A Shared Responsibility Model for State & Local Cybersecurity

As cyber threats intensify and federal cybersecurity resources shrink, state and local governments face a challenging equation and a fundamental mismatch: dramatically increased responsibility with proportionally decreased support. 

The Trump Administration’s March 19, 2025 Executive Order “Achieving Efficiency Through State and Local Preparedness” shifts the focus to state and local government to prepare for cyber-attacks. Amid proposed cuts to cybersecurity budgets and resources at the Federal level, the Executive Order seeks to empower state and local governments “to better understand, plan for, and ultimately address the needs of their citizens.” State and local governments should play a more active role in cybersecurity resilience and preparedness. Indeed, it was one of our goals when we launched NYC Cyber Command, a municipal cyber defense organization established by mayoral executive order in July 2017, where I held the position of Deputy CISO and Head of Threat Management. As state and local governments take on more responsibility, our experience in New York City can provide lessons and a roadmap for a partnership-based approach, as well as how to scale support outside of large metropolitan areas.

A Shared Responsibility Model

NYC Cyber Command is led by the Chief Information Security Officer of the City of New York and is tasked with protecting all of the city’s systems against cyber threats, including over 100 city government agencies and critical services. Within NYC Cyber Command, a partnership-based approach was essential to our work, as individual agencies possess irreplaceable domain expertise regarding operational workflows and system dependencies that help engineer resilience. A water utility understands its operational technology (OT) differently than a fire department grasps its emergency medical services (EMS) systems. Rather than centralizing all security decisions, our shared responsibility model preserved this critical knowledge while providing coordinated defense capabilities. The same is true for state-level intelligence sharing and federal coordination for broader impact. 

Just as cloud computing transformed IT by clearly delineating responsibilities between providers and customers, cybersecurity governance needs similar clarity between federal, state, and local entities. In cloud security, providers secure the infrastructure while customers secure their applications and data – a model that has proven both scalable and effective at clarifying accountability, even when security incidents occur.

The key principles that make a shared responsibility model successful include:

• Clear delineation of responsibilities based on capabilities and control
• Standardized frameworks and protocols that define how responsibilities are coordinated and transferred between stakeholders
• Shared accountability for overall security outcomes
• Scalable support structures that adapt to stakeholder needs

The model reflects the core concept of states’ responsibility for security of the infrastructure and local governments’ responsibility for security in the infrastructure (their operations). This approach provides economies of scale, clear accountability, and standardization.

While the concept of a Whole-of-State approach is not new, it has not been universally documented nor adopted. And while some states use the approach as part of their cybersecurity strategy, it is not yet a standardized framework with expected outcomes. However, it has proven to be effective with partial implementation by several states, as initially demonstrated by New York City.

Lessons from NYC Cyber Command

In 2017, while most cities were waiting for state or federal directives, New York City took a bold, self-determined step. As a founding member of NYC Cyber Command, I saw first-hand how we flipped the traditional top-down model on its head in favor of a shared responsibility model, recognizing that cybersecurity could not wait for mandates – it had to be architected locally, with the city’s scale and complexity in mind.

What made NYC unique was not just our ambition, but our scale. With over 100 agencies and entities serving 8.5 million residents, NYC operates with the complexity and scope typically associated with state governments. Our municipal cybersecurity challenge was essentially a state-level problem in miniature, inclusive of diverse agencies, critical infrastructure, election systems, public services, and citizen protection all under one coordinated umbrella. This scale gave us the opportunity to test shared responsibility principles that most individual cities simply don’t have the size or complexity to require.

Despite initial resistance from some agencies concerned about losing autonomy, we overcame these challenges by demonstrating immediate value through shared threat intelligence and incident response capabilities. Within the first year, we reduced average incident response times from hours to minutes while maintaining agency operational independence.

