How state and local CIOs can push their cyber resilience plans forward in 2024
From Dallas, Texas to Lowell, Mass., it’s been evident that in 2023, state and local governments have been prime targets for ransomware attacks and other bad actors. Now, as we look to the year ahead, the reality is this: cyber threats are worsening, the attack landscape is growing more complex and severe by the day, and adversaries are increasingly recognizing the vulnerability and susceptibility of state and local governments.
As we head into the new year and state and local organizations remain top targets for malicious actors, here are some of the ways that state and local chief information officers (CIOs) can make the most of strained resources and limited funding to drive resilience efforts forward.
Shifting the focus
When it comes to bolstering resilience, it’s been a long-held misconception that prevention is the metric for “perfection” in cyber. But in our hybrid, hyperconnected world, “prevention” is no longer an accurate reflection of resilience (and in the world of cybersecurity, there’s no such thing as perfection). The field that we’re playing on is constantly widening, expanding and evolving, and the rules change as new threats emerge.
As the threat landscape has grown more severe and unrelenting over the years, it’s time we start recognizing and redefining resilience: it’s no longer a matter of preventing breaches and other attacks from occurring—it’s about ensuring critical information remains safeguarded and operations continuous in the face of inevitable attacks and breaches.
The best way to achieve this kind of operational consistency and resilience, particularly as threats evolve, is by adopting the Zero Trust framework. A widely recognized industry best practice predicated on the principles of “assume breach” and “least privilege,” Zero Trust advocates for a default-deny approach to cybersecurity: no user, device or workload is trusted by virtue of its network location, and access is granted only where an explicit policy allows it. In fact, it’s become the de facto standard for agencies and other federal organizations as they look to make good on the objectives outlined in the Biden Administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity, as well as other evolving cybersecurity mandates and regulations.
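To make the “default deny” and “least privilege” principles concrete, here is an added example (not code from the article or from any agency) contrasting a legacy deny-list authorizer, which allows anything not explicitly blocked, with a Zero Trust style authorizer, which denies anything not explicitly allowed and also checks the caller’s device posture (the “assume breach” part). The principals, resources and rules are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request: who is asking, what they want to do, on what,
    and whether the device they are on currently passes compliance checks."""
    principal: str
    action: str
    resource: str
    device_compliant: bool = True


# Constructed least-privilege allow-list: each principal gets only the
# specific actions it needs on the specific resources it needs.
ALLOW_RULES = {
    ("payroll-svc", "read", "hr-db"),
    ("payroll-svc", "write", "payroll-ledger"),
    ("backup-agent", "read", "hr-db"),
}

# Constructed deny-list used by the legacy authorizer. Anything missing
# from this set is silently permitted, which is the gap Zero Trust closes.
DENY_RULES = {
    ("contractor", "write", "hr-db"),
}


def permissive_authorize(req: Request) -> bool:
    """Legacy pattern: allow unless explicitly denied.
    A principal nobody thought to list (new service, compromised account)
    gets access to everything that is not on the deny-list."""
    return (req.principal, req.action, req.resource) not in DENY_RULES


def zero_trust_authorize(req: Request) -> bool:
    """Default deny: the request passes only if an explicit allow rule
    matches AND the requesting device is currently compliant. Anything
    unlisted, and any request from a non-compliant device, is refused."""
    if not req.device_compliant:
        return False
    return (req.principal, req.action, req.resource) in ALLOW_RULES


def evaluate(requests):
    """Run both authorizers over a batch of requests and return
    (request, legacy_decision, zero_trust_decision) tuples so the
    difference in posture is visible side by side."""
    return [(r, permissive_authorize(r), zero_trust_authorize(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests, including an unlisted principal and a
    # legitimate principal on a device that has fallen out of compliance.
    sample = [
        Request("payroll-svc", "read", "hr-db"),
        Request("payroll-svc", "write", "hr-db"),
        Request("intern", "write", "payroll-ledger"),
        Request("backup-agent", "read", "hr-db", device_compliant=False),
    ]
    for req, legacy, zt in evaluate(sample):
        print(f"{req.principal:12} {req.action:5} {req.resource:15} "
              f"legacy={'ALLOW' if legacy else 'DENY':5} zero_trust={'ALLOW' if zt else 'DENY'}")
```

The second and third sample requests are the ones to watch: the legacy authorizer allows a payroll service to write to the HR database and an unlisted intern to write to the ledger simply because nobody enumerated those cases, while the default-deny authorizer refuses both. The fourth shows a correctly authorized principal still being refused once its device no longer meets policy.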
However, where agencies and public sector CIOs often fall short in their Zero Trust journeys is by focusing too much on perfection over progress. IT leaders will aim to perfect each goal or step as outlined by a piece of guidance or a given model—for example, with CISA’s Zero Trust Maturity Model, released in 2022, organizations often seek to master a single phase or pillar (i.e., “identity”) before moving on to the next. But in doing this, they leave critical security gaps unplugged in their devices, networks, applications and data that are readily available for bad actors to exploit.
To read the complete article, visit American City & County.