乐鱼(Leyu)体育官网

For Chief Information Security Officers (CISOs) in government and public sector (Gov/PS), the challenges of securing sensitive data and critical systems have never been greater. The unique nature and volume of data these organizations handle leave them particularly vulnerable. The potential impact of a breach extends far beyond financial losses. In many cases, the well-being of citizens, public safety, and even national security are at stake.

CISOs in government and public sector organizations face a complex web of challenges. Over the last five years, rapidly changing geopolitical developments and increasing tensions have resulted in an increase in cyberattacks on critical infrastructure. The sector is now focused on improving resilience and reducing the risks associated with legacy IT infrastructures, which open the door to an array of vulnerabilities for adversaries to exploit. Despite efforts to modernize and secure these systems, the sheer complexity and scale of the task remain overwhelming. In fact, according to 乐鱼(Leyu)体育官网 research, a lack of understanding of, or trust in, new cyber technologies has made 65 percent of government and public sector organizations less confident about investing in these tools.1

In addition to the perpetual balancing act of addressing legacy systems, CISOs in this sector must also keep up with the rapid pace of emerging technologies, such as artificial intelligence (AI), blockchain, and quantum computing. CISOs are already dealing with budget constraints and resource limitations, which make it even more challenging to attract and retain skilled cybersecurity professionals. Together, these pressures present a perfect storm of cyber challenges for organizations to navigate.

The regulatory landscape is also becoming increasingly complex. In Europe, for example, upcoming cybersecurity regulations, such as the Digital Operational Resilience Act (DORA), the NIS2 Directive, and the Cyber Resilience Act, will affect thousands of companies and government organizations in the coming months and years. This regulatory fatigue can be overwhelming. Amid these challenges, CISOs must find ways to bolster resilience and prepare for inevitable cyber incidents. This requires a shift in mindset from a purely preventative approach to one that also factors in detection, response, and recovery.

This report explores challenges, opportunities, and action points for security leaders across this broad sector. By understanding the unique risks and requirements, and by taking a proactive approach to cybersecurity, CISOs can help protect the critical assets and data that underpin public institutions.


Key cybersecurity considerations for CISOs


Resilience by design: Cybersecurity for businesses and society

The critical infrastructure that powers our society, from energy grids and transportation systems to water treatment plants and healthcare facilities, is increasingly vulnerable to sophisticated cyberattacks. Given the growing frequency and complexity of these threats, CISOs must shift their focus from solely preventing incidents to building resilience: the ability to respond, recover, and adapt quickly with limited impact. It is not only about technological solutions but also about people, processes, and governance frameworks.

CISOs need to be able to locate and identify their assets to secure them effectively. This includes not only data center assets but also critical systems and endpoints outside of traditional IT, like those in factories, transportation networks, and energy grids, collectively considered operational technology (OT).

With organizations relying more and more on third-party providers for software and services, and attackers targeting suppliers directly, the risk of weak links in the supply chain is increasing. This growing ecosystem also expands the attack surface, affording threat actors additional entry points with each new external relationship.

Robust incident response plans, regular testing and drills, and cross-functional collaboration can minimize the impact of inevitable breaches and ensure the continuity of critical services. By cultivating a culture of resilience throughout their organizations, CISOs can empower employees to become active participants in the defense against cyber threats.

Key challenges

Resource and skills gaps

Many critical infrastructure operators, especially smaller municipalities, lack the expertise or funding to implement comprehensive resilience strategies.

Regulatory compliance pressure

Increasing regulatory scrutiny, such as NIS2 and the Regulatory Framework for Critical Entities (RCE) in the EU and similar standards elsewhere, requires organizations to demonstrate their resilience capabilities, adding complexity to operational and compliance requirements.

Sophistication of threats

Attackers are employing more advanced tactics, such as ransomware, Distributed Denial of Service (DDoS) and supply chain attacks, that target vulnerabilities unique to industrial systems.

Key opportunities

Real-time incident response: Advanced monitoring systems using AI and machine learning (ML) can identify anomalies in real time, enabling faster incident response.

Regulatory alignment: While challenging, regulatory mandates can drive investment in cybersecurity and resilience practices. This can contribute to innovation and raising industry standards.

