State and local governments need a unified approach to cybersecurity

COMMENTARY | A consolidated cyber operations framework for states isn’t just a strategy — it’s a lifeline in an era of relentless cyber threats.
The White House’s recent shift in cyber risk management represents a pivotal moment for state and local agencies.
With the release of the National Resilience Strategy, state and local agencies now bear the responsibility of making critical infrastructure decisions to address growing domestic and foreign cyber threats. Moreover, the implementation of major federal budget reductions has forced states to fight for the protection of critical election systems and public service infrastructure.
States also face pre-existing cyber risk management challenges, such as navigating budget constraints, workforce shortages, work silos and tool fragmentation across different agencies. In fact, nearly 40% of chief information security officers report insufficient funding for adequate cybersecurity measures.
The desired results extend beyond tool implementation and threat response: agencies must develop a new approach that consolidates tools and manages cyber risks effectively.
Relying on siloed tools is not effective against advanced ransomware attacks or cyberattacks powered by generative artificial intelligence.
Incidents like the American Water breach underscore the urgent need for consolidated risk management frameworks to protect vital state and local infrastructure. This is where the Risk Operations Center framework comes in.
The ROC framework provides state and local governments with a unified approach to establishing strategic threat prioritization and building infrastructure resilience. For instance, a ROC shifts the focus to proactive risk management — identifying systemic vulnerabilities before they become crises — and facilitates collaboration across agencies to collectively defend against emerging threats.
However, the ROC is not simply an evolution of the traditional Security Operations Center; it is a paradigm shift. While SOCs focus on detecting and responding to immediate threats, ROCs focus on risks based on their potential impact on mission-critical outcomes. This broader perspective aligns security efforts with agency priorities, allowing state and local governments to address vulnerabilities proactively rather than reactively.
What sets a ROC apart is its threat response approach. The ROC handles cybersecurity risk in addition to real-time threat detection. It collects security data as risk telemetry to display complete threat and vulnerability insights across state and local agencies without requiring system replacements. Through ROCs, risk management also becomes an integral part of operational priorities, with efforts directed toward an agency’s mission objectives.
ROCs complement SOCs, working alongside them to support proactive risk management. This framework allows CISOs to detect security vulnerabilities early and to rank threats according to their level of impact on public services and citizen trust. The goal is to transition from the current reactive approach of managing risk to a proactive consolidation model that reduces tool sprawl.
Lastly, the persistent shortage of skilled cybersecurity professionals remains a significant hurdle for state governments. By centralizing expertise within a ROC, states can maximize the impact of skilled personnel while leveraging automation to handle routine tasks. This frees up teams to focus on high-priority incidents that require human intervention.
When combined with a ROC, a whole-of-state approach to state and local cybersecurity protects national security, aligns human resources, improves efficiencies and reduces human error.
The National Association of State Chief Information Officers champions a whole-of-state approach to cybersecurity, emphasizing collaboration across state and local entities to address increasing cyberattacks against healthcare, education and critical infrastructure. A ROC embodies this strategy by bolstering the cybersecurity postures of state and local government in many ways:
- Establishing a ROC facilitates collaboration between state and local governments without requiring tool standardization.
- Centralized oversight ensures consistent implementation of frameworks like NIST CSF 2.0 and CISA guidelines.
- Smaller municipalities often lack the budget or expertise for robust cybersecurity. A ROC enables them to leverage enterprise-level capabilities without duplicating efforts.
- Real-time intelligence sharing ensures rapid detection and response across all levels of government.
The stakes have never been higher for state and local governments as cyber threats grow more sophisticated and relentless.
A consolidated ROC framework offers more than just a solution; it provides a lifeline to protect national security, critical infrastructure, public services and citizen trust. State CISOs can identify vulnerabilities before they escalate into crises by moving from reactive to proactive risk management, ensuring resilience in the face of evolving threats like ransomware and generative AI-powered attacks.
The time to act is now. With the support of frameworks like the ROC and a whole-of-state approach, state CISOs can break down silos, centralize expertise and build a unified defense against adversaries targeting our nation’s most vital systems.
State and local cyber risk management is no longer just an IT issue — it has become a mission-critical national priority that demands bold leadership, strategic collaboration and unified cyber risk management tactics. The future of protecting our citizens from cybercriminals depends on it.
Jonathan Trull is chief information security officer and senior vice president for security solution architecture at Qualys.