2025 Cybersecurity Policy Advisors Network Institute

The 2025 Cybersecurity Policy Advisors Network Institute was held on November 6-7 at the Microsoft Innovation and Policy Center in Washington, DC. Hosted by the National Governors Association (NGA), the event convened the Governor's Cybersecurity Policy Advisors Network and other state and territory cybersecurity officials, along with federal officials and NGA corporate partners, to share best practices and discuss cybersecurity challenges and strategies across a range of topics.

The Governor's Cybersecurity Policy Advisors Network serves as a forum for Governors' advisors, state chief information security officers or others identified by their Governors' offices to share ideas, best practices and lessons learned with colleagues from other states, connect advisors with valuable resources and materials, and provide opportunities to hear from subject-matter experts via periodic calls, webinars and workshops.

Around 100 participants, including representatives from at least 20 states and territories, attended this event. The meeting focused on strengthening connections within the Cybersecurity Policy Advisors Network while fostering collaboration across states and with federal partners and private industry. Participants worked to build knowledge and expertise to address current and emerging cybersecurity challenges, shared lessons learned and explored opportunities for greater cooperation and collaboration.

The meeting kicked off with a fireside chat with Former Governors Rick Snyder and Terry McAuliffe who offered their thoughts on how Governors and their advisors can create and foster a culture of cybersecurity at all levels to achieve cybersecurity goals and help attract economic investment in states. Below are some of the key topics and takeaways from the meeting.

• Building and sustaining trusted partnerships with critical infrastructure, including local governments, is important to building cyber resiliency. States and territories have a number of different approaches to this, which may include, establishing a working group, engaging in bilateral information sharing, conducting vulnerability assessments, facilitating exercises, and providing training and other resources.
• With changes in the federal cybersecurity footprint, states and territories are working to stretch existing funding and find efficiencies to get the most out of cybersecurity resources. Some methods states and territories are pursuing include maximizing efficient use of tools and reducing duplicative services, tapping into lower cost resources, creating a culture that prioritizes cybersecurity to serve as a force multiplier, and working with their Governor and state legislature on an ongoing basis to effectively allocate funding for vital cybersecurity programs.
• Having a strong cybersecurity workforce is vital to protecting key assets today and in the future. States and territories are taking a number of approaches to train future cybersecurity professionals, including partnering with universities and community colleges to provide increased hands-on training and internship opportunities as well as shifting toward skills-based hiring and work-based learning.
• Part of building cyber resiliency is building capacity to respond and recover quickly from a cyber incident to reduce downtime of vital services. In addition to maintaining cybersecurity best practices such as routine data back-ups and access control, many states are also building resiliency through increasing the number of responders by collaborating with partners such as the National Guard, cyber volunteers/cyber civilian corps, and leveraging existing partnerships with the private sector, including cyber insurers.
• Artificial intelligence has a number of positive uses within cybersecurity, but it can also be used by adversaries to perpetrate and scale up cyberattacks. Participants shared some of the ways AI is being integrated into cybersecurity workflows within states, policy and training considerations as well as how they are approaching emerging threats.

Participants also got to engage with federal partners from the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation about information sharing, state-federal coordination, the nation-state threat environment and the status of federal cybersecurity initiatives. Congressional staff offered their perspectives on the status of key cybersecurity legislation and how state and territorial officials can help elevate cyber priorities by providing their congressional representatives with concrete examples of what is happening at the state/territorial level.