From patchwork to unified security: Rethinking state cyber strategies

As state governments accelerate digital modernization, many remain burdened by siloed security systems that make it challenging to share sensitive information securely across agencies. Christian Eng, Senior Director for State and Local Government at Virtru, says the answer lies in adopting a “whole-of-state” approach that unifies security and protects citizen data wherever it resides.

“At its core, whole of state is really a state’s united front to protect citizen data,” explains Eng in a new video produced by Scoop News Group for Virtru. “Now, while that sounds simple upfront, when you start breaking down the layers, it gets really complex, because when you think about the average state, they have 50 agencies on average that they have to manage, and that’s just in the executive branch.” That complexity quickly multiplies when local governments, schools and tribal nations are added.

He noted that today’s fragmented reality often leaves IT leaders trying to manage “a hodgepodge of different file stores.” For example, Eng said some agencies run Microsoft 365, others rely on Google Workspace and another handful use on-premises infrastructure. That creates significant challenges for security teams tasked with monitoring and protecting data statewide.

Arizona has emerged as a leader in moving toward whole-of-state security. The state adopted a policy allowing every agency and employee to use any cyber tool purchased at the state level. Arizona also launched a $10 million Statewide Cyber Readiness Program to provide free basic security services to underfunded local and tribal government organizations. “This is huge for them,” Eng says, explaining how it creates a unified approach that helps the state proactively address sophisticated attacks.

Balancing security, cost and compliance is another significant hurdle. Eng emphasized that the “squeaky wheel gets the grease,” and funding for cybersecurity is often at the mercy of a state’s legislative body. Without a high-profile news story about a cyberattack, funding is often deprioritized in favor of more tangible projects. However, federal grants and new compliance requirements like CJIS or IRS Publication 1075 can often push states to fund new cyber tools. The rise of GovRAMP certification, which pre-vets vendors to ensure they are “state-ready,” is also helping to streamline the procurement cycle and give states confidence in their security posture.

States like Utah and Virginia are leading the way in protecting data after it leaves the network. In the wake of the MOVEit breach, Utah sought a solution to prevent vendor access to its files. With Virtru’s approach, which Eng likened to “an armored vehicle around that object,” the vendor cannot access the data, removing a key vulnerability. Virginia has taken a proactive approach by using Microsoft Purview’s Sensitivity Labels to trigger data protection automatically. This allows the state to begin protecting data immediately, even while they are still building their long-term data classification strategy. Eng sees this as a best practice, noting that “many of the states we’ve spoken with make the mistake wanting to figure out phase one first — the data, cataloging, the tagging, the sensitivity labels — which might take five to ten years.”

The whole-of-state approach represents a critical shift from building walls around systems to protecting the data, ensuring a more resilient and secure digital government for all citizens.

Learn more about how Virtru helps to protect and control state and local government data.

This video was produced by Scoop News Group, for FedScoop and StateScoop, and underwritten by Virtru.