How state and local agencies can fully fund cybersecurity

In Virginia, it took a frightening attack of “extremely sophisticated malware”^[1] that temporarily locked up the state legislature’s computer systems in December 2021 to raise the awareness of lawmakers. In response to the attack, the Virginia House inserted a line item in its state budget bill for $150 million to cover cybersecurity over the next two years.

If you thought all states are doing the same thing, you’d be mistaken. Cybersecurity is chronically underfunded in many states, even though state and local governments are frequent targets of ransomware actors. Most state cybersecurity budgets are between 0% and 3% of their overall IT budget. In the private sector, that figure is more than 10%, according to the National Association of State Chief Information Officers (NASCIO).

No state or local government agency wants to suffer a cyberattack, but without sufficient funding, it will be impossible to mount a defense. Here are three tips to secure the funding you need:

1. Establish a cybersecurity budget line item.
   Despite rampant ransomware attacks, nearly half of all US states do not have a budget line item for cybersecurity, according to NASCIO. That’s in contrast to federal government agencies, which track cybersecurity funding as a portion of their overall IT spending. Even if your agency is spending money on data security, if it’s not a line item, it’s invisible. And visibility is critical, given the continual pressure placed upon agency budgets. By establishing transparency, you give the people with the purse strings the feeling they are not just dumping money into a black box. With a clear line item, you can specify which products and services you are purchasing, why they are needed, and against what they are protecting.

2. Be aware of the funds that are available.
   Inside the $550 billion infrastructure bill that President Biden signed into law in the fall of 2021, is a four-year, $1 billion commitment to help state governments implement cybersecurity. That works out to $20 million per state. Develop a plan to spend that money intelligently, effectively, and responsibly. There’s no certainty of continued federal funding after four years, but if you have put in your budget a transparent line item and can demonstrate you have spent the money to good effect, you’ll be making a strong case that your state should take up the funding slack in the future. Right now, the money is there — it’s irresponsible not to put it to use to protect taxpayers’ data.

3. Implement effective technology.
   Regular product upgrades and security patches need to be included in your transparent budget. Failure to keep products current with security patches is a major cause of the most damaging breaches. But making sure your software is up-to-date is a baseline. To give your agency maximum protection, you’ll need to implement a Zero Trust cybersecurity strategy. Zero Trust is mandated for federal agencies, and it should be the centerpiece of State and Local agency defense as well. Zero Trust applies multi-factor authentication, least-privilege access, micro-segmentation of infrastructure, and data isolation to limit the chances of a successful attack and greatly reduce possible damage. By executing the Zero Trust principle of isolation, you will keep malware completely off your users’ systems, making it impossible for ransomware to encrypt your data. Remote Browser Isolation (RBI) is a highly effective tool to implement isolation in a Zero Trust strategy. RBI should be among the technologies covered by your cybersecurity budget line item.

Bottom line

Effective IT leaders have mastered not only the technology- but the budget process. Always aware that some might view their realm as a cost center, they come fully prepared to budget meetings, ready to defend vital allocations. A cybersecurity line item is the first step to gaining funding. It’s important also to demonstrate your ability to make good on newly available federal funds by investing in technologies to implement a Zero Trust strategy — including tools like RBI that prevent ransomware from ever reaching your users’ systems.