While Gov/PS organizations are aware of the risks inherent in critical infrastructure attacks, many are not well prepared. Outdated legacy systems and insufficient funding for modernization efforts have hindered the ability of many CISOs to implement comprehensive resilience programs. To bridge this gap between recognition and effective mitigation, organizations need to prioritize investments in cybersecurity, work closely with industry partners, and adopt a proactive approach to resilience planning. These efforts are critical to maintaining essential services and safeguarding the well-being of the communities they serve.


Embed trust as AI proliferates

The rapid proliferation of AI across critical Gov/PS areas has unlocked unprecedented opportunities for innovation and efficiency. However, as organizations eagerly embrace AI, they also must confront growing trust concerns, particularly when it comes to security and privacy. The massive volume of sensitive data that fuels AI systems is an attractive target for malicious actors, increasing the likelihood of data breaches and privacy violations. The complex and often opaque nature of AI algorithms can also lead to unintended biases and inaccurate predictions. This can erode public trust and cause reputational harm.

CISOs need to think beyond traditional reactive measures and focus on embedding trust throughout the entire AI lifecycle. They must work closely with governance colleagues to address the challenges of data quality and classification, and ensure the information used to train AI models is accurate, unbiased, and properly secured.

It is similarly important to collaborate with IT and business stakeholders to develop robust security frameworks that keep pace with the threat landscape, closing the gap between innovation and protection. On an encouraging note, 乐鱼(Leyu)体育官网 research has found that in 76 percent of government and public sector organizations, cybersecurity is typically involved from the earliest planning stages of the decision-making process for technology investment and has a significant influence.2

Key challenges

Vulnerability in AI models

Simply stated, AI models are vulnerable to adversarial attacks. Malicious inputs can deceive systems, leading to inaccurate decisions that can jeopardize safety and trust. Additional threats, such as model poisoning and data leakage, can further compromise reliability and confidentiality.

Continuous monitoring and risk

Maintaining trust requires real-time monitoring to detect anomalies and evolving threats, as well as adaptive risk assessments to address vulnerabilities like model drift and cyber-physical risks and attacks. Organizations are encouraged to develop and implement scalable, proactive frameworks to safeguard AI systems and ensure resilience.

Key opportunities

Embedding security throughout the AI lifecycle: By integrating security measures into the AI development lifecycle, organizations can be better prepared to identify and mitigate vulnerabilities prior to deployment. This proactive approach can help avoid the costly retrofitting of security measures and reduce the likelihood of broad, disruptive cyberattacks.

Addressing the monitoring challenge: By deploying advanced anomaly detection algorithms and optimizing logging and auditing frameworks, organizations can significantly enhance their capability to detect and respond to potential security threats in real time.

Despite the appreciation of AI's potential and importance within Gov/PS, preparedness levels remain relatively low. Slow adoption, limited funding, and a shortage of specialized personnel continue to be impediments. The lack of expertise in critical areas like AI security and risk management leaves organizations vulnerable to risks such as system design vulnerabilities and insufficient data protection. To overcome these obstacles, CISOs at Gov/PS organizations must prioritize proactive planning, allocate adequate resources, and invest in upskilling their staff.


The digital identity imperative

As organizations embrace digitization to enhance service delivery and improve efficiency, the need for secure and reliable digital identity systems has become paramount. Digital identities serve as the foundation for secure access to a wide range of critical services, from banking and healthcare to government functions. By enabling individuals to verify their identity online, these systems facilitate seamless and secure interactions.

However, the rise of sophisticated threats such as deepfakes, identity theft, and digital fraud has exposed the limitations of traditional authentication methods. Organizations are increasingly concerned about the rise of machine identities, especially privileged non-human service accounts that have access to sensitive data for specific applications. As the Internet of Things becomes more prevalent, managing machine identities is also becoming a major challenge.

For CISOs in the Gov/PS sector, the stakes are particularly high. Digital identity systems play a vital role in safeguarding individual privacy, preventing fraud, and ensuring the integrity of sensitive data. A breach or failure of these systems can have far-reaching consequences, eroding public trust, disrupting essential services, and even compromising national security. As such, CISOs must prioritize the development and implementation of secure, transparent, and compliant digital identity frameworks. They must work closely with their teams to embed security and privacy considerations throughout the digital identity lifecycle.

