Amid a tumultuous threat landscape, state and local government (SLG) IT leaders are warning that their organizations’ cybersecurity preparedness is putting citizen data at risk, according to new research from MeriTalk, underwritten by Invicti, Keeper, Recorded Future and ServiceNow.

In a clarion call and warning to all SLG chief information and chief information security officers, more than two thirds of those surveyed admitted that the state of their organizations’ cybersecurity puts citizens at risk for a detrimental cyberattack. Alongside that finding, only 36 percent grade their organization’s data security practices with an “A” in building citizen trust.

The news from the research is not all bad, but it shows how far government organizations have to go to get security confidence to a really high level.

On the better news front: 91 percent of SLG cybersecurity leaders said their organization’s pace of cybersecurity improvements has actually increased over the past year, and cybersecurity remains the top priority on the National Association of State Chief Information Officers’ (NASCIO) state CIO survey list for the ninth year in a row.

Finally, a dash of mixed news: 75 percent feel their organizations understand the overall cybersecurity objective, but the same 75 percent of SLG IT leader respondents still did not understand the steps needed to achieve the goal.

MeriTalk compiled its research results through an online survey of 100 SLG IT and program managers, all of them familiar with their organization’s cybersecurity efforts, in August of 2022.  The report has a margin of error of ±9.75 percent at a 95 percent confidence level.


The past two years have sparked a massive upheaval in digital government – from pandemics and ransomware attacks to global affairs that threaten our level of ubiquitous cyber-connectivity. While cybersecurity and risk management remain state CIOs’ number-one priority according to NASCIO, effective cyber strategies are more critical than ever to ensure data protection, service delivery, and citizen trust.

In the new research report, MeriTalk aims to understand how SLG leaders are using cybersecurity advancements to meet the needs of a digitally dependent population and how industry partners can best support SLG progress.

MeriTalk surveyed the SLG IT decision-makers to understand:

  • Cyber “must haves” for reliable citizen services;
  • Efforts to improve data protection and application security;
  • Short and long-term strategies to advance cyber resilience; and
  • Opportunities to strengthen cross-industry collaboration;

Here are some of the major findings:

Cyber Strategy

While over 70 percent of SLG leaders report updating their cyber strategy in the past year, the majority still face gaps which are concerning. About half – 56 percent – are able to contain and minimize damage from an attack, and only half can quickly restore all lost data following an attack. Finally, only a third are confident that they can thwart any attack on their organization.

Prioritizing Target Defenses

When it comes to which components of their digital estate SLG IT leaders are most concerned with securing, half specified their networks, and citizen data. Interestingly, over twice as many state IT leaders say they face a visibility gap as to who is on their network compared to their local government counterparts.

Another third were worried about their infrastructure and program operations, while a quarter said identity data and devices were likely vulnerable.

Top Concerns

Asked about their top security-related concerns, 58 percent of the professionals surveyed  by MeriTalk responded by saying cyberattacks in general. A 40 percent share said they worry about legacy systems being a vulnerable target, while 30 percent listed attacks launched via  compromised vendors as a major concern. Rounding out top concerns were web-based attacks, at 36 percent, and loss of citizen data, also at 36 percent.

Must Haves

Respondents were asked which cybersecurity measures were seen as “must-haves” for SLG organizations. Data backup and restore, multi-factor authentication, and enterprise-wide cybersecurity training were each cited by just over half. A bit less than half reported “must-haves” for endpoint detection and response (EDR), continuous monitoring and diagnostics, and always-on encryption. Despite the current Federal-level policy push, only 28 percent said zero trust security was a “must have.”

On the last point with zero trust, the “must haves” should move higher over time as White House EO 14028 and the recently released Federal strategy memo emphasize the immediate need to shift to more secure cloud services and implement zero trust architectures to safeguard agency and citizen data.

With a 2024 deadline set for Federal agencies to meet one of the first big sets of zero trust security goals, state and local agencies should plan to implement similar cybersecurity standards to interface with Federal networks.

Data Protection Roadblocks

The top roadblock cited by about a third of IT leader respondents was a lack of skilled personnel. Other roadblocks were outdated technology, a lack of visibility into shadow IT, too many competing cyber priorities, and the lack of automation. Gaining almost universal agreement of sentiment, 94 percent said improved digital literacy is vital for effective overall cyber defense.

Application Security

A large majority – 88 percent – said application security is vital to reducing the overall attack surface within their organizations. Some of the solutions cited include Dynamic Integration Application, security testing (DAST), and purchase agreements with trusted cyber security providers.

Future Focus

When asked which tools or practices organizations are planning to adopt in the near future, 40 percent of SLG IT leaders identified modern identity management systems, automated cyber risk monitoring, threat hunting, and automated risk management for third-party vendors. Only a third cited application security testing; security, orchestration, automation, and response (SOAR) solutions; digital-as-built (DAB) approach; and zero trust. It was interesting to note that SOAR solutions are significantly more likely to be a short-term priority for state vs. local government (45 percent to 13 percent).

Critical Collaboration

SLG leaders said they want to collaborate with Federal agencies and private sector organizations on threat hunting, data/software standards, and automation to maximize cybersecurity and data protection.

Modern data protection depends on effective communication across sectors, and 91 percent agreed that information sharing before, during, and after ransomware attacks must be mandatory across public and private sectors.

Final Recommendations

SLG leaders must define measurable goals, outline a step-by-step roadmap to achieve them, and work to close implementation gaps on foundational cyber solutions to move their network and data defenses forward.

Those leaders also recommend improved digital literacy across their organizations, which should help shrink the cyber skills gap, improve the case for digital transformation, and reduce the incidence of shadow IT.

And finally, SLG leaders feel application security is vital to reducing the overall attack surface within their organizations. Successful project prioritization will result in more secure software development life cycles, a culture of continuous improvement, and stronger security practices throughout the organization.

We invite you to download the entire report.

Read More About