How Changes in State CIO Priorities for 2024 Apply to API Security

In a previous column, I discussed how the 2023 edition of the National Association of State Chief Information Officers (NASCIO) top 10 priorities underscored the importance of securing applications and APIs in complex environments. Now NASCIO has published its “State CIO Top Ten Policy and Technology Priorities for 2024,” and while some things held over, there are some noteworthy changes.

  • Identity and Access Management and Cloud Services have moved down in priority from numbers five and six to numbers eight and nine respectively (though perhaps not for the reasons you might think)

  • Cybersecurity and Risk Management remains the top priority, but Digital Government/Digital Services has moved up into a tie for first

  • Artificial Intelligence (AI), which didn’t even make the top 10 last year, is now the number three priority

  • Legacy Modernization has remained the fourth priority

Let’s roll up our sleeves and dig into these changes a bit. I’m going to look at them with an eye toward API security in particular.

Identity and Access Management & Cloud Services Fall — but Why?

Identity and Access Management (IAM) and Cloud Services have moved down three rungs in priority from numbers five and six in 2023 to numbers eight and nine respectively in 2024. This may not be because the technologies are suddenly less important, though — they might simply have integrated more deeply into today’s environment.

To me, it seems that they form a vital part of the two priorities tied for first — Cybersecurity and Risk Management and Digital Government/Digital Services — as well as Legacy Modernization.

In other words, state and local governments may have already done significant work on IAM and cloud services, which they build on to meet higher priorities on this list. If that is the case, the change in priority this year very much makes sense.

Cybersecurity & Risk Management Joined at the Top by Digital Government/Digital Services

Infrastructure has become significantly more complex and distributed over time. Many enterprises are adding more cloud environments, which bring with them additional complexity.

At the same time, increasingly digital-savvy constituents have come to expect more from the state and local governments that serve them. Unfortunately, the force that drives governments to deliver cutting-edge digital functionality is the same force that may introduce additional risk — the need for speed.

Digital Government/Digital Services creates a need for a distributed cloud capability to simplify complexity and to manage and secure digital assets. In this environment of increased complexity and demand, attacks against applications have continued to increase, including attacks against APIs. Attackers have gotten wise to the fact that pressure to innovate and to better serve constituents has created an API-driven world. Not surprisingly, attackers are looking to capitalize on this.

Addressing constituent expectations with the expected alacrity means that, in some cases, applications and APIs may not be properly developed, managed, inventoried, and secured. While there are multiple ways to address this risk, the ability to create and enforce security policy uniformly across development, deployment, and operation is one of the main methods. So is the ability to discover and secure APIs.

Artificial Intelligence Makes a Strong Debut

If you haven’t heard tons of buzz around artificial intelligence (AI) lately, you might be living under a rock. In all seriousness, despite the hype, AI has some real applications — and consequences — for state and local governments.

On the attacker side, AI makes the threat landscape quite a bit broader by introducing new and novel ways in which cyber criminals can increase both the sophistication of their attacks and the speed at which they develop their attacks. On the defensive side, AI provides opportunities to improve and augment detection and mitigation capabilities.

One thing is certain, though: AI is a technology that needs to be applied to specific problems in order to be used successfully. This requires that state and local governments have an AI strategy that helps them explore how best to defend themselves against AI-based or AI-augmented attacks, as well as how to leverage AI internally to solve specific security problems or to better mitigate risk.

Legacy Modernization Remains a Concern

State and local governments continue to strategically migrate applications and APIs to the optimal environments. What the optimal environment is may vary, of course. Sometimes, the migration may be from on-premises to public cloud. In other cases, it may be from on-premises to private cloud/data center. In some cases, the migration may even be back to on-premises from the public cloud.

Regardless of which applications and APIs are heading to what environments, legacy modernization is well underway. The mix of environments that results will need to be properly managed and secured, no matter its complexity. Given this, it makes sense that Legacy Modernization remains a top priority this year.

Why Applications and APIs Are Central

Topics of interest and priorities shift from year to year in many sectors, and state and local government is no exception. One thing that remains constant, though, is that the top priorities need to cover the security of applications and APIs.

Governments must be prepared to deal with the complexity, as well as the management and security responsibilities, that come with the modern infrastructures required to support those applications and APIs. The NASCIO top 10 certainly captures that.