Key challenges

Upholding public trust and data privacy

Individuals are more aware than ever of how their personal information is used and protected, especially when it comes to biometric data. There are concerns regarding how data is stored, processed, and shared. Privacy and data sovereignty remain top-of-mind issues.

Biometric data and authentication security

With advanced attacks being increasingly automated and scaled through AI, attackers' efficiency has risen significantly. For example, multiple deepfakes can be generated simultaneously, and AI systems can continuously learn from the behavior of defenders to refine their strategies. This advancement makes it easier to circumvent traditional authentication methods, such as facial recognition or fingerprint scans, and amplifies the security vulnerabilities within these systems.

Key opportunities

Public-private collaboration: Acknowledging that governments, technology companies, and other related organizations all play critical roles in shaping digital identity frameworks, cybersecurity teams can act as collaboration facilitators in the development of secure and interoperable systems. By driving cross-sector discussion and partnerships, cybersecurity professionals can help bridge gaps in standardization, regulatory compliance, and best practices.

Regulatory alignment: While navigating regulatory challenges is complex, alignment with regulations like the General Data Protection Regulation (GDPR), DORA, NIS2 or eIDAS provides an opportunity for cybersecurity teams to establish best practices in compliance and strengthen trust in digital identity systems.

Most Gov/PS organizations have low levels of preparedness relative to other sectors when it comes to securing digital identities. Often, this is attributable to insufficient investment and a lack of effective public-private collaboration. The complexity of challenges such as trust, privacy concerns, and user experience is often underestimated. In federated government systems, alignment and cooperation across levels of government add to the complexity. To overcome these obstacles and achieve a cohesive approach to digital identity, organizations must prioritize investment and collaboration.


Real-world cybersecurity in Gov/PS

As governments roll out large-scale digital initiatives that benefit citizens, balancing cybersecurity concerns with convenience remains top of mind.

A case in point is the national biometric-based digital processing system that revolutionizes the airport experience for travelers in India. The app uses the individual's face as a single identity token, linking identity, travel documents, and travel information. Since its implementation in late 2022, this program has achieved remarkable adoption rates, with close to 10 million users and tens of thousands of new downloads daily. The system is operating across more than 20 airports in India.

The implementation of this technology has yielded several key benefits, including improved passenger experience, enhanced efficiency, and increased security. The paperless system limits data sharing and ensures that passengers' personally identifiable information (PII) is securely stored in the traveler's mobile wallet. As adoption continues to grow, it serves as a prime example of how biometric technologies can be leveraged to enhance security and convenience in the public sector.

乐鱼(Leyu)体育官网 provides support in implementing public projects that bring together commercial and government cybersecurity industry context and experience. The support spans various areas, including strategy and governance, identity and access management, security architecture, and continuous diagnostics and mitigation. With the right approach, government initiatives can uphold the highest standards of data privacy and security while delivering services that are accessible, efficient, and user-friendly.



Top priorities for government and public security professionals


Prioritize the fundamentals of cybersecurity, focusing on basic cyber hygiene rather than solely investing in the latest, "shiny" technologies.

Maintain and document a comprehensive inventory of all systems, processes and assets, including the organization's "crown jewels", ensuring they are regularly patched and updated to help minimize vulnerabilities.

Develop and implement a robust cybersecurity awareness training program for all employees, cultivating a strong culture of security within the organization.

In today's dynamic environment, perform continuous monitoring of the threat/risk landscape and adapt accordingly as conditions and developments warrant.

How 乐鱼(Leyu)体育官网 professionals can help

乐鱼(Leyu)体育官网 professionals can assess your cybersecurity program to help ensure it aligns with business priorities. We work with government and public sector cyber leaders in developing digital solutions, advising on the implementation and monitoring of risks, and designing responses to cyber incidents.

We use advanced methodologies to address cybersecurity needs and develop custom strategies. The range of digital solutions includes cyber cloud assessments, privacy automation, third-party security optimization, AI security, and managed detection and response.

Our people

Imraan Bashir

Partner & National Public Sector Cyber Leader

乐鱼(Leyu)体育官网 in Canada

Wilhelm Dolle

Partner & Cyber Infrastructure, Government and Healthcare (IGH) Sector-Lead

乐鱼(Leyu)体育官网 in Germany