Local governments have made real progress on cybersecurity. Cities run scans, monitor alerts and often partner with Managed Security Service Providers, or MSSPs. From the outside, it looks like cybersecurity is being handled.
The Real Gap: Explaining Decisions, Not Activity
When leaders are asked to explain their cyber posture to city councils, regulators, insurers, auditors or the public, many discover a gap:
- They can describe activity.
- They struggle to explain decisions.
That gap is not technical. It is a governance challenge.
Operational dashboards can show how many alerts were closed. Security teams can report patch cycles and scan results. MSSPs can demonstrate around-the-clock monitoring and response metrics. Yet when a mayor or city manager is asked, “Why did we prioritize this risk over that one?” or “Who owns this exposure?” the answer is often less clear.
Activity is not the same as accountability. Today, accountability is what leadership is being measured on.
What Leadership Is Now Expected to Answer
Operational cybersecurity answers questions like what happened or which system was affected. Leadership is increasingly expected to answer a different set of questions:
- What risks are we accepting?
- Which risks matter most to city services?
- Who owns those risks?
- Can we defend these choices publicly and transparently?
These are governance questions, not technical ones.
They require connecting cyber risk to essential services such as public safety, utilities, finance, permitting and emergency response. They require clarity around risk tolerance and tradeoffs. They require documented ownership that goes beyond ticket queues and into executive accountability.
Many cities are strong at operating cybersecurity. Far fewer have a shared and consistent model for governing cyber risk.
A Practical Model: Govern, Manage, Operate
One approach municipal leaders are using to close this gap is to separate cybersecurity into three distinct responsibilities:
- Govern focuses on leadership understanding, direction and accountability.
- Manage centers on prioritization, ownership and follow-through.
- Operate includes tools, people and day-to-day security work.
This model matters because it mirrors how real accountability works.
This model works because it creates clarity where most cities feel friction. It separates the questions leaders must answer from the work security teams must execute, and it connects both to a shared, defensible understanding of risk.
Govern is where accountability is established. This is where leaders define what risk the city will accept, what it will fund and what it will fix first. Most importantly, it is where a city gains the ability to explain and defend those choices to councils, insurers, auditors and the public with confidence and transparency.
Manage is where operational activity becomes coordinated action. Strategy takes shape here. Priorities get set based on what matters most to city services, not just what looks severe on a technical report. Ownership becomes explicit. Resources stop being scattered. Work becomes planned, tracked and followed through instead of reactive.
Operate is where cybersecurity execution happens. This is where teams and MSSPs do the daily work: monitoring alerts, running scans, managing platforms and responding to incidents as they unfold. It is critical and answers the urgent questions quickly. What happened? What was affected? Is it contained?
When Govern, Manage and Operate are clearly defined and working together, cybersecurity shifts from reactive activity to strategic leadership.
Why This Matters Now
Cyber incidents rarely stay within IT. They trigger scrutiny by the city council, insurance questions, audits and public concern. Media coverage focuses less on which tool was deployed and more on whether leaders were prepared.
Insurers increasingly ask how risk decisions are made, not just what tools exist. State and federal partners expect demonstrable governance instead of informal oversight. Public trust depends on transparency.
Municipalities are now evaluated not only on whether tools were in place, but on whether leaders made informed and defensible decisions.
Cyber risk has become a leadership accountability issue, whether cities choose it or not.
The Municipal Cyber Readiness Initiative
The shift from cyber activity to leadership accountability is exactly why the National League of Cities, in partnership with CyberAlliance, launched the Municipal Cyber Readiness Initiative. It is designed to help cities and towns better understand, govern and manage cyber risk in a way that is practical, defensible and aligned with real-world municipal constraints.
This effort is not about adding complexity or replacing existing tools. It is about building clarity. Cities need a shared model that helps them translate technical signals into leadership-ready insight, align operational work to approved risk priorities, establish clear ownership and accountability and strengthen defensibility with insurers and auditors.
You’re Invited: Sally AI Masterclass
This masterclass, hosted on April 8 from 2-3 PM ET, will show how Sally AI helps government agencies and critical infrastructure operators connect findings across the defense in depth stack, prioritize remediation and communicate progress with confidence.