Cyber resilience in the public sector: state as target

Threat landscape

Nation-state actors. Espionage, disruption.

Cybercrime. Ransomware, fraud, data theft.

Insiders. Bribery, leaks, sabotage.

Supply chain. Compromised vendors → access to state systems.

Hacktivism. Political protest via digital disruption.

Where the state is vulnerable

Legacy systems with outdated security.

Fragmented architecture — each agency its own controls.

Underinvestment in security relative to critical-infrastructure role.

Skill gap. Top cybersecurity talent in private sector.

Citizen data centralisation — single breach affects millions.

Procurement vulnerabilities — vendor security checks weak.

What is not enough

“Audit annually”. Threats changing weekly.

“Hire a CISO”. Without resources and authority — name only.

“Buy cybersecurity tools”. Tools without operations team are useless.

What works

24/7 security operations centre. Detection, response.

Threat intelligence sharing with private sector, allied governments.

Incident response framework rehearsed. Not only documented.

Vendor security assessment mandatory.

Public-private cyber partnerships.

Citizen breach notification mandatory.

Continuous penetration testing — internal and external.

What to discuss

Cyber budget relative to state IT — should be 8-15%, not 1-3%.

Independent cyber agency vs distributed responsibility.

Cyber regulation — some sectors (healthcare, energy) need a formal mandate.

Citizen data minimisation principle.

International cooperation framework.

Related

• /en/insights/government-trust-public-services/ — trust
• /en/architecture/government-zero-trust/ — zero trust
• /en/insights/government-data-quality-crisis/ — data
• /en/expertise/government-cyber-discipline/ — cyber expertise