Problem or solution? Cybersecurity and cloud-based “software as a service” in local government
Updated: Mar 8
CivicPulse fielded a survey of 584 local government leaders involved in IT decision-making in July 2021 and conducted eleven in-depth follow-up interviews. Below is what we found.
1. Cybersecurity is a top priority for local governments.
High-profile ransomware attacks in larger city governments like Atlanta and Baltimore have elevated the issue of cybersecurity in local government decision-making. Smaller local governments—often with particularly outdated IT systems—are also vulnerable to cyber attacks.
Accordingly, our survey shows that cybersecurity has become a mainstream concern for local governments of all sizes. When presented a list of possible priorities related to IT, more local government officials cited cybersecurity than any other item (Fig. 1).
Figure 1: Which of the following IT initiatives are strategic priorities for your local government?
Other top priorities included improving citizen experience, data governance, and workflow automation, and disaster recovery. Taken together, these priorities reflect growing willingness of local governments to invest resources in updating their IT systems.
Fittingly, the supply of companies offering products and services to local governments to improve their IT systems has exploded. In particular, both established and new software companies are eager to persuade local governments to join the trend toward “Software as a Service” (SaaS), which they argue will help local officials not only improve citizen experience and employee efficiency, but also data security.
2. The rise of "Software as a Service” (SaaS) has accelerated local government’s transition to the cloud.
Local governments are increasingly turning to third-party vendors to upgrade their IT systems for operations and service provision. In the realm of software, this growing engagement with the private sector has corresponded with the rapid rise of the “Software as a Service” (SaaS) model in local government, wherein companies offer subscriptions to services which are centrally managed offsite—and typically over the cloud.
Our survey indicates that most of the larger city and county governments have adopted at least one new cloud-based SaaS in the last three years, and even 46% of the smallest local governments did so (Figure 2).
Figure 2: Adopted a cloud-based SaaS in the last three years (by population size).
Cloud-based SaaS is an attractive choice for local governments interested in modernizing their operations. As one local official put it, “Some of [our] hardware appliances are really outdated so it just makes sense to move it to the cloud.”
SaaS also provides added protection against data loss and interruptions in service during outages. For this reason, officials located in areas prone to natural disasters consider cloud-based SaaS to be more secure than hosting software on-premise. “[W]e live in a hurricane area,” said one respondent, “so if a disaster happens we would be in a big bind.”
But even local governments who are less eager to join the trend toward cloud may soon not have much choice. In follow-up interviews CivicPulse conducted, we learned that local government officials with existing “on-premise” software service contracts are being told by their vendors were that vendors may soon require all contracts to be moved to the cloud.
From the standpoint of the vendors, encouraging—or even mandating—the transition to the cloud has obvious advantages, as they can economize on the scaling of offsite central management.
3. SaaS appears to be a double-edged sword for cybersecurity.
This trend toward SaaS poses a double-edged sword for cybersecurity. On the one hand, software companies which provide services to governments take pains to ensure their data are secure. And the centralization of data management would likely to reduce vulnerabilities to onsite ransomware attacks.
On the other hand, putting one’s data on the cloud—no matter the promises made by the company on the other end about security—would seem to inevitably create a new cyber vulnerability.
In our interviews with local officials, this concern was borne out. For example, a few interviewees mentioned the 2020 ransomware attack on a popular SaaS provider, Tyler Technologies, as a factor in their local governments’ decision to put off SaaS adoption. In these cases, security was the justification for continuing to run operations on-premise. As one respondent put it: “our IT Director preferred the security of it all being on our systems where he had control over everything, security wise.”
Our research shows that local government officials certainly recognize the benefits of moving toward cloud-based SaaS. However, the much-needed collective awakening to the threats of cybersecurity is leaving some local officials with a preference to keep their software in-house for the time being.