Skip to content
Iron Bow GuardSight Services-Based Approach
Francesca El Attrash-UkaejiofoAugust 30 20234 min read

Why Whole-of-State Cyber Resilience Requires a Service-Based Approach

Organizations across the public and private sectors on any digital transformation journey need to balance innovation, risk, opportunities, and desired outcomes. In our next installment of this series on the resilience journey, we’ll discuss why whole-of-state cyber resilience tactics require service-based approaches. This can not only help dramatically improve cyber posture but also overall business continuity and service delivery to constituents.  

Resilience in the public sector involves focusing on a holistic, outcomes-based approach to overall operational resilience. This approach includes an organization’s people, processes, and partners. Consequently, cyber resilience will serve as a critical foundational layer to any organization’s mission and overall strategy. 

In a webinar with Government Technology, cybersecurity experts from Iron Bow and GuardSight discussed how governments can build resilience through whole-of-state cyber tactics and what this method looks like in practice. Speakers included Kevin Finch, Senior Director of the Global Security Practice at Iron Bow, Nelson Moe, sales Strategy Principal for SLED at Iron Bow, and former CIO of the Commonwealth of Virginia, and John McGloughlin, Founder of GuardSight, Inc., an Iron Bow company that specializes in cybersecurity-as-a-service. 

Pairing Whole-of-State Tactics with Resilience 

Likening Resilience to Martial Arts 

What does whole-of-state resilience look like when put into practice? Overall, it can be likened to martial arts: the ability to survive even in the face of an attack and prepare for the next. Agencies must adequately prepare for the worst from cyber adversaries and know how they’re going to keep services online regardless of an attack. 

“When I think about resilience, I think about adequate posture,” said McGloughlin. “It’s the ability to terminate threat actors when they hit, your environment, and the speed at which you can do that. It’s also identifying your critical assets and how you monitor and protect those effectively. Likening it to martial arts, you need to be able to survive. Determine what it takes for survival and then you go on the attack.” 

The Pillars of Resilience  

According to Finch, agencies should understand the following resilience pillars and their operational impact by having in place: 

  • Disaster Recovery Plan 
  • Business Continuity Plan 
  • Crisis Management Plan 
  • Cyber Resilience Plan 
  • Supply Chain Security 
  • Physical Security Plan 

“The first thing is to think about a broad cybersecurity plan,” said Finch. “From the engineering perspective, there are multiple aspects to resilience including disaster recovery, business continuity, crisis management, and so on. Cyber is pervasive across all those fields. Whole of state comes in by offering a common security baseline among these different entities. With this baseline, you have to evolve it into a life cycle approach where it’s happening continuously, like patching and penetration testing.” 

You Can’t Go It Alone 

Resilience and whole-of-state pair well together also because of their emphasis on partnership and comprehensive approaches. “Whole-of-state resilience enables state agencies to scale visibility and protect their assets,” Moe said. “Whole-of-state also emphasizes partnerships at different levels along with private and public sector partnerships to mitigate security threats.” 

Ultimately, the end goal of the resilience journey is an organization being able to recover its services rapidly and seamlessly after an event. “That’s why whole-of-state is so popular,” said Moe. “It addresses multiple needs across the spectrum. These needs include increasing demand for digital government services, limited funding in cyber, workforce retention challenges, etc. 

A successful resilience journey means you have reporting and compliance in place and a deep understanding of processes and people it takes to recover.  It also takes a deep commitment from suppliers and third-party vendors who are ready to help in your time of need. You can’t go it alone.” 

Moving Towards a Services-Based Approach 

By starting with services, agencies can better ensure secure and reliable services using an outcome-based cyber resilience mindset. This approach includes the following benefits, according to Moe:  

  • Breaking down the silos between security, technology, and business sectors 
  • Addressing and aligning various sector incentives to achieve mission and business outcomes 
  • Optimizing technology and security investments for the biggest bang for buck 

The current public demand for new services means agencies must move away from a traditional gap analysis by starting with the outcomes. “From an outcome perspective, leadership at the top is usually focused on education outcomes, hiring outcomes, tax outcomes, “said Moe. “Start with the end in mind. Don’t just worry about individual technology investments but worry also about your people and supply chain too.” Drive to eliminate any single points of failure. 

How can agencies start making the move towards a more services-based approach? 

  • Start with the desired organizational outcomes. 
  • Identify where partnering with a service provider can help you realize immediate benefits, I.e., cost effectively augmenting internal staff skills and filling technology gaps or accelerating digital transformation. 
  • Determine if it’s a comfortable investment (8-10% return) compared to what you stand to lose. This makes it easier to gain approval of funding. 
  • Think about “Plan B” contingencies and have an exit strategy. 

Stay tuned for our last part of this blog series where we’ll tie it up with best practices to get started on implementing whole-of-state cyber resilience.  

Ready to take the next step on your cyber resilience journey? Reach out to our team of cyber experts at 



Francesca El Attrash-Ukaejiofo

Francesca El Attrash-Ukaejiofo is an accomplished professional in marketing and corporate communications, specializing in communications, content development, and strategy, while also overseeing brand and design. With a strong foundation in SEO-led content creation and a passion for storytelling, Francesca brings a wealth of experience across various domains, having written for marketing agencies, government, B2B, and B2G organizations. Francesca excels in strategic thought leadership, crafting compelling short-form and long-form copy, including executive bylines, blogs, white papers, eBooks, ad copy, web, and video content. Her expertise spans diverse topics such as tech policy, marketing, cybersecurity, government, health IT, defense, and foreign policy. Notably, Francesca's ghostwritten work has earned placement in respected publications like the Hill, FedTech, DefenseNews, and NextGov. Holding a Master’s in Public Policy and fluent in four languages, Francesca leverages these skills to excel in storytelling, connecting with audiences, and fostering professional networks for the organizations she serves. Recognized for strengths in empathy and positivity, Francesca brings infectious enthusiasm to teams, contributing to a collaborative and talent-cultivating work environment.