions architecture at Qualys, worked with Colorado state officials and the state's cybersecurity task force to fill the talent gap. One tactic the state used was developing programs to recruit and train nontraditional cyber talent to help place them with one of the local entities.

"There were boot camps that we would partner with in the state that would, for example, take someone out of the military, and instead of going to college for four more years, you could get the basic skills from a boot camp," Trull says. "We would then reach out to our contacts in local government and let them know we had a great network engineer who's looking for their first job."

Internships at the state were also made available to help some candidates gain six months of practical experience, he adds.

"If there wasn't a job available at the state, we'd try to look for a role within one of the participating counties or governments," Trull says. "That's one of the most impactful things you can do."

About the Author

Stephen Lawton

Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights