2023-2024 SLED Cybersecurity Priorities Report

Research that identifies the unique needs, priorities, concerns, and trends affecting state, local government, and educational leaders.

Don’t have time to read this? Take it with you!


We're all SLED, but we're not all the same

It’s important to note that, while SLED (State, Local, Education) is a common and convenient way to look at a certain set of public-serving entities, there are serious differences between the groups that comprise it.

State and local government includes state-level agencies like the Department of Motor Vehicles, municipal agencies like the police department, K-12 schools, as well as colleges and universities, public utilities, and more. Although this diverse array of organizations is typically discussed together under the SLED umbrella, our experience and the research in this report have shown that understanding and addressing the unique challenges of each group requires an appreciation of its diverse characteristics.

Table of Contents

Current Chapter:

Welcome to the 2023-2024 SLED Cybersecurity Priorities Report

A note to readers from the SLED CPR Executive Director Curt Wood.

It is a privilege to collaborate with the contributors and collectors of the insights within this report. This report is created and designed to provide support for your cybersecurity initiatives. The report also aims to raise awareness of the unique challenges faced by SLED leaders like you that protect systems and services we all rely on.

During my time as CIO for the Commonwealth of Massachusetts, I was fortunate to have the backing of other executive officers and legislators who understood the need for resiliency. The programs my team championed—and described in last year’s CPR—continue to evolve and improve, to the credit of the current leaders. We all thrive when we share our successes and our concerns. The openness of our community often separates it from similar teams in more competitive commercial environments.

It is rewarding to lead the content strategy and outreach for this year’s report. As Executive Director of the report, I hope that the information will be useful to you in the coming year. I also hope that you will reach out to me, and to the CPR team, with your feedback, stories, and input into next year’s strategy.

Thank you for all that you continue to do to protect our communities.

Curt Wood 500x500
Curt Wood Executive Director of the SLED CPR, Former CIO for the Commonwealth of Massachusetts

Strategies for implementing Whole-of-State cybersecurity

The primary goal of Whole-of-State (WoS) cybersecurity is to overcome expertise and resource deficiencies at the local level and establish a unified cybersecurity strategy that addresses cybersecurity risks across the state and its various departments and agencies. By sharing threat intelligence, best practices, and resources, entities can collectively identify and respond to emerging threats more effectively. A collective defense approach creates an effective network, where the security posture of each organization improves as the collective strength increases. Organizations that collaborate and cooperate for a united defense are inherently safer.

Benefits of WoS cybersecurity for SLED

Adopting a WoS approach can strengthen and enhance cybersecurity infrastructure across state and local government and the education sector. A report examining WoS cybersecurity implementations notes that in one state, “The CIOs agree that a cooperative approach is the best way to ensure an adequate defensive posture across disparate state and local entities, where the availability of skills and resources can vary widely.”


The combined purchasing power of collaborative approach enables participating organizations to obtain more and better cybersecurity tools. Having the same solutions consistently and widely deployed simplifies and reduces complexity.

Information sharing and collaboration between various state agencies and departments and education institutions is a benefit of WoS cybersecurity that can lead to more efficient use of resources, and better coordination between various departments and agencies. The exchange involves shared situational awareness and common threat intelligence, which can help groups identify and respond to cybersecurity threats quickly and effectively.

One of the biggest benefits from a Whole-of-State program is the increased breadth of data collection. Data collection is the foundational element of data analytics, which drives much of data security.
Tina Carkhuff 180x180
Tina Carkhuff Industry Advisor, Splunk

“In a good Whole-of-State program, you can collect your data in such a way that you have uniform standards regardless of where that data sits, providing the opportunity to implement better and more reliable analysis with that data,” explains Tina Carkhuff, Industry Advisor at Splunk and former CIO for the City of Houston.

Risk awareness, management, and mitigation efforts are enhanced through WoS. The enhancement is accomplished by a comprehensive and coordinated approach to risk management, which can help identify and prioritize cybersecurity risks and develop effective risk mitigation strategies.

