Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

How State and Local Governments Can Serve Citizens More Securely

The top 10 priorities of state CIOs underscore the importance of securing applications and APIs in complex environments.

Joshua Goldfarb, Field CISO

October 23, 2023

5 Min Read
Traffic cop wearing bright orange reflective rain gear directing traffic on rainy night in Times Square New York
Source: Chuck Pefley via Alamy Stock Photo

The US National Association of State Chief Information Officers (NASCIO) released its set of State CIO Top Ten Policy and Technology Priorities for 2023 back in December 2022. I'd like to examine these priorities now as they relate to developing, delivering, and securing the applications and application programming interfaces (APIs) that help make state and local governments run — as well as how the complexity of hybrid and multicloud environments factors into the priorities.

1. Cybersecurity and Risk Management

Over time, infrastructure has become significantly more complex and distributed. Most enterprises, including state and local governments, are managing hybrid and multicloud environments. By exposing more touch points, these more complex environments create an expanded threat landscape. State and local governments face intense pressure to continue improving their applications and APIs. However, this fast pace of innovation opens up the potential for vulnerabilities and security issues and necessitates protecting those applications and APIs. Thus, it is no surprise that cybersecurity and risk management are this year's top priority.

2. Digital Government/Digital Services

Now more than ever, state and local governments are tasked with providing digital services to their citizens. Ensuring that services are provided to the appropriate and intended individuals is of the utmost importance. So is ensuring that digital services give citizens the best possible experience. This requires simplifying and optimizing how environments in which we deploy our applications and APIs are managed, as well as having those environments perform properly. Simplifying complexity improves security by removing the potential for human error, as does ensuring that APIs are served to the right citizens in a timely manner.

3. Workforce

New environments require new skills. As state and local government infrastructures have evolved, so have the skills required to manage, operate, maintain, and secure them. This means training the workforce and equipping workers for today's challenges — including securing hybrid and multicloud environments and detecting, analyzing, and responding to security incidents wherever they occur, even in one or more cloud environments.

4. Legacy Modernization

The migration of some applications and APIs to hybrid and multicloud environments has become an integral part of legacy modernization. As states and local governments go through these modernization efforts, their cloud strategies have been and will remain an important piece of the overall picture. Environments will need to be properly secured as they are modernized, regardless of where those environments reside.

5. Identity and Access Management

Applications and APIs connect to (and potentially expose) back-end systems and data. In many cases, they are also the public face of the enterprise. As such, properly controlling access to applications and APIs is a significant challenge for any enterprise, including state and local governments. While identity and access management (IAM) is a broad topic, it has specific applicability to applications and APIs running in hybrid and multicloud environments.

6. Cloud Services

As noted above in point 4, cloud strategy is an important piece of the overall picture within state and local governments. Citizens have grown to expect services to be delivered quickly and efficiently. They also expect significant innovation. This has necessitated that state and local governments move quickly and adapt. Such nimbleness is a key component of any cloud strategy, and an organization's cloud security efforts need to be equally nimble.

7. Consolidation/Optimization

Simplifying and optimizing the management, operations, maintenance, and security of a variety of environments remains an important priority for two main reasons: In many enterprises, entire teams are dedicated to operating and maintaining infrastructure, development, security, and other technology stacks at each different environment. As the number of environments grows, this approach does not scale (it is an n-squared problem, for those who enjoy algorithms).

In addition, as the saying goes: Complexity is the enemy of security. The complexity that hybrid and multicloud environments introduce makes it difficult to universally and consistently apply security policies. It also opens up the potential for human error and oversights that can lead to vulnerabilities. Simplifying this complexity by consolidating and centralizing the management of different environments becomes a necessity.

8. Data and Information Management

Properly securing APIs, which expose back-end systems and data, is an essential piece of protecting data. API security includes a variety of important topics, including ensuring APIs conform to security policy and schema requirements.

While API security is a big focus area, so is API discovery. After all, if an API is not known, it can't be properly inventoried, managed, and secured. When thinking about data and information management, it is important to consider the security of APIs as an important part of that.

9. Broadband/Wireless Connectivity

Part of providing services to citizens involves bringing state and local networks closer to the constituents. Efforts to improve broadband and wireless connectivity have many moving parts, and cloud and edge environments play a role in these efforts. Protecting those networks from unauthorized access is paramount to security.

10. Customer Relationship Management

Citizens have come to expect that state and local governments will provide services within acceptable time frames. This requires serving applications and APIs quickly and efficiently. Service-level agreements (SLAs) will need to be met. A well-designed cloud security strategy is an essential part of achieving these goals and properly managing the relationship with citizens.

In Short: Applications Are Key

State and local government CIOs and their teams face no shortage of challenges. Generally, there are more issues needing attention than there are resources to do them. As such, simplifying the management, operations, maintenance, and security of complex environments becomes key.

In the era of hybrid and multicloud environments, state and local governments will generally see good returns on investments by more efficiently and effectively developing, delivering, and securing the applications and APIs that help make state and local governments run.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights