Sponsor Content

No. 1 and No. 1? Top Priorities for Better Security and Resilient Digital Services


In what NASCIO called a historic first, digital government services tied cybersecurity for No. 1 this year.

The tie was a surprise. Or was it?

Every year, the National Association of State Chief Information Officers (NASCIO) publishes its top 10 list of strategic priorities. To no one’s surprise, cybersecurity and risk management took the top spot once again in 2024. It’s been No. 1 for over a decade, as unrelenting cyber attacks continue to impact state and local agencies.

Yet in what NASCIO called a “historic first,” digital government services tied cybersecurity for No. 1 this year. NASCIO Executive Director Doug Robinson put it this way: “Cybersecurity and digital government are two critical issues for state CIOs and will be for some time.”

Few would argue with that, but remember: It’s a prioritized list. Shouldn’t there only be one No. 1?

GREAT DIGITAL SERVICES BUILD TRUST

Before we get to that, let’s talk about the current state of digital government services.

With practically everything available online, people want top-notch digital services from the government too. It shouldn’t matter that different agencies handle different things. They shouldn't have to sift through long lists of agencies, find the right website and create another account to interact with the government. No one should suffer a “time tax” associated with complex searches, confusing processes, time-consuming applications and long response times. But this is today’s reality for government services for much of the country.

State and local governments are keenly aware. The general public may not realize it, but government leaders care deeply about service delivery – and they’re taking action.

For example, states are investing in public-facing web portals that enable seamless, cross-agency access to every service they offer. When modernizing applications, they apply the latest human-centered design principles to put people first. They combine single sign-on with passwordless multifactor authentication so users have only a single credential (without a password!) to manage. And they’re innovating with AI-powered digital assistants to bring the future of government services to life.

Without a doubt, great digital experiences help build trust in the government. And the intense focus explains why digital services have risen through the ranks of the NASCIO Top 10 list all the way to No. 1. But poor security and privacy practices can undermine everything, so that’s also No. 1. Hence the tie.

Now let’s return to our question: Was that really a surprise? Of course not. From the public’s perspective, great digital services and strong security aren’t separate priorities. They’re one and the same.

RESILIENCE BUILDS TRUST TOO

Perhaps the biggest surprise in NASCIO’s list was this: Priorities like “availability,” “reliability” and “resilience” were nowhere to be found. Few things erode trust more than services that just don’t work.

Of course, availability is a core tenet of security alongside confidentiality and integrity, so you could say it’s implied. But in recent years, the term “resilience” appears more explicitly as the foundation of trustworthy systems. Resilience might sound like a fancier word for availability, but there’s more to it than that. Resilience shines a bright light on the key issue: building trust. And NASCIO should consider stating it explicitly, just like they do with governance, user experience, accessibility and third-party risk.

To help organizations enhance resilience, the National Institute of Standards and Technology (NIST) issued two 800-160 Special Publications on trustworthy systems (vol 1) and cyber resilient systems (vol 2). A key quote stands out: “Trustworthiness is the demonstrated ability and, therefore, the worthiness of an entity to be trusted to satisfy expectations, including satisfying expectations in the face of adversity.” In other words, you earn trust when you deliver consistently, even when times are tough.

And times can get tough quickly when systems slow down or stop responding. The cause might be a cyber issue like ransomware or a denial-of-service attack, but it might also be an operational issue like an unexpected traffic spike or human error that turns into a full-blown crisis. Few will forget how the pandemic shut down businesses all around the country, and millions of people flooded states’ unemployment application systems – crashing websites and causing long delays for vital benefits. That sort of failure in the face of adversity helped undermine trust in the government at a critical time.

The good news is that there’s a simple playbook to build trust and resilience into your digital services – without diving into 500 pages of NIST publications. Or waiting for next year’s top 10 list.

TOP 5 PRIORITIES FOR STATE AND LOCAL GOVERNMENTS

OK, we do recommend diving into the NIST 800-160 series, but here are the top 5 priorities to build resilience immediately into your cybersecurity and digital services programs:

1. DDoS mitigation


Attackers use distributed denial-of-service (DDoS) attacks to disrupt services, or sometimes simply to divert attention away from another attack. DDoS attacks overwhelm systems with traffic originating from many sources, making them difficult to stop – even for upstream Internet service providers. But it doesn’t have to be this way. Today, you can connect your digital services to a modern, global connectivity cloud that has the visibility and expertise necessary to identify and stop DDoS attacks.

2. Secure DNS


Like other core Internet services, the domain name system (DNS) was not designed with security in mind. Attackers can therefore exploit its weaknesses and degrade service quality, redirect users to malicious sites, or intercept email. DNS enhancements like the domain name system security extensions (DNSSEC) protocol evolved to authenticate DNS requests, but still did not defend against DDoS attacks. Therefore, a top priority should be adopting a secure DNS solution that combines high-performance DNS services with DNSSEC and DDoS protection to ensure your services are always available and protected from DNS-based attacks.

3. Web application protection


Web platforms are constantly being attacked with ever-emerging threat vectors and tactics. Whether the threats are well known and defined by the Open Worldwide Application Security Project (OWASP) or are emerging zero-day threat vectors, a modern web application firewall (WAF) needs to be able to address both at scale. Exposed credential checks, API-centric controls and sensitive data detection within responses are also critical table stakes for a holistic approach to protecting web applications. These controls must constantly be updated to keep pace with the ever-changing landscape. Therefore, consider a WAF provider that leverages machine learning trained by an extensive global sensor network to identify and respond to these emerging threats.

4. Application acceleration services


Driving user experience within digital services centers not only on the application architecture and human-centered design principles, but also on the availability and acceleration of the content to the end user. Advanced caching and content management capabilities that are intrinsically wrapped in the security controls mentioned above are critical components to driving performance, resiliency, and ultimately trust in those systems. In order to effectively achieve these goals, providers must have a distributed footprint where acceleration and security are tightly coupled together.

5. Network acceleration services


Providers that operate the network backbone interconnecting their service nodes or policy enforcement points (PEP) bring another aspect to resiliency. For example, when bottlenecks arise, traffic can be rerouted around congested areas to alternate nodes. This ability to see the end-to-end path and exercise control of how requests and responses are routed in response to real-time conditions significantly drives resilience and performance. Consider a cloud security provider that operates not only a global distribution of PEPs for security and acceleration services but also the network infrastructure interconnecting those PEPs.

MAKE SERVICE RESILIENCE AN EXPLICIT GOAL

NASCIO’s tie for top CIO priority might have been a historic first, but it was certainly no surprise. To serve and build trust with the American public, agencies need both strong cybersecurity and simple digital experiences. But trust also depends on resilience that ensures critical services are always available in the face of adversity. The top 5 priorities we discussed will go a long way toward delivering trustworthy, reliable digital services.

And if it wasn’t already obvious, here’s a top recommendation for state CIOs as you consider top priorities for 2025: Talk specifically about “resilience” within the digital government priority. It’s critical to do, yet easier than you think.

ABOUT THE AUTHORS

Scottie Ray is principal solutions architect on the public-sector team at Cloudflare.

Steve Caimi is principal product marketing manager at Cloudflare.
