Every year, the National Association of State Chief Information Officers (NASCIO) publishes its top 10 list of strategic priorities. To no one’s surprise, cyber security and risk management took the top spot once again in 2024. It’s been No. 1 for over a decade, as unrelenting cyber attacks continue to impact state and local agencies.
Yet in what NASCIO called a “historic first,” digital government services tied cyber security for No. 1 this year. Digital government services — or “e-government” services — are services made available to the public and business community by using information and communication technology.
NASCIO Executive Director Doug Robinson commented on the tie this way: “Cyber security and digital government are two critical issues for state CIOs and will be for some time.”
Few would argue with that, but remember: It’s a prioritized list. Shouldn’t there only be one No. 1?
With practically everything available online, people want top-notch digital services from the government too. It shouldn’t matter that different agencies handle different things. They shouldn't have to sift through long lists of agencies, find the right website, and create another account to interact with the government. No one should suffer a “time tax” associated with complex searches, confusing processes, time-consuming applications, and long response times. But this is today’s reality for government services for much of the country.
State and local governments are keenly aware. The general public may not realize it, but government leaders care deeply about service delivery — and they’re taking action.
For example, states are investing in public-facing web portals that enable seamless, cross-agency access to every service they offer. When modernizing applications, they apply the latest human-centered design principles to put people first. They combine single sign-on with passwordless multi-factor authentication so users have only a single credential (without a password!) to manage. And they’re innovating with AI-powered digital assistants to bring the future of government services to life.
Without a doubt, great digital experiences help build trust in the government. The intense focus explains why digital services have risen through the ranks of the NASCIO Top 10 list all the way to No. 1. However, poor security and privacy practices can undermine everything, so that’s also No. 1. Hence the tie.
Now let’s return to our question: Was that really a surprise? Of course not. From the public’s perspective, great digital services and strong security aren’t separate priorities. They’re one and the same.
Perhaps the biggest surprise in NASCIO’s list was this: Priorities like “availability,” “reliability,” and “resilience” were nowhere to be found. Few things erode trust more than services that just don’t work.
Of course, availability is a core tenet of security alongside confidentiality and integrity, so you could say it’s implied. However, in recent years, the term “resilience” has appeared more explicitly as the foundation of trustworthy systems. Resilience might sound like a fancier word for availability, but there’s more to it than that. Resilience shines a bright light on the key issue: building trust. NASCIO should consider stating it explicitly, just like they do with governance, user experience, accessibility, and third-party risk.
To help organizations enhance resilience, the National Institute of Standards and Technology (NIST) issued two 800-160 Special Publications on trustworthy systems (vol 1) and cyber resilient systems (vol 2). A key quote stands out: “Trustworthiness is the demonstrated ability and, therefore, the worthiness of an entity to be trusted to satisfy expectations, including satisfying expectations in the face of adversity.” In other words, you earn trust when you deliver consistently, even when times are tough.
And times can get tough quickly when systems slow down or stop responding. The cause might be a cyber issue like ransomware or a denial-of-service attack, but it might also be an operational issue like an unexpected traffic spike or human error that turns into a full-blown crisis. Few will forget how the pandemic shut down businesses all around the country, and millions of people flooded states’ unemployment application systems — crashing websites and causing long delays for vital benefits. That sort of failure in the face of adversity helped undermine trust in the government at a critical time.
The good news is that there’s a simple playbook to build trust and resilience into your digital services — without diving into 500 pages of NIST publications. Or waiting for next year’s top 10 list.
OK, we do recommend diving into the NIST 800-160 series, but here are the top five priorities to build resilience immediately into your cyber security and digital services programs:
DDoS mitigation
Attackers use distributed denial-of-service (DDoS) attacks to disrupt services, or sometimes simply to divert attention away from another attack. DDoS attacks overwhelm systems with traffic originating from many sources, making them difficult to stop — even for upstream Internet service providers. But it doesn’t have to be this way. Today, you can connect your digital services to a modern, global connectivity cloud that has the visibility and expertise necessary to identify and stop DDoS attacks.
Secure DNS
Like other core Internet services, the domain name system (DNS) was not designed with security in mind. Attackers can therefore exploit its weaknesses and degrade service quality, redirect users to malicious sites, or intercept email. DNS enhancements like the domain name system security extensions (DNSSEC) protocol evolved to authenticate DNS requests but still did not defend against DDoS attacks. Therefore, a top priority should be adopting a secure DNS solution that combines high-performance DNS services with DNSSEC and DDoS protection to ensure your services are always available and protected from DNS-based attacks.
Web application protection
Web platforms are constantly being attacked with ever-emerging threat vectors and tactics. Whether threats are well known and defined by the Open Worldwide Application Security Project (OWASP) or emerging new zero-day threat vectors, a modern web application firewall (WAF) needs to be able to address both at scale. Exposed credential checks, API-centric controls and sensitive data detection within responses are also critical table stakes for a holistic approach to protecting web applications. These controls must constantly be updated with the ever-changing landscape. Therefore, consider a WAF provider that leverages machine learning trained by an extensive global sensor network to identify and respond to these emerging threats.
Application acceleration services
Driving user experience within digital services centers not only on the application architecture and human-centered design principles but also on the availability and acceleration of the content to the end user. Advanced caching and content management capabilities that are intrinsically wrapped in the security controls mentioned above are critical components to driving performance, resiliency, and ultimately trust in those systems. To effectively achieve these goals, providers must have a distributed footprint where acceleration and security are tightly coupled together.
Network acceleration services
Providers that operate the network backbone interconnecting their service nodes or policy enforcement points (PEPs) bring another aspect to resiliency. For example, when bottlenecks arise, traffic can be rerouted around congested areas to alternate nodes. This ability to see the end-to-end path and control how requests and responses are routed in response to real-time conditions significantly drives resilience and performance. Consider a cloud security provider that operates not only a global distribution of PEPs for security and acceleration services but also the network infrastructure interconnecting those PEPs.
NASCIO’s tie for top CIO priority might have been a historic first, but it was certainly no surprise. To serve and build trust with the public, agencies need both strong cyber security and simple digital experiences. But trust also depends on resilience that ensures critical services are always available in the face of adversity. The top five priorities we discussed will go a long way toward delivering trustworthy, reliable digital services.
And if it wasn’t already obvious, here’s a top recommendation for state CIOs as you consider top priorities for 2025: Talk specifically about “resilience” within the digital government priority. It’s critical to do, yet easier than you think.
Cloudflare offers a suite of services designed specifically for US government and public sector organizations. These services enable organizations to build fast, reliable, and scalable services while enhancing security across all endpoints, users, and clouds. Services are delivered from a global, highly resilient cloud network with built-in security and performance. With Cloudflare, organizations can address both of the NASCIO priorities without adding complexity.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
This article was originally produced for GovTech.
Learn more about how to achieve Zero Trust security requirements for the federal government in the “A roadmap to Zero Trust architecture” guide.
Scottie Ray — @H20nly
Principal Solutions Architect, Cloudflare
Steve Caimi — @stevecaimi
Principal Product Manager, Cloudflare
After reading this article you will be able to understand:
How governments are working to enhance digital services
Why resilience is essential for building trust
Five priorities to build resilience in cyber security and digital services