After four decades in IT and cybersecurity and over two decades as the CISO for one of the largest counties in the U.S., I’ve witnessed the cyber threat landscape evolve from nuisance malware to highly sophisticated, targeted attacks on critical infrastructure. Yet, we still have the same conversations we had a decade ago.
At the 2025 National Association of Counties (NACo) Legislative Conference, the conversations around cyber challenges were painfully familiar—limited budgets, cultural inertia and threats outpacing the solutions. Leadership accountability is still missing despite rising threat volumes and clear public impact.
Cyber Risk Is a Leadership Issue
Leadership accountability cannot exist without clear ownership. Every local government must assign cybersecurity responsibility to a qualified chief information security officer (CISO). They should possess the technical acumen to manage threats and implement controls and the leadership skills to engage across departments and articulate risk in business terms. For resource-constrained jurisdictions, a V-CISO engagement is a cost-effective alternative to hiring a full-time employee. However, using a V-CISO does not absolve internal leadership of responsibility. A V-CISO must be utilized along with an identified person within your organization accountable for making decisions on risk mitigation, co-presenting the cybersecurity strategy and advocating for the investments required. Outsourcing the expertise is smart; outsourcing the accountability is not.
The cybersecurity lead must have direct and regular access to executive leadership, including county executives, city managers, boards and mayors. Without this, critical risks get delayed, distorted or deprioritized before reaching decision-makers.
This structure allows for timely risk escalation to leadership, informed decision-making grounded in technical and business realities and shared accountability between IT/security leaders and executive leadership.
• Faster Risk Escalation: Direct reporting structures reduce the time taken for high-risk issues to reach leadership by 50 percent, enabling quicker mitigation.
• Clearer Accountability: Role clarity improves cross-departmental response coordination by 40 percent in cyber incident drills, ensuring faster containment and recovery.
• Improved Strategic Alignment: CISOs with executive access report a 60 percent increase in cybersecurity initiatives aligning with agency-wide priorities, like citizen services and operational continuity.
Cybersecurity is an enterprise risk that demands ownership at the executive level. Local government leaders must treat cyber risks with the same seriousness as fiscal, operational or public health risks. Leadership accountability transforms cybersecurity from a reactive IT issue into a proactive enterprise risk management function. This includes understanding the risks in business terms, making risk decisions based on data and formally accepting or mitigating risks, with documentation and accountability.
A documented Risk Notification Program ensures that leadership remains informed, engaged and accountable. When leadership takes ownership of cyber risk, measurable improvements follow.
• Reduction in Attack Surface: Leadership-driven vulnerability management programs reduce critical vulnerabilities by 30 percent within six months, ensuring high-priority risks are addressed promptly.
• Improved Incident Response Times: Engaged leadership reduces Mean Time to Detect (MTTD) from days to hours and Mean Time to Respond (MTTR) from weeks to days by investing in advanced detection tools and incident response training.
Using Common Sense and Being Realistic—A CISO’s Guidebook
CISOs must recognize that sometimes leadership deems a risk acceptable. That’s why a formal Risk Notification Program is essential. If leadership accepts a risk, document it and follow up. Always provide at least three recommendations for mitigating risks, complete with associated costs.
Be realistic with your options, especially regarding costs. If the cost is high, propose a phased approach. Approaching leadership with an unaffordable cost and no plan will result in risk acceptance or outright rejection.
Funding Remains a Significant Issue
Despite well-known vulnerabilities, many local governments remain underfunded and under-resourced. Although ransomware attacks cost jurisdictions millions and erode public trust, cyber is still deemed too expensive.
The State and Local Government Cybersecurity Program (SLGCP) funding is a welcome catalyst, but not a permanent solution. Those funds should mitigate high-priority risks, build foundational capabilities and create early momentum.
Cybersecurity is a core government service. Protecting citizens through digital platforms must become second nature. This requires consistent investment and prioritization in the local budgeting process.
• Reduction in Ransomware Impact: Investment in endpoint detection and response (EDR) solutions reduces ransomware downtime by 50 percent and recovery costs by 30 percent within a year.
• Enhanced Employee Engagement: Leadership-driven cybersecurity training programs reduce phishing simulation click rates from 20 percent to under 5 percent within six months, fostering a culture of security awareness.
Future federal funding must also increase proportionally to the scale and sophistication of threats and go directly to local governments, allowing swift and strategic actions.
Federal support can kick-start local resilience, but the local government is accountable for building and sustaining cybersecurity maturity.
The Vendor Role in Cost and Risk
Along with local governments, solution providers are also responsible for prioritizing cybersecurity. Vendor pricing models often fail to account for the different realities between large cities and small-town governments.
Vendors must acknowledge this disparity and adapt their pricing models accordingly. Offering flexible tiers, cooperative agreements or scaled-down solutions for smaller municipalities is an innovative, sustainable business model.
Cloud Adoption: Accountability Doesn’t Disappear
There’s a dangerous misconception—it’s in the cloud, so it’s secure. Accountability for data security remains with the local government, even in the cloud. Migrating to cloud services redefines how responsibility must be managed.
Before selecting a cloud provider, governments must require:
• Security attestations and third-party risk assessments.
• Up-to-date SOC 2 Type II certifications and ISO/IEC 27001 compliance.
• A complete Software Bill of Materials (SBOM).
• Detailed data classification alignment and segregation practices.
• Clear accountability for breach notification timelines.
• Faster Recovery Times: Leadership investment in cloud-based disaster recovery solutions reduces Recovery Time Objective (RTO) from 48 to 12 hours and Recovery Point Objective (RPO) from 24 to 4 hours within a year.
It’s not just about trust—it’s about due diligence. Government and citizen data must always be protected with the highest standards.
Culture and Performance: The Missing Metrics
Cultural alignment is essential for solving cybersecurity challenges. When leaders exempt themselves from policies, it sends a clear message—cyber is optional. Cybersecurity is everyone’s responsibility, and leadership must set the tone. This includes documenting exceptions to policy, requiring written acknowledgment of risk from those requesting them and reporting exception metrics regularly to senior leadership.
• Improved Risk Management Metrics: A documented Risk Notification Program reduces unmitigated risks by 25 percent within a year by ensuring that all risks are mitigated or formally accepted with accountability.
• Reduction in Security Incidents: Proactive leadership drives a 20 percent reduction in security incidents annually by addressing root causes and implementing preventive measures.
Leading from the Front
Local governments where leadership owns risk decisions, empowers CISOs and invests in resilience have made substantial progress in cyber maturity. Others are still operating on the legacy assumption that cybersecurity is a tech problem or an IT cost to be minimized.
Cybersecurity is more than hardening networks—it’s about fortifying accountability. It’s not about what tools we buy but the decisions we make. It’s not about outsourcing risk—it’s about owning it.
• Improved Public Trust: Transparent communication about cybersecurity initiatives improves citizen satisfaction scores by 15 percent within a year.
• Alignment with Business Objectives: Leadership accountability ensures that 90 percent of cybersecurity projects align with organizational priorities, like protecting critical infrastructure or enabling digital transformation.