Cybersecurity in Local Government: Why Leadership Accountability is the Foundation of Resilience


After nearly four decades in IT and cybersecurity and over two decades as the CISO for one of the largest counties in the U.S., I’ve witnessed the cyber threat landscape evolve from nuisance malware to highly sophisticated, targeted attacks on critical infrastructure. Yet, we’re still having the same conversations we had a decade ago.
At the 2025 National Association of Counties (NACo) Legislative Conference, the conversations around cyber challenges were painfully familiar—limited budgets, cultural inertia and threats outpacing the solutions. Leadership accountability is still missing despite rising threat volumes and clear public impact.

Cyber Risk Is a Leadership Issue

Leadership accountability cannot exist without clear ownership. Every local government must assign cybersecurity responsibility to a qualified chief information security officer (CISO). They should possess the technical acumen to manage threats and implement controls, and the leadership skills to engage across departments and articulate risk in business terms.

For resource-constrained jurisdictions, a virtual CISO (V-CISO) engagement can be a cost-effective alternative to hiring a full-time employee, bringing deep strategic and operational expertise at a fraction of the cost. However, the use of a V-CISO does not absolve internal leadership of responsibility. If a V-CISO is utilized, there must still be a clearly identified person within your organization who is accountable for making decisions on risk mitigation, co-presenting the cybersecurity strategy and advocating for the investments required to meet your program’s needs. Outsourcing the expertise is smart; outsourcing the accountability is not.

The cybersecurity lead must have direct and regular access to executive leadership, including county executives, city managers, boards and mayors. Without this access, critical risks get delayed, distorted or deprioritized before they reach decision-makers. This structure allows for timely risk escalation to leadership, informed decision-making grounded in technical and business realities, and shared accountability between IT/security leaders and executive leadership.

• Faster Risk Escalation: Direct reporting structures reduce the time it takes for high-risk issues to reach leadership by 50 percent, enabling quicker mitigation.
• Clearer Accountability: Role clarity improves cross-departmental response coordination by 40 percent in cyber incident drills, ensuring faster containment and recovery.
• Improved Strategic Alignment: CISOs with executive access report a 60 percent increase in cybersecurity initiatives aligning with agency-wide priorities, such as citizen services and operational continuity.

Cybersecurity is an enterprise risk that demands ownership at the executive level. Local government leaders—county executives, department heads, boards and mayors—must treat cyber risks like fiscal, operational or public health risks. Leadership accountability transforms cybersecurity from a reactive IT issue into a proactive enterprise risk management function. This includes understanding the risks in business terms, making risk decisions based on data, and accepting or mitigating risks formally, with documentation and accountability. A documented Risk Notification Program ensures that leadership remains informed, engaged and accountable. When leadership takes ownership of cyber risk, measurable improvements follow.

• Reduction in Attack Surface: Leadership-driven vulnerability management programs can reduce critical vulnerabilities by 30 percent within six months, ensuring that high-priority risks are addressed promptly.
• Improved Incident Response Times: Engaged leadership can reduce Mean Time to Detect (MTTD) from days to hours and Mean Time to Respond (MTTR) from weeks to days by investing in advanced detection tools and incident response training.

Using Common Sense and Being Realistic—A CISO’s Guidebook

CISOs must recognize that there will be times when leadership deems a risk acceptable. That’s why a formal Risk Notification Program is essential. If leadership accepts a risk, document it and follow up accordingly. Always provide at least three recommendations for mitigating risks, complete with associated costs. Be realistic with your options, especially regarding costs. If the cost is high, propose a phased approach—Year 1 will cost X, Year 2 will cost Y, and so on. Approaching leadership with an unaffordable cost and no plan will result in risk acceptance or outright rejection. Document these interactions and ensure leadership acknowledges them.

