IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.
Sponsor Content
What does this mean?

3 Steps to Help State and Local Governments Build Cyber Resilience


Now is a more important time than ever for state and local governments to double down on cyber resilience to make sure they have the systems in place to both protect organizational data AND react in the event of a cyber attack.

Now is a more important time than ever for state and local governments to double down on cyber resilience to make sure they have the systems in place to both protect organizational data AND react in the event of a cyber attack. What makes cyber resilience different as an overall approach? Not only is it more outcomes based but because it focuses on business continuity and financial priorities, the benefits are much broader than acute disaster recovery or preventative cyber strategies.

To summarize, cyber resilience encompasses protecting the data, protecting the application and protecting the outcome. Additionally, implementing a resilience strategy optimizes your cybersecurity fiscal spending, as the most critical items are prioritized first.

For governments, this translates to the ability to ensure constituent services go uninterrupted and keep services online with little to no impact on staff or citizens – regardless of the threats or disruptions that take place, especially cyber attacks.


As the threat landscape grows increasingly sophisticated with an increase in targets and frequency of attacks, state and local governments are more at risk than most organizations for two key reasons.

The first is the very nature of budget cycles. Because it can take as long as one to two years for governments to ask for and appropriate the right funding to mitigate cyber attacks, they are, by design, forced to remain reactionary. The sobering reality is that cyber threats and the surrounding technologies to address them are proliferating far faster than what current budget cycles can fund. This means that relying on prevention as the main cybersecurity strategy opens state and local governments to enhanced risk.

The second major reason is the inability to adequately address one of the most pernicious forms of cyber attacks: ransomware. The statistics alone are staggering. According to Cybersecurity Ventures, recent reports show that organizations are hit with ransomware attacks every 11 seconds. At least 69 percent of ransomware attacks are effective at encrypting data, 15 percent higher than average. Most agencies have barely adequate defenses in place and are at high risk of having their operations and services grind to a halt as a result of ransomware attacks.


With a cyber resilience plan in place, your dollars go much further in building overall resilience and sustainability. Incident response is more optimized, and your agency or government is better prepared to block or even withstand cyber attacks as well as stand up alternative compute, eradicate the threat and ensure services are still ongoing. Put simply, cyber resilience can be likened to the ability to take a punch in the mouth and keep going.

Here’s how the Virginia Information Technologies Agency (VITA) helped the executive branch of the commonwealth of Virginia withstand a ransomware attack using cyber resilience as an approach. While other branches and their operations were stifled when hit with the same ransomware attack, the executive branch was able to keep services and operations going – without having to pay a ransom.

How? By employing three critical steps to build their cyber resilience ahead of time.


These steps not only helped VITA but can also improve how other state and local governments prepare before the next cyber attack. The three key steps to building cyber resilience include leveraging a holistic resilience assessment, assembling a cross-functional team and creating a time-phased road map.

1. Leverage a holistic resilience assessment. First, VITA brought in objective technology and business process experts to identify single points of failure and proactively mitigate them ahead of time. These included cybersecurity weak points, people (such as knowledge management gaps) and outdated processes. Cyber and non-cyber single points of failure must be identified to create a comprehensive organizational risk baseline.

For example, with a monolithic database with a singular backup, a hacker can easily encrypt the data and backup and bring operations to a full stop. Identifying these gaps through a holistic resilience assessment ahead of time can help you prioritize accordingly across constituent services, people and processes. Ultimately, you can then strategically stretch your dollars and address highest impact to lowest impact for more resilience.

2. Assemble a cross-functional team. Cybersecurity is becoming a significant foundational layer toward business and operational resilience. As a result, the new type of CISO will become more well-rounded. They’re being brought into the fold in ensuring business continuity and other important outcomes that cybersecurity can affect.

When assembling your cross-functional team, include the CISO, CIO, and any financial and business stakeholders and prioritize the impact of any gaps or potential points of failure.

3. Create a time-phased road map. VITA focused on outcomes, such as critical constituent services, first. Similarly, more states like North Dakota and Ohio are applying a “whole-of-state approach,” identifying their primary outcomes first. Think of your government's primary outcomes. What critical services must remain ongoing? Whether it’s online services, critical infrastructure, public safety, etc., the key is to identify those critical business outcomes and work backward to identify single points of failure.

From there, establish a time-phased road map that aligns with your budgetary constraints. Which of those high-impact points of failure will you address first? This will help build a more resilient strategy and strengthen your environment over time.

Before adding another tool to your cyber technology stack or automating a process that may already be bad, take a step back and examine your outcomes first. What will prevent you from delivering your government agency’s most important outcomes, like constituent services? By starting there, you’ll build a more sustainable and cyber resilient strategy, ensuring your government is better prepared to face the cyber threats of today and well into the future.