A WoS strategy also improves compliance with regulatory standards. Many states and local governments and education institutions must comply with various cybersecurity regulations and standards. WoS cybersecurity can help support compliance by promoting a more holistic, synchronized approach to cybersecurity, while not compromising individual agency compliance requirements.

For more information on the benefits and challenges of a WoS cybersecurity, download the 2023-2024 SLED CPR.

Strategies for implementing WoS cybersecurity

One of the key strategies for implementing WoS cybersecurity is to establish a governance framework. This framework should define the roles and responsibilities of various state agencies and departments, education institutions, and private sector partners, as well as the policies and procedures for information sharing and collaboration.

Another element of WoS strategy is to build an integrated cybersecurity strategy. This strategy involves a complete and collaborative approach to cybersecurity that includes shared situational awareness, common threat intelligence, and integrated risk management, combined with a standardized incident reporting and response framework. A well-defined cyber incident response playbook that outlines the basics of incident management protocols is helpful when coordinating responses across multiple agencies, jurisdictions, and incident locations.

Developing a culture of cybersecurity awareness is essential for implementing WoS cybersecurity. This involves educating employees, contractors, and stakeholders on the importance of cybersecurity, and promoting best practices for cybersecurity hygiene and awareness. Another essential component of cybersecurity culture is the need to ensure our political and executive leadership (state, local, and education level) own and lead on this front.

Effective WoS cybersecurity also depends on deploying advanced cybersecurity technologies. This includes threat intelligence platforms, security information and event management (SIEM) systems and endpoint detection and response (EDR) tools.

Part of the beauty in a Whole-of-State program is the combination of purchasing power and economies of scale. Even the smallest organizations can realize the benefits of the best products, supported with centralized expertise, because of this collaboration.
Tamer Baker 180x180
Tamer Baker Chief Technology Officer, Zscaler

For more information on how to evangelize WoS Cybersecurity and the State and Local Cybersecurity Grant Program (SLCGP), download the 2023-2024 SLED CPR.

Retain and develop cybersecurity talent

Attracting and retaining cybersecurity talent is challenging for SLED organizations. The talent challenge is about more than just IT protection. The challenge involves safeguarding citizens' data, ensuring government programs and services remain accessible and uninterrupted to the public, and maintaining public confidence in the government to deliver critical services when needed.

The landscape of cyber talent in state and municipal governments

Recent trends in staffing paint a picture of organizations struggling to close gaps in cybersecurity roles. A report from govtech.com notes, “CISOs are grappling with talent gaps and weak relationships with local agencies. The latter has emerged particularly as an obstacle to whole-of-state cybersecurity and new federal grants requiring collaboration with local partners.”

In a 2022 NASCIO report, 62% of CISOs surveyed agree that personnel don’t have the knowledge, skills, and behavior to meet all the current and anticipated cybersecurity requirements. In the same survey, 50% of CISOs shared that there just aren’t enough available cyber professionals.


Download the 2023-2024 SLED CPR for more information on the key challenges in attracting and retaining cybersecurity talent in SLED and the impact of staff turnover on cybersecurity operations.

Create a robust talent retention strategy

Recruiting and supporting candidates with diverse backgrounds and experiences can improve the odds of building skilled teams in this competitive market. SLED organizations that are succeeding with this strategy have four common practices including:

  • Build a positive and inclusive cybersecurity culture
  • Recognize and reward cybersecurity excellence
  • Provide opportunities for professional growth and advancement
  • Implement flexible work arrangements and work-life balance initiatives

Read more about these practices by downloading the full report.

Lessons from the field

As the Chief Information Security Officer for the state of North Dakota, Michael Gregg understood the importance of effective talent development and retention. He worked with leadership to promote cybersecurity education, embedding it into the curriculum from kindergarten through high school. The initiative not only builds a foundational understanding of cybersecurity but also nurtures future professionals.

