Editor's note: This article was originally published in American City & County, which has merged with Smart Cities Dive to bring you expanded coverage of city innovation and local government.
The United States faces a cybersecurity crisis. The cost of cybercrime is predicted to hit approximately $10.5 trillion in 2025, according to research by Cybersecurity Ventures. Cybercriminals are already able to penetrate 93% of company networks, according to a Global Information Assurance Certification cyber workforce report last year. The new breed of attacker is armed with tools that increase their speed and effectiveness exponentially.
These threats are hard enough for corporations or other well-funded organizations to defend against, but for state and local governments, the challenge may seem insurmountable. Last year, the Center for Internet Security reported that malware attacks against state and local governments increased 148% and endpoint incidents jumped 313% from the first eight months of 2022 to the same period in 2023.
Thankfully, the situation is more manageable than it seems. In fact, by building a strong culture and commitment to cybersecurity through training and engaging a robust talent pipeline, state and local governments can create a foundation for the future now.
Effective training attracts and retains talent
It’s important to understand that impactful cyber training is more than just a single book, short online video or test. Workforce development isn’t just a one-and-done event. Because of the constantly evolving cyber landscape, immersive, hands-on training can be a great retention tool that drives high-quality workforce development. That means more than just doing annual awareness training and, instead, providing IT and security teams with myriad skills in cyber defense, digital forensics, cloud security, penetration testing, AI security, open-source intelligence, leadership, industrial control systems (ICS) and more.
This range of training can be incorporated into a local government’s broader workforce strategy. A good way to do this is to have staff rotate into new jobs or skill areas after two- or three-year cycles. Someone serving on the security operations team could take training in another area like digital forensics and move into that role to gain more experience.
It can be hard to know what training will be most effective for an agency or government’s mission, but there are a few indicators that show a program is serious about the training it provides.
You can ask if the courses map to both private sector and government training and industry certification frameworks. That includes the NICE framework laid out by the National Institute of Standards and Technology (NIST) as well as the ANAB accreditation done through the American National Standards Institute (ANSI).
Beyond that, make sure there’s a lot of hands-on instruction in the training that is provided by a subject matter expert and current practitioner, not just a career teacher. The industry is changing so quickly that it’s important for training instructors to be on the ground, practicing what they “preach,” to ensure they provide students with real-world skills and can update their courses to meet evolving industry developments.
Last, go out and ask organizations that have done cyber training who they chose and what they thought about it — particularly if they felt the training and certifications enabled employees to better perform their jobs, in both the short and long term. It’s a simple step but it can reveal a lot.
Building a strong public sector cyber workforce
Training can also be seen as an opportunity to expand the cyber workforce.
Anyone who is good at critical thinking, solving puzzles or information parsing can make a good cyber analyst. Cybersecurity isn’t just for traditional IT professionals. Finding candidates with the right analytical skills can be just as important as finding those with past technical expertise.
Some of the best cybersecurity professionals come from non-traditional backgrounds such as musicians, linguists, translators, engineers, accountants and math teachers. Engaging high-potential career changers and providing them technical skills training and industry certification can be a real differentiator when it comes to finding and retaining talent, especially since the private sector often pays more and provides greater benefits.
State and local governments can also partner with programs like the Southeastern Cyber Workforce Alliance (SECWA), which SANS Institute created through a federal grant to help address the cyber workforce shortage by providing no-cost cybersecurity training to high-potential, under-resourced students and career changers.
There are a variety of similar programs across the nation, such as the Cyber Workforce Academy - Maryland. These are each a win-win for state and local agencies because they’ll be able to hire talented aspiring cyber pros who are hungry to make a difference — and they’ll come ready with immersive cybersecurity training and SANS GIAC certification.
Training will be fundamental not just to filling critical government positions, but also to creating a mindset across the organization that cybersecurity is important, and that it will be addressed regardless of budget constraints, technology challenges or any other obstacle.
None of the recommendations outlined represent big budget outlays, but they are key to making sure state and local organizations are prepared for whatever comes next, and that they are fostering the talent they have now while preparing the next generation of public sector cyber defenders.
About the Author
Max Shuftan is the director of mission programs & partnerships at SANS Institute. In this role, he manages strategic partnerships for SANS and oversees organizations focused on growing the global cybersecurity talent pipeline and fostering a stronger cyber workforce through partnerships that expand reskilling and upskilling efforts. He managed the first pilot program of the U.S. Government’s Federal Cyber Reskilling Academy (FCRA).