Preparing state CIOs for the future of cyber and AI defense

COMMENTARY | States must act fast and be strategic, and their actions now can lay the groundwork for long-term success even as they await additional guidance and funding.

The White House’s Achieving Efficiency Through State and Local Preparedness executive order marks a major shift in responsibility by expanding states’ cybersecurity obligations. Building on this momentum, the newly released Artificial Intelligence Action Plan requires states to reevaluate their AI regulations if they want to remain eligible for federal funding. 

Together, these mandates create an opportunity for state governments to expand their impact and leadership. With the right guidance, enhanced authorities and financial support, states are well-positioned to succeed and deliver meaningful results.

States play a pivotal role in safeguarding the critical infrastructure that keeps our nation running — power grids, water systems, emergency services and more. As these systems become increasingly attractive targets for adversaries, state chief information officers, chief information security officers and governors are taking on greater responsibilities. 

To meet this challenge, they must act quickly and strategically, and leverage the knowledge they already have at their disposal. Early actions, including strengthening cyber defenses, prioritizing risk assessments, and coordinating with federal partners, lay the groundwork for long-term success, even as additional guidance, authorities and funding are secured.

Adversaries aren’t waiting for states to implement comprehensive cybersecurity and incident response plans. Gaps in protocols for threat detection, breach response, and cross-agency coordination leave critical infrastructure vulnerable. The question is no longer if a breach will occur, but when.

The true measure of resilience will be how quickly and effectively states respond: containing the attack, sustaining operations, and recovering quickly. To thrive in this new reality, state leaders must define their cybersecurity responsibilities, prioritize critical assets, adopt whole-of-state approaches, and establish necessary AI protections.

Defining Responsibilities and Protecting the Essentials

To effectively address these challenges, states must begin by drawing clear lines of responsibility. That means pressing the federal government for explicit guidance on roles, authorities, and available funding, while internally conducting gap analyses to determine where federal coverage ends and where new state obligations begin. Once responsibilities are understood, leaders must immediately prioritize and develop a plan of action.

Most states have limited budgets and staff for cyber functions; not every system can be defended equally. Trying to spread resources too thin will only increase exposure. Instead, states should focus first on the most critical systems while adopting an “assume breach” mindset.

An “assume breach” mindset accepts that breaches are inevitable and shifts the focus from trying to prevent every breach to minimizing the impact through security measures, protocols, and tools designed as if an attacker is already inside the network. 

From there, states can begin identifying their pain points and mapping operations, including what systems would create the greatest disruption if taken offline, where current defenses are weakest, and what resources exist to close those gaps. Recent research found that 47% of organizations hit by a ransomware attack paid the ransom, simply because they couldn’t afford downtime.

Adopting an “assume breach” mindset and building internal defenses doesn’t require an immediate, large-scale overhaul. The key is to look at responsibilities and determine which tasks can realistically be tackled first. Next, conduct a targeted review to identify vulnerabilities. Then, prioritize these vulnerabilities based on the most urgent needs and current capabilities. 

Other incremental steps include tightening controls around crown-jewel systems, building better detection for unusual activity, and practicing faster response protocols. Each step increases resilience. The goal isn’t perfection, but ensuring that when attacks happen, critical services remain operational, and citizens don’t feel the impact.

Breaking Down Silos to Build Whole-of-State Strength

Even the most well-funded states cannot meet these responsibilities in isolation. Simply pushing responsibilities down without coordination only multiplies the risks. That is why a whole-of-state approach is essential. 

Rather than leaving states and municipalities to operate independently, collaboration ensures comprehensive coverage. By sharing resources, standardizing services, and coordinating responses, local governments gain access to tools and expertise they could not otherwise afford. This collective effort strengthens trust and resilience across the state.

Cyber events rarely stop at state borders, and one state’s compromise can ripple across a region. A successful attack on Texas’s energy infrastructure, for example, could cascade far beyond its borders, impacting fuel and heating across neighboring states. Pooling resources, sharing intelligence, understanding priorities, and aligning strategies can turn limited budgets into a force multiplier.

The State and Local Cybersecurity Grant Program has also been instrumental in helping states build cybersecurity plans and deliver shared services. As the program's future remains uncertain, leaders cannot wait to act. They must have a plan in place that sustains these collaboration efforts.

Bring AI Into the Security Fold

The AI Action Plan also prioritizes AI security for state leaders. To remain eligible for funding, leaders must inventory where AI is already embedded across government services and establish safeguards for transparency, accountability, and security. AI systems should be treated no differently than other critical assets. They must be integrated into the broader cybersecurity posture and subject to the same risk assessments and protections.

This is not only about reducing risk but also about ensuring that states don’t lose out on crucial federal resources. Acting now on AI governance gives states a chance to get ahead of potential vulnerabilities rather than reacting after adversaries or compliance failures expose them.

Proactive Leadership is Needed

While states wait for additional support and guidance, they must act. By creating a plan and making smart, upfront decisions about cybersecurity and AI protections, states can avoid breaches that spiral into disasters, prevent costly operational downtime, and strengthen long-term resilience. 

Every dollar spent on proactive measures today translates into efficiency gains tomorrow, reduced recovery costs, and minimized disruption. Investing early isn’t just about security; it’s about ensuring government operations run smoothly and resources are used wisely.

Gary Barlet is the public sector chief technology officer at Illumio, where he works with government agencies, contractors and the broader ecosystem to incorporate zero trust segmentation, or microsegmentation, as a strategic enabler of zero trust architecture.