Gregg emphasizes the value of engaging youth through innovative programs like Cyber Madness.

These initiatives offer not just learning opportunities but also scholarships, sparking interest in cybersecurity careers among students.
Michael Gregg 500x500
Michael Gregg CISO, State of North Dakota

Additionally, Gregg stresses the significance of providing a comprehensive learning environment, offering exposure to a wide range of security tools and duties—a unique advantage of the public sector over the private sector.

Another key aspect of the strategy implemented in North Dakota is its focus on developing soft skills alongside technical expertise. By training cybersecurity professionals in effective communication and presentation, organizations are better equipped to articulate complex ideas and findings, an essential skill in this field.

The programs in North Dakota also emphasized efforts in promoting diversity and inclusion, particularly in increasing participation from underrepresented groups. This focus underscores the importance of a diverse and inclusive cybersecurity workforce.

The programs and initiatives implemented in North Dakota by Michael Gregg offer a holistic and innovative approach to addressing the challenges of recruiting and retaining cybersecurity talent in SLED organizations, blending education, skill development, diversity, and technological advancement.

Download the report

Cyber insurance for SLED

With the increasing frequency and sophistication of cyber attacks, state and local government agencies and education institutions are searching for effective means to limit their financial liability and operational impacts, especially in cases where attackers are successful. A commonly desirable solution is cyber insurance. A report from the United States Government Accountability Office (GAO) reveals that the total direct written premiums for cyber insurance increased by about 50%—from $2.1 billion to $3.1 billion—from 2016 to 2019.

Unfortunately, as attacks grow in frequency and impact, policy premiums are rising; at the same time, coverage is becoming more limited—or in some cases, simply unavailable. Consequently, SLED leaders are now re-evaluating whether cyber insurance is the right tool or approach for transferring or limiting cyber-related risks. Like other forms of insurance (automobile, home, life, etc.), cyber insurance provides a means of transferring risk. While that sounds great at face value, there are some important factors to weigh before choosing cyber insurance. Aside from the simple risk/benefit analysis, government agencies and other public sector entities also face potential legislative or bureaucratic hurdles.

Does cyber insurance make sense for SLED? Download the full report to find out.

Benefits and pitfalls of cyber insurance

We have found that cyber insurance can be a valuable tool in some cases, but it’s essential to fully understand the potential pros and cons to make an informed decision. Here are some of the key advantages and potential challenges of cyber insurance facing public sector organizations.

Benefits of cyber insurance

  • Financial risk mitigation
  • Incentive for enhanced cybersecurity
  • Expertise and post-breach services
  • Training and awareness resources

Potential pitfalls of cyber insurance

  • Limited and varied coverage
  • Potential for complacency
  • Rising costs and affordability
  • Complex claims and disputes
  • Overreliance on insurance in decision-making

Learn more about these benefits and pitfalls, determining the right amount of cyber insurance, hybrid approaches to insurance and more, by downloading the full report.

Assessing the cyber threat landscape

Cybercriminals are often indiscriminate in selecting targets, and that means public sector organizations face the same persistent siege of threats on the internet at large. Some threat actors, however, are more selective in choosing victims, and state and local government, educational institutions, municipal utilities, and other public sector entities are often at the top of their lists.

It’s crucial for organizations to have sources for gathering current threat intelligence, and processes for ensuring IT security teams are aware of emerging and active threats. However, resource limitations and regulatory hurdles can sometimes make the effort more challenging.

For the complete chapter, download the 2023-2024 CPR.

Leveraging partnerships and collaborations

An increasing number of SLED institutions are leveraging partnerships and collaborations to enhance cybersecurity capabilities. By sharing threat intelligence, best practices, and resources, public institutions can build a more robust defense against cyber threats. These collaborations typically provide access to expertise and technologies that individual institutions might not be able to afford on their own. These partnerships can take various shapes, from formal agreements with government agencies and industry partners to informal networks of cybersecurity professionals. Collaborations can also extend to participating in national and international cybersecurity initiatives, which can provide additional resources and insights.

