2023-2024 SLED Cybersecurity Priorities Report
Research that highlights the specific needs, priorities, challenges, and trends influencing leaders in state, local government, and education sectors.
No time to read? Download it and take it with you!
We're all part of SLED, but each of us has unique needs and challenges.
While SLED (State, Local, Education) is a useful classification for public-serving entities, it's crucial to recognize the significant differences between the groups within this category.
State and local government encompass a wide range of entities, including state-level agencies like the Department of Motor Vehicles, municipal agencies like police departments, K-12 schools, public colleges and universities, public utilities, and more. While these organizations are often grouped under the SLED umbrella, our experience and research in this report highlight the need to address the unique challenges of each group by recognizing their distinct characteristics.
Welcome to the 2023-2024 SLED Cybersecurity Priorities Report
A message from Curt Wood, Executive Director of the SLED Cybersecurity Priorities Report.
It is a privilege to collaborate with the contributors and collectors of the insights within this report. This report is created and designed to provide support for your cybersecurity initiatives. The report also aims to raise awareness of the unique challenges faced by SLED leaders like you that protect systems and services we all rely on.
During my time as CIO for the Commonwealth of Massachusetts, I was fortunate to have the backing of other executive officers and legislators who understood the need for resiliency. The programs my team championed—and described in last year’s CPR—continue to evolve and improve, to the credit of the current leaders. We all thrive when we share our successes and our concerns. The openness of our community often separates it from similar teams in more competitive commercial environments.
It is rewarding to lead the content strategy and outreach for this year’s report. As Executive Director of the report, I hope that the information will be useful to you in the coming year. I also hope that you will reach out to me, and to the CPR team, with your feedback, stories, and input into next year’s strategy.
Thank you for all that you continue to do to protect our communities.
Strategies for implementing Whole-of-State cybersecurity
The main goal of Whole-of-State (WoS) cybersecurity is to bridge the gap in expertise and resources at the local level by creating a unified strategy that addresses cybersecurity risks across various state departments and agencies. By sharing threat intelligence, best practices, and resources, entities can more effectively identify and respond to emerging threats. A collective defense approach strengthens the entire network, improving the security posture of each organization as the collective defense grows. Organizations that collaborate for unified defense inherently become safer.
Benefits of WoS cybersecurity for SLED
Adopting a WoS approach can strengthen and enhance cybersecurity infrastructure across state and local government and the education sector. A report examining WoS cybersecurity implementations notes that in one state, “The CIOs agree that a cooperative approach is the best way to ensure an adequate defensive posture across disparate state and local entities, where the availability of skills and resources can vary widely.”
The collective purchasing power of a collaborative approach allows participating organizations to access better and more effective cybersecurity tools. Consistently deploying the same solutions across the board helps simplify and reduce complexity.
Information sharing and collaboration between state agencies, departments, and educational institutions are key benefits of WoS cybersecurity. This approach leads to more efficient resource use and better coordination across entities. By exchanging situational awareness and threat intelligence, organizations can quickly and effectively identify and respond to cybersecurity threats.
One of the biggest benefits from a Whole-of-State program is the increased breadth of data collection. Data collection is the foundational element of data analytics, which drives much of data security.
"In a strong Whole-of-State program, you can collect data in a way that ensures uniform standards, no matter where it resides. This creates an opportunity to conduct more reliable and effective analysis with that data," says Tina Carkhuff, Industry Advisor at Guardsarm and former CIO of the City of Houston.
Risk awareness, management, and mitigation are strengthened through WoS. This is achieved by adopting a coordinated, comprehensive approach to risk management, which aids in identifying, prioritizing, and developing effective strategies to mitigate cybersecurity risks.
A WoS strategy also enhances compliance with regulatory standards. Many states, local governments, and educational institutions must adhere to various cybersecurity regulations. WoS cybersecurity supports compliance by fostering a coordinated, unified approach, without compromising the specific compliance needs of individual agencies.
For more information on the benefits and challenges of a WoS cybersecurity, download the 2023-2024 SLED CPR.
Strategies for implementing WoS cybersecurity
A crucial strategy for implementing WoS cybersecurity is to create a governance framework that defines the roles and responsibilities of state agencies, departments, educational institutions, and private sector partners, along with the policies and procedures for information sharing and collaboration.
Another key component of the WoS strategy is developing an integrated cybersecurity approach. This approach involves a collaborative effort that includes shared situational awareness, common threat intelligence, and unified risk management, along with a standardized incident reporting and response framework. A clear cyber incident response playbook, outlining incident management protocols, is essential for coordinating responses across different agencies, jurisdictions, and locations.
