Cybersecurity has become in many countries  a booming industry, flooding the market with new products, with a near zero unemployment rate, and numerous unfilled jobs. This shortfall is expected to grow by 50+ percent in the near future.  However, in the meantime, local governments are finding it increasingly difficult to attract and keep cybersecurity expertise.  National governments are continuing to issue standards and frameworks to manage cybersecurity but little attention is being addressed to what to do about situation at a local level.

The inability to pay competitive salaries, lack of experienced staff, and a general lack of funds have all created serious barriers to local governments to reaching adequate levels of security. These issues were cited in a  survey of local government CIOs conducted by ICMA, the International City/County Management Association, in partnership with the University of Maryland Baltimore County.

The objective of the Cybersecurity 2016 Survey  was to understand better current local government cybersecurity practices, as well as to see what related issues there were. The survey looked at what capacities cities and counties typically possess, what kind of barriers they encounter, and what type of support they need to implement effective  programs. Unfortunately little attention seems to be paid to solutions.

Despite nearly a third (32 percent) of respondents reporting an increase in cyber-attacks during the past 12 months, 58 percent indicated that the inability to pay competitive salaries constituted a prohibitive factor that prevented them from reaching higher levels of security. Fifty-three percent cited an insufficient number of cybersecurity staff as the primary obstacle, and 52 percent said it was a general lack of funds.

The public sector generally pays considerably less than the private sector for expertise in this field. This tendency places further pressure on local governments (both in Europe and the US) to find ways to fund better compensation. More work probably should be done on what local governments and businesses can do without having necessarily having a strong technical background.

When asked to rank the top three things most needed to ensure the highest level of security for their local government, respondents cited increased  funding as number one, better cybersecurity policies as number two, and greater cybersecurity awareness among local government employees as number three in importance.

“As local governments become increasingly reliant on technology and the Internet, they must also become increasingly diligent about the security they provide for the data and information they collect and manage,” ICMA Executive Director Marc Ott was quoted. “Because the costs to restore compromised data are staggering, local governments must understand what resources they need to achieve their cybersecurity objectives and ensure the safety of their data. Priorities and ojbectives should not be made within the context of IT departments but developed in collaboration with all departments.

Other highlights of the ICMA/UMBC cybersecurity survey results include:

  • Only 1 percent of responding local governments have a stand-alone cybersecurity department or unit. Primary responsibility for security is most often located within the IT department.  Not much is made of relying on IT departments for cybersecurity . As in many situations, we have found in working with municipalities in Italy that operations function better when IT is  advising officials on how policy decisions should be developed.
  • Roughly 62 percent of responding jurisdictions have developed a formal policy governing the use of personally-owned devices by governmental officials and employees. Even in municipalities with formal policies much depends on how they are applied and how people are trained.
  • Nearly 70 percent of responding local governments have not developed a formal, written cybersecurity risk management plan, but nearly 41 percent conduct an annual risk assessment and an additional 16 percent take stock of their risk at least every two years. Part of the problem regarding the lack of formal, written risk management plans is the lack of resources.  Most municipalities, particularly the smaller ones, are beset with numerous problems concerning the delivery of public services so the issue of risk management tends to be less of a priority.

One can review the complete results of the survey at:

The original article come from:

Our experience in Italy and other European countries is that cybersecurity expertise is certainly important but we also need to recognize that less-costly and easy to implement solutions should be developed.  Like with other services (police, taxes, jobs, etc.) more municipalities could be encouraged to group together and to pool their resources to be able to develop more rapidly solutions for their communities.

Cesviter Team