What's Working?

Finding, applying, and maintaining good threat intelligence is a complicated task. When threat intelligence is good, its useful shelf life is short because adversaries change tactics quickly to evade detection. For stale threat intelligence sources, it’s important to remove those from inventory to prevent false positives. Despite complexities, there are a few techniques that are gaining traction.

1. The constellation SOC

The Constellation SOC (security operation center) is named after the graphical view of a network map connecting disparate SOCs for the purpose of shared threat intelligence. Each SOC may have its own technology, staff, and mission. However, there’s value in sharing intelligence between SOCs for the collective good of the region. This could be sharing threat intelligence between a community college system and state government or water utility and a research lab. The thinking is simple. Regionally or industry specific, these organizations see events that others should know about and sharing the emerging intelligence only stands to benefit all stakeholders. Some of the most successful sharing consortiums have set up a memorandum of understanding between like-minded entities. This includes leveraging technologies such as Sigma to connect disparate systems for sharing emerging indicators of attack or indicators of compromise.

2. Sharing meta data or better yet, sharing the search

One concern of everyone is oversharing. It’s critical to have some parameters on information sharing to avoid sharing sensitive information. Historically we’ve relied on Stix or Taxii feeds as our vehicle. However, for some organizations and agencies with similar security analytics stacks, sharing the search format allows a little more detail than a regular threat feed. When it comes to search format dissection the results can be of more value to Security Analysts. An analyst can see the log source required, the expected data source extracted, and perhaps the characteristics of the indicator of attack. This allows the analyst to adjust the search format to match local instantiations and indexes of security analytics tooling for relevant and timely identification of emerging intelligence.

3. Leaning on MSSP's and MDR providers

When an MSSP (managed security service provider) or MDR (managed detection and response) company has expertise in one vertical and has multiple clients under management, it can create a scenario where emerging threat intelligence at one organization benefits all other clients. This of course comes with the caveat that one service provider is capable of threat aggregation, so it’s up to each consumer to ask the right or relevant question and conduct a thorough purchase evaluation. The benefit of this approach is that it moves a conversational threat brief to a technical and tactical identification of attack, which is the most valuable form of cyber intelligence.

Download the report

Looking forward to 2024

The SLED CPR is the product of dozens of conversations with NuHarbor Security SLED clients, SLED IT leaders, and cybersecurity experts over the course of 2023. It was designed to represent the impressions and concerns of SLED decision makers, and for the first time deliver broad cybersecurity information tailored specifically to the SLED marketplace.

With the second annual SLED CPR complete, we also want to share our expectations for the future. We’ll revisit these predictions in next year's 2024-2025 CPR and see how close we were. Download the 2023-2024 CPR where we reconcile our predictions from last year's 2022 report. 

Prediction 1: Target on their backs

In the SLED sphere, organizations will face increased cyber attacks from nation-state actors and hacktivists, who will target their critical infrastructure, sensitive data, and public services. These attacks will aim to disrupt operations, extort ransom, or influence political and social agendas. SLED organizations will need to invest in advanced threat intelligence, incident response, and cyber resilience capabilities to counter these threats.

Prediction 2: AI-driven threat hunting becomes standard

With the increasing sophistication of cyber threats, SLED agencies, which often operate with limited resources, will likely turn to AI-driven threat hunting tools. These tools can autonomously sift through mountains of data to identify potential threats before they manifest as actual breaches. By 2024, such proactive measures will become a standard part of the cybersecurity toolkit within the SLED market segment, not just a nice-to-have feature.

Prediction 3: Education sector targeted by Ransomware-as-a-Service (RaaS)

Schools and universities are gold mines of personal information and intellectual property, yet they're traditionally under-protected. We foresee a sharp rise in targeted ransomware attacks, particularly through RaaS models, which enable lower-skilled hackers to lease ransomware from more experienced attackers. This could result in an increase in disruptions to educational institutions, prompting a more aggressive cybersecurity posture.