Creating a cybersecurity-aware culture is crucial for WoS implementation. This means educating employees, contractors, and stakeholders about the importance of cybersecurity while encouraging good practices for hygiene and awareness. It’s also vital that political and executive leaders at state, local, and education levels take ownership and lead efforts on this front.
Successful WoS cybersecurity requires the use of advanced technologies such as threat intelligence platforms, SIEM systems, and EDR tools to enhance protection and response capabilities.
Part of the beauty in a Whole-of-State program is the combination of purchasing power and economies of scale. Even the smallest organizations can realize the benefits of the best products, supported with centralized expertise, because of this collaboration.
For more information on how to evangelize WoS Cybersecurity and the State and Local Cybersecurity Grant Program (SLCGP), download the 2023-2024 SLED CPR.
Retain and develop cybersecurity talent
Attracting and keeping cybersecurity talent is tough for SLED organizations. It's not just about IT protection; it's about securing citizens' data, keeping government services accessible and running smoothly, and maintaining public trust in the government to provide essential services when needed.
The landscape of cyber talent in state and municipal governments
Recent trends in staffing paint a picture of organizations struggling to close gaps in cybersecurity roles. A report from govtech.com notes, “CISOs are grappling with talent gaps and weak relationships with local agencies. The latter has emerged particularly as an obstacle to whole-of-state cybersecurity and new federal grants requiring collaboration with local partners.”
In a 2022 NASCIO report, 62% of CISOs believe their teams lack the necessary knowledge, skills, and behavior to meet current and future cybersecurity needs. Additionally, 50% of CISOs mentioned a shortage of available cybersecurity professionals.
Download the 2023-2024 SLED CPR to learn more about the challenges in attracting and retaining cybersecurity talent within SLED, as well as the effects of staff turnover on cybersecurity operations.
Create a robust talent retention strategy
Recruiting and supporting candidates from diverse backgrounds can boost the chances of building strong, skilled teams in today's competitive market. Successful SLED organizations share four key practices:
- Foster a positive and inclusive cybersecurity culture.
- Acknowledge and celebrate cybersecurity achievements.
- Offer chances for career development and progression.
- Introduce flexible working options and initiatives that promote a healthy work-life balance.
Read more about these practices by downloading the full report.
Lessons from the field
As the Chief Information Security Officer for North Dakota, Michael Gregg recognized the critical need for effective talent development and retention. He collaborated with leadership to integrate cybersecurity education into the curriculum, from kindergarten through high school. This initiative helps establish a strong foundational understanding of cybersecurity while cultivating the next generation of professionals.
Gregg highlights the importance of engaging young people through innovative programs such as Cyber Madness. These initiatives spark interest in cybersecurity early, inspiring the next generation to explore careers in the field.
These initiatives offer not just learning opportunities but also scholarships, sparking interest in cybersecurity careers among students.
Gregg also emphasizes the importance of creating a well-rounded learning environment, where individuals can gain experience with a diverse set of security tools and responsibilities. This offers a unique opportunity in the public sector, one that is often not as readily available in the private sector.
A crucial part of North Dakota's strategy is the emphasis on developing soft skills alongside technical knowledge. By training cybersecurity professionals in communication and presentation skills, organizations ensure they can effectively convey complex ideas and findings—an essential ability in the cybersecurity field.
North Dakota's programs also focused on promoting diversity and inclusion, specifically increasing participation from underrepresented groups. This emphasis highlights the critical need for a diverse and inclusive cybersecurity workforce.
Michael Gregg’s initiatives in North Dakota provide a comprehensive and innovative solution to the challenges of recruiting and retaining cybersecurity talent in SLED organizations, integrating education, skill development, diversity, and technological growth.
Cyber insurance for SLED
As cyberattacks become more frequent and sophisticated, state and local government agencies, as well as educational institutions, are seeking effective ways to minimize financial and operational damage, particularly when attackers succeed. Cyber insurance has emerged as a popular solution.According to a report from the United States Government Accountability Office (GAO), the total direct written premiums for cyber insurance grew by approximately 50%, from $2.1 billion to $3.1 billion, between 2016 and 2019.
As cyberattacks continue to increase in frequency and severity, policy premiums for cyber insurance are rising, while coverage is becoming more restrictive or, in some cases, unavailable. As a result, SLED leaders are reassessing whether cyber insurance is the right strategy for transferring or limiting cyber risks. Similar to other types of insurance (such as automobile, home, or life insurance), cyber insurance offers a way to transfer risk. However, there are important factors to consider before opting for cyber insurance. Beyond a basic risk/benefit analysis, government agencies and public sector organizations also face potential legislative or bureaucratic challenges.
