By Indiana Office of Technology Outreach Team

When you travel the state of Indiana for a little over a year talking about cybersecurity with local governments, it is difficult to encapsulate the experience in short order.

The range of perspectives, the complexities of the challenges, and the dedication of the people you meet offer subjects that could be discussed at length.  More narrowly focused topics, such as ransomware and business email compromise (BEC) threats, as well as access to IT and cybersecurity expertise, together with the significant penetration of cybersecurity insurance, cultural inhibitors to governance and ownership, and many others would illustrate the varied strategies that have evolved to protect local government data and services.  It was an educational and rewarding experience.

Before diving headlong into our experience, we must say that Indiana is a beautiful state and Hoosiers are the most welcoming individuals.  Visiting with state and local government representatives from 92 counties required some serious time and mileage; thankfully, the scenery and hospitality made the long drives enjoyable.

Local government officials are aware of the threats they face and seem to take the challenge seriously. We found a collective theme of constraints: funding, tools, expertise, and, at times, executive cohesiveness. Still, the capabilities in place with most local government operations are beyond what many assume, and they are checking many of the important boxes.  At the same time, in a day and age when even the best run organizations are breached, much work remains to be done at the local level.

We pursued our listening tour with three primary objectives.  First, we wanted to better understand the cybersecurity environment statewide.  Second, we needed to build and strengthen relationships and lay the foundation for an integrated cybersecurity community. Third, we sought to gather information that would help us craft a “whole of state” cybersecurity plan.

We found the environments to be as diverse as expected, consistent with some general assumptions, and different with each organization.  We put a good foot forward toward building the trust imperative for an integrated cybersecurity community.  We followed up on every question, and, more importantly, we responded with action to the needs expressed.  Through the year, the Indiana Office of Technology (IOT) added to the portfolio of services the state could offer to offset locals’ costs and constraints (e.g. – secure email, cybersecurity training).

Finally, we’ve incorporated what we learned into our draft of the State’s whole of state cybersecurity plan for the federal State and Local Cybersecurity Grant Program (SLCGP). Getting each local government to where they want and need to be, will be a long process, in which we hope the SLCGP funds can assist.  Our traveling efforts were a solid step to that end. Success is difficult to measure for this particular effort; however, openness to our message by the local governments, executive support for the necessary resources, and empathetic team members eager to help resulted in the request of a 2023 Listening Tour. We expect this coming year to be even more productive in terms of advancing the cybersecurity capabilities of local governments, and we look forward to enhancing our relationships with local officials and their IT teams – the real protectors of Hoosiers’ data.