Key elements of NYC’s strategy

• Executive Order 28 established NYC Cyber Command as the centralized cybersecurity authority for over 180 agencies serving 8.5 million residents.
• No additional cost to agencies: We centralized capabilities, absorbed the complexity, and delivered uniform protections without increasing individual agency burden.
• Standardized controls: Consistent security controls across the entire municipal enterprise through research, testing, and review of all cyber related spend. 
• Centralized telemetry collection: City-wide network data to detect threats holistically and enable rapid response. 
• Incident response leadership: Coordinated response across agencies enabled by our Agency Incident Response Readiness program.
• Cloud-based defender operations: Secure environment built for defenders to collaborate without traditional on-premises limitations.
• NYC Secure App for Citizens: Free privacy-first mobile app that alerts New Yorkers to cyber threats without collecting personal data. 
• Secure Public Wi-Fi Infrastructure: World-class cybersecurity protection deployed across all NYC public Wi-Fi networks and LinkNYC kiosks. 

The results speak for themselves: we’ve protected over 8.5 million residents daily, processed 90 billion events weekly, and parsed terabytes of data daily, leading to the reduction of security incidents across municipal agencies, and created a replicable model that scales from individual citizens to critical infrastructure protection. New York State subsequently adopted a similar model, validating that our municipal approach could indeed scale to true state-level governance.

Scaling the Shared Responsibility Model and Federal Partnership

NYC’s success demonstrates the viability of localized cybersecurity governance, but it also illuminates an important principle: not every city needs a cyber command. The model should be right-sized to jurisdictional complexity. Most smaller cities and counties can achieve effective cybersecurity through regional partnerships, shared services, or state-provided capabilities rather than building standalone cyber commands.

However, large metropolitan areas, major cities, and obviously state governments face the same scale and complexity challenges that NYC addressed making the shared responsibility model a potential fit. These jurisdictions have the critical mass of agencies, infrastructure, and citizens that justify and require dedicated cybersecurity coordination. The key is matching the governance model to the operational reality.

NYC’s success shows that scalability can work, but every implementation will be different and have unique challenges. Smaller jurisdictions need different approaches than large cities, rural areas face unique threat profiles, and coordination between jurisdictions remains complex. However, these challenges point to specific areas where federal support can enable widespread adoption.

The federal government’s most valuable contribution lies in providing the foundational elements that enable local success, such as threat intelligence sharing, standardized frameworks, specialized training programs, and emergency response coordination. This mirrors how we successfully addressed agency concerns about autonomy at the local level, by proving that shared capabilities enhance rather than diminish local effectiveness. This approach preserves local autonomy while ensuring national coherence, which is the essence of effective shared responsibility.

As cyber threats continue to evolve and “cyber fatigue” sets in among policymakers, cybersecurity can no longer stand alone as a competing priority in legislative agendas. By nesting cybersecurity within broader policy domains and demonstrating clear return on investment through models like NYC’s, we can position it as a core enabler of public trust, service delivery, and resilience.

As the federal government redefines its relationship with state and local governments, NYC’s strategy offers a proven roadmap for this transition. Our success demonstrates that effective cybersecurity doesn’t require choosing between federal oversight and local control. It requires architecting a partnership that leverages the unique strengths of each level of government. The shared responsibility model can scale beyond municipal boundaries to create a national framework where federal resources enable local action rather than constrain it. This approach becomes even more critical as federal cybersecurity resources contract while threats continue to intensify. Sustainable funding is required for the functionality, trustworthiness, and longevity of our critical infrastructure and other systems we rely upon.

Quiessence Phillips was most recently SVP of Global Cyber Operations at Arete, where she led teams that helped clients manage and respond to cyber risks. She has over 18 years of progressive experience defending critical environments and reducing risk across global enterprises and public sectors. Quiessence has served as Senior Security Technical Program Manager at Amazon Web Services, Deputy CISO and Head of Threat Management at NYC Cyber Command, VP of Information Security at Barclays, and on the National Incident Response Team at the Federal Reserve Bank of New York. Her team at NYC Cyber Command received the “Security Team of the Year for Public Sector” award from FireEye. She serves as Adjunct Professor at NYU, was named “Top Women in Cybersecurity” by Cybersecurity Ventures, received the “Best of New York” award from City Tech Foundation, and has contributed to several information security publications including “Tribe of Hackers: Blue Team Edition.”