Does cyber insurance make sense for SLED? Download the full report to learn more.
Benefits and pitfalls of cyber insurance
Cyber insurance can be a valuable tool in certain situations, but it’s important to understand both the advantages and challenges before making a decision. Here are some key benefits and potential issues public sector organizations should consider.
Benefits of cyber insurance
- Financial risk mitigation
- Incentive for enhanced cybersecurity
- Expertise and post-breach services
- Training and awareness resources
Potential pitfalls of cyber insurance
- Limited and varied coverage
- Potential for complacency
- Rising costs and affordability
- Complex claims and disputes
- Overreliance on insurance in decision-making
Discover more about the benefits, challenges, and hybrid approaches to cyber insurance by downloading the full report.
Assessing the cyber threat landscape
Cybercriminals frequently target a wide range of organizations, and public sector entities are no exception. While some threats are random, many cybercriminals intentionally focus on state and local governments, educational institutions, and municipal utilities, making them prime targets.
Organizations must have reliable sources for up-to-date threat intelligence and effective processes to keep IT security teams informed about emerging and active threats. However, limited resources and regulatory challenges can complicate this effort.
For the complete chapter, download the 2023-2024 CPR.
Leveraging partnerships and collaborations
An increasing number of SLED institutions
are forming partnerships and collaborations
to strengthen their cybersecurity
capabilities. By exchanging threat
intelligence, best practices, and resources,
public institutions can build a more
resilient defense against cyber threats.
These partnerships often offer access to
expertise and technologies that individual
institutions may not have the resources to
afford. Collaborations can range from formal
agreements with government agencies and
industry partners to informal networks of
cybersecurity professionals. These efforts
can also include participation in national
and international cybersecurity initiatives,
providing additional resources and
insights.
What's Working?
Finding, applying, and maintaining
effective threat intelligence is a complex
challenge. When threat intelligence is
valuable, its usefulness often fades quickly
as adversaries adjust their tactics to avoid
detection. To avoid false positives, it’s
crucial to remove outdated sources from the
inventory. Despite these challenges, a few
techniques are gaining popularity in
managing and using threat intelligence
effectively.
1. The constellation SOC
The Constellation SOC (Security Operations Center) is named after the network map that connects different SOCs to share threat intelligence. Each SOC may have its own technology, staff, and mission, but there’s value in exchanging information for the greater good. This could involve sharing intelligence between entities like a community college system and state government, or a water utility and a research lab. The idea is simple: regional or industry-specific organizations often encounter events that others should be aware of, and sharing emerging intelligence benefits everyone involved. Some of the most successful sharing initiatives have set up memorandums of understanding (MOUs) to formalize these collaborations, using technologies like Sigma to connect disparate systems for sharing attack indicators or signs of compromise.
2. Sharing meta data or better yet, sharing the search
One concern that often arises is oversharing. It's essential to establish clear parameters for information sharing to prevent disclosing sensitive data. Historically, we’ve relied on Stix or Taxii feeds for this purpose. However, for organizations and agencies with similar security analytics stacks, sharing search formats can provide more detail than a standard threat feed. By dissecting the search format, analysts can gain more valuable insights. They can see the required log source, expected data source, and potentially the characteristics of the attack indicator. This enables analysts to tailor the search format to their local security setups, ensuring timely and relevant identification of emerging threats.
3. Leaning on MSSP's and MDR providers
When an MSSP (Managed Security Service Provider) or MDR (Managed Detection and Response) company specializes in a particular vertical and manages multiple clients, it can lead to a scenario where emerging threat intelligence from one organization benefits all other clients. However, this is contingent on the provider's ability to aggregate threat data. It’s crucial for each consumer to ask the right questions and perform a thorough evaluation before purchasing. The advantage of this approach is that it shifts the focus from a general threat brief to a more technical and tactical identification of attacks, which provides the most actionable form of cyber intelligence.
Looking forward to 2024
The SLED CPR is the result of numerous discussions with GuardsArm's SLED clients, IT leaders, and cybersecurity experts throughout 2023. It was created to capture the insights and concerns of SLED decision-makers and, for the first time, provide comprehensive cybersecurity information tailored specifically to the SLED sector.
With the completion of the second annual SLED CPR, we're also excited to share our expectations for the future. We’ll revisit these predictions in next year's 2024-2025 CPR to evaluate how accurate they were. Download the 2023-2024 CPR to see how we reconciled last year's predictions from the 2022 report.