Prediction 4: Trust nothing, verify everything

SLED organizations will embrace zero trust as a security paradigm, shifting from perimeter-based to identity-based security models. Zero trust will require entities to verify the identity and context of every user, device, and request before granting access to their resources. This will help them reduce the attack surface, prevent unauthorized access, and mitigate insider threats. Zero trust will also involve implementing multi-factor authentication, encryption, micro-segmentation, and continuous monitoring.

Prediction 5: Cybersecurity talent grows in-house

Faced with a perennial talent shortage and high competition for cybersecurity professionals, state and local governments and educational institutions will start cultivating their own cybersecurity workforce. Expect to see more in-house training programs, apprenticeships, and partnerships with local universities and coding bootcamps to grow their cybersecurity capabilities organically.

Prediction 6: Cybersecurity mergers and acquisitions surge

As threats grow more complex, smaller SLED agencies will struggle to keep pace. This may lead to a trend where these agencies will partner with larger, more technologically advanced entities through mergers or acquisitions—a path less tread in the public sector. This would enable smaller agencies to benefit from the cybersecurity infrastructure of larger bodies, ensuring better protection against cyber threats.

Prediction 7: All for one, one for all

SLED organizations will increase their collaboration and information sharing on cybersecurity issues, both within and across sectors. Whole-of-State cybersecurity initiatives will gain momentum, and organizations will form networks and alliances to exchange best practices, threat intelligence, and incident response support. Organizations will also participate in joint initiatives and exercises to improve their preparedness and coordination. This will help them build trust, foster innovation, and enhance collective defense against cyber threats.

Contributing sponsors

Thank you to all of our sponsors. These sponsors didn't approach us; their participation is a result of specific and frequent mention by the SLED leaders who are helping us to understand their challenges. You won't find product recommendations or use cases. Instead, these vendors gave us access to their experts to better inform the CPR with data and trends we might not see otherwise.


Splunk Inc. (NASDAQ: SPLK) turns data into doing with the Data-to-Everything Platform. Splunk technology is designed to investigate, monitor, analyze and act on data at any scale.

Learn more at splunk.com/publicsector.

Zscaler_BrandAssets_LogoLockup (1)

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyber attacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.

Learn more at zscaler.com.


Recorded Future is the world’s largest intelligence company. Recorded Future’s Intelligence Cloud provides complete coverage across adversaries, infrastructure, and targets. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future provides real-time visibility into the vast digital landscape. It empowers countries and organizations to take proactive action to disrupt adversaries and keep their people, systems, and infrastructure safe. Headquartered in Boston with offices and employees around the world, Recorded Future works with more than 1,500 businesses and government organizations across more than 60 countries.

Learn more at recordedfuture.com.


NuHarbor Security is a leading national cybersecurity services firm, supporting the diverse needs of hundreds of clients with clear, comprehensive, and outcome-based solutions. We support only best-of-breed security technologies with thoroughly trained and vetted analysts. We make cybersecurity easier for our clients by integrating the most comprehensive set of security services in the market, from compliance and offensive testing to award-winning 24×7 managed security operations. What’s more, NuHarbor advisors analyze information from multiple sources to deliver the most well-informed strategies for building, improving, and maintaining your cybersecurity program.

NuHarbor makes it easy to secure what matters most to you. Learn more at nuharborsecurity.com.

Explore comprehensive cybersecurity protection today.

  1. Consult with an expert

    Talk to one of our cybersecurity experts so we can better understand your needs and how we can help.

  2. Agree on a plan

    Based on your objectives we’ll create a tailored plan to meet your cybersecurity needs.

  3. Start maximizing your protection

    Experience peace of mind knowing what matters most is secure.

Consult with an expert