Funding Isn’t the Only Problem—But It’s a Big One

Despite well-known vulnerabilities, many local governments remain underfunded and under-resourced. The refrain of ‘cyber is too expensive’ continues, even as ransomware attacks cost jurisdictions millions and erode public trust. The State and Local Government Cybersecurity Program (SLGCP) funding from the federal government is a welcome catalyst, but not a permanent solution. Those funds should be viewed as seed money to mitigate high-priority risks, build foundational capabilities and create early momentum.

Cybersecurity is a core government service. Protecting citizens through digital platforms must become second nature. That protection requires consistent investment and prioritization in the local budgeting process.

• Reduction in Ransomware Impact: Leadership investment in endpoint detection and response (EDR) solutions can reduce ransomware downtime by 50 percent and recovery costs by 30 percent within a year.
• Enhanced Employee Engagement: Leadership-driven cybersecurity training programs can reduce phishing simulation click rates from 20 percent to under 5 percent within six months, fostering a culture of security awareness.

At the same time, future federal funding must increase in line with the scale and sophistication of threats and go directly to local governments, allowing CISOs and CIOs to act swiftly and strategically. In short, federal support can kick-start local resilience, but the local government is accountable for building and sustaining cybersecurity maturity.

The Vendor Role in Cost and Risk

While local governments are responsible for prioritizing cybersecurity, solution providers also have a role to play. Vendor pricing models often fail to account for the vastly different realities between large cities and small-town governments. Vendors must acknowledge this disparity and adapt their pricing models accordingly. Offering flexible tiers, cooperative agreements or scaled-down solutions for smaller municipalities is an innovative, sustainable business model.

Cloud Adoption: Accountability Doesn’t Disappear

As more local governments move systems and services to the cloud, there’s a dangerous misconception—it’s in the cloud, so it’s secure. Accountability for data security remains with the local government, even in the cloud. Migrating to cloud services doesn’t eliminate responsibility; it redefines how that responsibility must be managed. Before selecting a cloud provider, governments must require:

• Security attestations and third-party risk assessments.
• Up-to-date SOC 2 Type II certifications and ISO/IEC 27001 compliance.
• A complete Software Bill of Materials (SBOM).
• Detailed data classification alignment and segregation practices.
• Clear accountability for breach notification timelines.

• Faster Recovery Times: Leadership investment in cloud-based disaster recovery solutions can reduce Recovery Time Objective (RTO) from 48 to 12 hours and Recovery Point Objective (RPO) from 24 to 4 hours within a year.

It’s not just about trust—it’s about due diligence. Government data, especially citizen data, must be protected to the same or greater standard in the cloud than on-premises.

Culture and Performance: The Missing Metrics

Technology alone cannot solve cybersecurity challenges without cultural alignment. When leaders exempt themselves from policies, like skipping MFA or cyber training, it sends a clear message—cyber is optional. We must establish that cybersecurity is everyone’s responsibility, and leadership sets the tone. This includes documenting exceptions to policy, requiring written acknowledgment of risk from those requesting them, and reporting exception metrics regularly to senior leadership.

• Improved Risk Management Metrics: A documented Risk Notification Program can reduce unmitigated risks by 25 percent within a year by ensuring that all risks are either mitigated or formally accepted with accountability.
• Reduction in Security Incidents: Proactive leadership can drive a 20 percent reduction in security incidents annually by addressing root causes and implementing preventive measures.

Leading from the Front

Some local governments have made substantial progress in cyber maturity. Where leadership owns risk decisions, empowers CISOs and invests in resilience, you see real results. Others are still operating on legacy assumptions that cybersecurity is a tech problem or an IT cost to be minimized. Cybersecurity is no longer solely about hardening networks—it’s about fortifying accountability. It’s not about what tools we buy but the decisions we make. It’s not about outsourcing risk—it’s about owning it.

• Improved Public Trust: Transparent communication about cybersecurity initiatives can improve citizen satisfaction scores by 15 percent within a year.
• Alignment with Business Objectives: Leadership accountability ensures that 90 percent of cybersecurity projects align with organizational priorities, such as protecting critical infrastructure or enabling digital transformation.