Prediction 1: Target on their backs
In the SLED space, organizations will experience a rise in cyberattacks from nation-state actors and hacktivists, who will target critical infrastructure, sensitive data, and public services. These attacks will aim to disrupt operations, extort ransom, or push political and social agendas. To combat these threats, SLED organizations will need to invest in advanced threat intelligence, incident response, and cyber resilience capabilities.
Prediction 2: AI-driven threat hunting becomes standard
As cyber threats become more sophisticated, SLED agencies, often operating with limited resources, will increasingly rely on AI-driven threat hunting tools. These tools can autonomously analyze vast amounts of data to identify potential threats before they develop into actual breaches. By 2024, such proactive measures will be a standard part of the cybersecurity toolkit in the SLED market, no longer just a nice-to-have feature.
Prediction 3: Education sector targeted by Ransomware-as-a-Service (RaaS)
Schools and universities, rich in personal data and intellectual property, are often underprotected. We expect a sharp rise in targeted ransomware attacks, particularly through RaaS (Ransomware-as-a-Service) models, which allow less-skilled hackers to lease ransomware from more experienced ones. This trend could lead to more disruptions in educational institutions, pushing them to adopt a more aggressive cybersecurity approach.
Prediction 4: Trust nothing, verify everything
SLED organizations will adopt zero trust as their security framework, moving from perimeter-based to identity-based security models. This approach will require verifying the identity and context of every user, device, and request before granting access to resources. By doing so, they will reduce attack surfaces, prevent unauthorized access, and mitigate insider threats. Zero trust will also incorporate multi-factor authentication, encryption, micro-segmentation, and continuous monitoring.
Prediction 5: Cybersecurity talent grows in-house
Due to the ongoing talent shortage and fierce competition for cybersecurity professionals, state and local governments, along with educational institutions, will begin developing their own cybersecurity workforce. This will lead to more in-house training programs, apprenticeships, and collaborations with local universities and coding bootcamps to build their cybersecurity capabilities from the ground up.
Prediction 6: Cybersecurity mergers and acquisitions surge
As cyber threats become more sophisticated, smaller SLED agencies may struggle to keep up. This could result in a trend where these agencies form partnerships or even merge with larger, more technologically advanced entities. Such collaborations would allow smaller agencies to leverage the cybersecurity infrastructure of their larger counterparts, enhancing their defenses against evolving threats.
Prediction 7: All for one, one for all
SLED organizations will enhance collaboration and information sharing on cybersecurity, both within and across sectors. Whole-of-State cybersecurity initiatives will grow, and organizations will create networks and alliances to share best practices, threat intelligence, and incident response support. Joint initiatives and exercises will improve preparedness and coordination, building trust, fostering innovation, and strengthening collective defense against cyber threats.
Contributing sponsors
A special thanks to all our sponsors. Their involvement stems from frequent mentions by SLED leaders, who are guiding us in understanding their challenges. Rather than product recommendations or use cases, these sponsors provided access to their experts, helping us enrich the CPR with valuable data and insights that we might have otherwise missed.
Guardsarm Inc. (NASDAQ: SPLK) transforms data into action through its Data-to-Everything Platform. The technology is built to investigate, monitor, analyze, and act on data, regardless of scale.
Learn more at splunk.com/publicsector.
3b7e.png)
Zscaler (NASDAQ: ZS) accelerates digital transformation, enabling customers to be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange safeguards thousands of customers from cyber threats and data loss by securely connecting users, devices, and applications, no matter their location. With over 150 data centers worldwide, the SSE-based Zero Trust Exchange is the largest in-line cloud security platform globally.
Learn more at zscaler.com.
Recorded Future is the world's largest intelligence company. Its Intelligence Cloud offers comprehensive coverage of adversaries, infrastructure, and targets. By combining automated data collection and analytics with human analysis, Recorded Future provides real-time visibility into the vast digital landscape. This enables countries and organizations to proactively disrupt adversaries and protect their people, systems, and infrastructure. Headquartered in Boston, with offices worldwide, Recorded Future collaborates with over 1,500 businesses and government organizations in more than 60 countries.
Learn more at recordedfuture.com.
GuardsArm is a leading national cybersecurity services firm, offering clear, comprehensive, and outcome-focused solutions to hundreds of clients. We work exclusively with top-tier security technologies and highly trained, vetted analysts. Our goal is to simplify cybersecurity for our clients by providing a full range of security services, from compliance and offensive testing to award-winning 24/7 managed security operations. Additionally, GuardsArm Inc advisors leverage information from multiple sources to create well-informed strategies for building, improving, and maintaining your cybersecurity program.
GuardsArm Inc makes it easy to secure what matters most to you. Learn more at guardsarm.com.
