Key Takeaways:
- State and local governments facing cyber budget constraints can improve resilience by prioritizing must-not-fail services and aligning cybersecurity spending to measurable risk reduction.
- A practical framework combining service continuity, risk-based scoring, and high-leverage controls helps translate cybersecurity decisions into defensible financial governance.
- Modernization becomes more effective under constraint when organizations focus on identity, recovery, legacy reduction, and clear governance metrics tied to operational impact and business value.
—
For state and local government leaders, cybersecurity budget cuts and rising threat complexity are changing the modernization conversation. The question is no longer “What tools do we want?” It has shifted to “What risks can we reduce measurably with the dollars we have?”
For CFOs, budget officers, and IT directors, this moment requires a shift from broad wish lists to decision-making that is defensible, repeatable, and aligned to financial stewardship — all while keeping constituents at the forefront.
This article outlines a seven-step, finance-ready framework to help leaders protect must-not-fail services, reduce measurable risk, and modernize cybersecurity in an era of tightening budgets.
Why This Moment Is Different
Budget constraints are not new. What is changing is the combination of shifts leaders are asked to manage simultaneously (as reported in the 2026 NASCIO-Deloitte Cybersecurity Study):
- Confidence in the ability to protect systems has fallen materially as threats evolve faster than defenses.
- Under-protection across local governments and public higher education is driving greater interest in whole-of-state protection models.
- GenAI is expanding the cybersecurity scope for many organizations, often without corresponding increases in resources.
- Cybersecurity budgets are tightening at a time when disruption costs and public expectations continue to rise.
Under these conditions, distributing cybersecurity dollars evenly across all systems tends to produce modest gains and can leave high-impact weaknesses unaddressed. A more effective approach is to protect what must not fail, reduce avoidable exposure created by legacy platforms, and invest in resilience and recovery.
7 Steps to Modernize Cybersecurity With Limited Resources
A constrained budget does not eliminate the need to modernize. It changes how decisions are made. The following steps provide a practical framework to help you focus spending:
Step 1: Start With Service Continuity, Not Technology
Modernization decisions land better with finance leadership when they are tied to the continuity of essential services, not a list of tools.
Start by identifying your “must-not-fail” services such as:
- Emergency communications and public safety operations
- Water and wastewater operations and systems supporting operational technology
- Payroll, finance, treasury, and revenue collection
- Permitting, licensing, and citizen-facing services
- Core identity, email, collaboration, and directory services
Then map the minimum dependencies for each service:
- Identity and access pathways, including privileged access
- Network connectivity and remote administration methods
- Backup and restoration capability, including immutability or offline options
- Third-party providers, managed services, and critical software vendors
- Logging and monitoring for key systems and administrative actions
This keeps modernization from becoming a “technology selection” exercise and anchors prioritization to disruption risk and financial impact.
Step 2: Convert Cybersecurity Into “Risk Math” That Fits Your Budget Process
When budgets are constrained, your organization needs a consistent method to rank modernization options. The objective is to create repeatable decision-making that can be explained to executive leadership, governing bodies, auditors, and the public.
For many organizations, cybersecurity risk feels abstract and overwhelming. So the simplest place to begin is by asking four questions: What matters most? What could go wrong? How likely is it? How severe would the impact be?
This straightforward approach mirrors the foundational principles of mature frameworks like Factor Analysis of Information Risk (FAIR), allowing organizations to build shared understanding today while creating a natural bridge to more advanced, quantitative risk models in the future.
These questions also translate into a practical risk framework you can use to compare and prioritize cybersecurity investments consistently across systems and departments:
Impact: What Happens If This Fails?
Express impact in terms finance leaders routinely manage:
- Service downtime and the duration of disruption
- Direct costs (incident response, emergency procurement, overtime, legal support)
- Revenue interruption (billing, collections, licensing, fines, grants)
- Public safety and critical service implications
- Audit, regulatory, and reporting implications
Likelihood: How Exposed Is the Environment?
Estimate exposure using observable conditions:
- Internet-facing assets and remote access paths
- Patch lag and vulnerability backlog
- Unsupported platforms and end-of-life systems
- Weak identity controls and privileged access sprawl
- Vendor access and third-party connectivity
Control Gap: How Far Are You From a Defensible Baseline?
Assess maturity against a minimum baseline you can execute:
- Multi-factor authentication for high-risk access and privileged users
- Asset visibility and vulnerability management routines
- Backup protection and restoration testing for critical services
- Segmentation or containment for high-value environments
- Logging focused on identity, privileged actions, and critical systems
- Documented incident response roles and tabletop exercises
Cost-to-Reduce-Risk: How Much Does This Improve Outcomes Per Dollar?
Require each investment request to answer:
- Which must-not-fail services does this protect?
- Does it reduce likelihood, impact, or both?
- What measurable indicator improves (coverage, compliance, recoverability, containment)?
- What is the 12–24 month operating cost, not just the initial purchase?
Prioritize proposals based on measurable risk reduction per dollar and align cyber funding decisions to normal financial governance.
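The risk math above, carried through as a small scoring model (an added example, not part of the article or MGO's own method): each proposal is rated on impact and likelihood before and after the control, costed over 24 months, ranked by risk reduction per dollar, and funded greedily within a budget. The 1-5 scales, the proposals, and the dollar figures are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed 1-5 scales for the article's four questions (an assumption
# of this example, not a scale the article prescribes).
@dataclass
class Proposal:
    name: str
    services: tuple            # must-not-fail services the investment protects
    impact: int                # severity if the service fails today (1-5)
    likelihood: int            # current exposure (1-5)
    impact_after: int          # expected severity once the control is in place
    likelihood_after: int      # expected exposure once the control is in place
    cost_24mo: float           # purchase plus 24 months of operating cost

def risk_score(impact: int, likelihood: int) -> int:
    """Impact x likelihood, the simplest consistent risk expression."""
    return impact * likelihood

def risk_reduction(p: Proposal) -> int:
    """Risk removed by the proposal (it may lower likelihood, impact, or both)."""
    return risk_score(p.impact, p.likelihood) - risk_score(p.impact_after, p.likelihood_after)

def reduction_per_dollar(p: Proposal) -> float:
    """Measurable risk reduction per dollar of 24-month cost."""
    return risk_reduction(p) / p.cost_24mo

def rank_proposals(proposals):
    """Highest risk reduction per dollar first."""
    return sorted(proposals, key=reduction_per_dollar, reverse=True)

def fund_within_budget(proposals, budget: float):
    """Greedy allocation in rank order; returns funded proposals and leftover budget."""
    funded, remaining = [], budget
    for p in rank_proposals(proposals):
        if p.cost_24mo <= remaining:
            funded.append(p)
            remaining -= p.cost_24mo
    return funded, remaining

# Constructed sample proposals with hypothetical ratings and costs.
SAMPLE_PROPOSALS = [
    Proposal("MFA for remote and privileged access", ("identity", "email"), 5, 5, 5, 2, 60_000),
    Proposal("Immutable backups for payroll and treasury", ("payroll", "treasury"), 5, 4, 2, 4, 90_000),
    Proposal("Collect every log source into a SIEM", ("all",), 3, 3, 3, 2, 150_000),
    Proposal("Retire legacy permitting portal", ("permitting",), 4, 5, 1, 1, 25_000),
]

if __name__ == "__main__":
    for p in rank_proposals(SAMPLE_PROPOSALS):
        print(f"{p.name}: -{risk_reduction(p)} risk, {reduction_per_dollar(p):.6f} per dollar")
    funded, left = fund_within_budget(SAMPLE_PROPOSALS, 200_000)
    print("Funded:", [p.name for p in funded], "remaining:", left)
```

With these constructed inputs, retiring the legacy portal ranks first and the broad log-collection project last, which is the kind of result the "per dollar" framing is meant to surface.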
Step 3: Sequence “High-Leverage” Controls That Reduce Likelihood and Limit Impact
In constrained environments, foundational controls often deliver the highest return. A practical sequencing approach prioritizes controls that reduce compromise probability and shorten downtime when incidents occur. Here’s an illustrative example:
Priority A: Identity and Privileged Access
Because credential-based access is a common path into environments, strengthening identity and privileged access is often among the highest-leverage ways to reduce compromise risk — particularly in mixed legacy environments. Practical actions include:
- Expand multi-factor authentication for remote access and privileged accounts
- Reduce shared accounts and tighten administrative privilege assignment
- Implement basic privileged access workflows for sensitive activities
- Improve account lifecycle hygiene for vendors and contractors
Priority B: Backup Integrity and Restoration
In ransomware events, operational disruption is frequently driven by recovery readiness — particularly whether backups are isolated and restores are tested under realistic conditions. Focus on:
- Immutable or offline backups for must-not-fail services
- Scheduled restore tests with documented outcomes and recovery time expectations
- Separation of backup credentials from general administrative credentials
- Configuration backups for network and critical infrastructure components
Priority C: Vulnerability and Patch Governance
Legacy environments can often be stabilized before full replacement, but only with disciplined governance:
- Establish a patch cadence and define exception approvals
- Prioritize critical vulnerabilities on crown-jewel systems and external-facing assets
- Track patch performance as a governance metric, not an IT preference
Priority D: Segmentation and Containment
When you cannot rebuild everything, aim for containment:
- Segment critical environments first (finance, public safety, sensitive case management, operational technology support)
- Reduce unnecessary lateral connectivity
- Harden remote administration pathways
Priority E: Minimum Viable Logging for Response Readiness
A targeted logging strategy — focused on identity platforms, privileged actions, and high-value systems — can improve detection and investigation without the overhead of collecting every possible log source. Define:
- Which log sources are required for critical systems and administrative activity
- Retention expectations aligned to investigation and audit needs
- Who reviews alerts and what actions are taken, by severity
Step 4: Treat Legacy Infrastructure as a Financial Liability With a Managed Retirement Plan
Unsupported or hard-to-patch legacy platforms often increase operational burden and constrain monitoring and segmentation options — which can elevate risk and extend recovery timelines. Address legacy risk with a structured, budgetable approach rather than binary decisions.
A three-lane model is practical for state and local government organizations:
Lane 1: Replace (Strategic Modernization)
Use replacement for systems supporting must-not-fail services where compensating controls are insufficient and the risk is unacceptable.
Lane 2: Stabilize (Compensating Controls and Containment)
For systems you must retain in the near term:
- Segment and restrict access pathways
- Use jump boxes or restricted admin methods where feasible
- Apply vendor access controls and monitoring expectations
- Increase backup frequency and validate restoration readiness
- Document exceptions and risk acceptance decisions
Lane 3: Retire (Reduce Attack Surface)
Decommission or consolidate applications when possible. Retirement is often among the fastest ways to reduce risk per dollar and free operational capacity.
This approach supports multi-year modernization planning with measurable milestones and clearly articulated risk reduction.
Step 5: Build Modernization Scenarios That Match Fiscal Reality
Cybersecurity proposals are often presented as a single “required” budget. A better approach is to provide three scenarios with explicit outcomes and residual risk.
- Base scenario (defensible minimum): Focuses on identity, recovery readiness, vulnerability governance, and minimum logging for critical services.
- Target scenario (risk-managed): Adds stronger segmentation, improved monitoring coverage, and formalized vendor governance for critical providers.
- Resilience scenario (optimized): Expands automation and operational readiness, supports broader shared services approaches, and reduces reliance on fragile legacy environments.
Each scenario should include:
- A one-page outcome summary
- The must-not-fail services protected
- Metrics expected to improve over 6–12 months
- Total cost of ownership estimates and staffing implications
- The risks that remain if the scenario is not funded
This structure makes cybersecurity fundable through normal budget processes and supports explicit risk posture decisions by leadership.
Step 6: Include Third-Party Risk and GenAI Governance in Your Roadmap
Third-party risk is increasingly a top-tier concern, particularly in environments with extensive software as a service (SaaS) usage, managed service providers, and specialized civic technology vendors. Because vendors may host sensitive data, integrate via application programming interfaces (APIs), or maintain administrative access, third-party governance increasingly functions as part of your security boundary.
High-value steps that do not require large spend include:
- Tier vendors by data sensitivity and operational criticality
- Standardize contract requirements for high-tier vendors (notification timelines, subcontractor disclosure, minimum security expectations)
- Establish access review and offboarding procedures
- Build a monitoring cadence for critical providers
Generative AI (GenAI) governance should also be addressed early, even with limited resources. Unclear data-handling rules — including GenAI usage — can increase the likelihood of inappropriate data exposure and complicate incident response, contracting, and notification decisions. Practical starting points include:
- An approved tools and accounts list
- Prohibited data types and redaction expectations
- Human review requirements for high-impact use cases
- Vendor disclosure requirements for AI usage and training data practices
Step 7: Use a Short Cyber Dashboard That Finance and Governance Can Manage
Progress must be visible to sustain disciplined investment. A short dashboard supports executive oversight without requiring technical interpretation.
Recommended measures include:
- Multifactor authentication coverage (workforce and privileged accounts)
- Backup restore test success rate for must-not-fail services
- Patch compliance against defined service-level agreements (SLAs) for critical vulnerabilities
- Number of high-risk legacy exceptions with documented compensating controls
- Status of critical vendor compliance (tier-1 vendors)
- Mean time to detect and mean time to contain, tracked consistently even if estimated initially
This dashboard supports governance, informs budget tradeoffs, and provides defensible documentation for audits and oversight.
How MGO Can Support Modernization Decisions Under Constraint
When budgets are tight, many state and local government organizations benefit from independent support to quantify risk, prioritize investments, and document governance decisions.
MGO commonly supports:
- Risk-based modernization roadmaps aligned to budget cycles and financial planning
- Audit readiness and response where cybersecurity intersects internal controls and compliance expectations
- Vendor risk program design, contract control requirements, and defensible documentation
- Operational assessments and process redesign across people, process, and technology
- Grant and contract management support for modernization funding, including compliance and lifecycle oversight
Reach out to MGO’s State and Local Government Team today to discuss how you can prioritize modernization investments, strengthen resilience, and align cybersecurity decisions to fiscal realities.