The Expanding Attack Surface: Cybersecurity Leadership in an Age of AI, Quantum Disruption, and Policy Transformation

Written by Fed Gov Today | Jun 29, 2026 5:22:13 PM


Presented by Gartner


As artificial intelligence accelerates both innovation and risk, public sector cybersecurity leaders are being forced to rethink long-standing assumptions about trust, resilience, governance, and operational readiness. The expanding attack surface is no longer defined only by networks, devices, users, or applications. It now includes AI-enabled adversaries, complex supply chains, quantum-era disruption, and a policy environment that is changing almost as quickly as the threats themselves.

In this Fed Gov Today program, presented by Gartner and recorded at the Gartner Security & Risk Management Summit in National Harbor, Maryland, George Jackson speaks with Darin Brumby, Group Vice President, Americas Service Delivery at Gartner; John Wood, Chief Information Officer for Strategic Systems Programs at the U.S. Navy; and Gavin Green, Chief Information Security Officer for the Florida Office of the State Courts Administrator. Together, they examine how government leaders can operationalize trust, strengthen cyber resilience, prepare for emerging technology disruption, and build security programs that support mission outcomes rather than slow them down.

Governing Through Disruption: How AI Is Changing Cybersecurity Leadership

Artificial intelligence has changed the cybersecurity conversation for government leaders. For Darin Brumby, Group Vice President, Americas Service Delivery at Gartner, the central issue is not simply that agencies have another technology to adopt. It is that AI is reshaping the speed, scale, and complexity of risk itself.

Brumby explains that Gartner’s work with senior government and C-level executives focuses on helping leaders solve mission-critical priorities in ways that deliver measurable value. In today’s environment, those priorities increasingly sit at the intersection of cybersecurity, supply chain risk management, budget optimization, and artificial intelligence. Attackers are already using AI with malicious intent, which means government security teams must become more proactive, more strategic, and better equipped to answer not only today’s questions, but tomorrow’s as well.

That shift is forcing agencies to elevate governance, risk management, and cost optimization. Brumby argues that good governance is good business, especially as AI changes how quickly technology risk can become mission risk, reputational risk, or public trust risk. In the past, an IT project risk might have been contained within a technical environment. Now, the speed of AI can move that risk across an enterprise in seconds.

Budget optimization is also becoming more than a cost-cutting exercise. Brumby frames it as a way to fund innovation. Agencies must use resources wisely, but they also need room to invest in AI-driven opportunities that could improve health and human services, citizen safety, national defense, and other mission areas. That balance between discipline and innovation is becoming one of the defining leadership challenges in government technology.

Brumby also points to geopolitical uncertainty as part of the new normal. External pressures, internal constraints, emerging threat actors, and rapid technology change are converging at once. His message is direct: agencies cannot go it alone. Leaders need trusted partners, tested strategies, and rigorous planning to ensure that their cybersecurity posture can withstand the environment they are operating in.

One of the bright spots, Brumby says, is the rapid pace of AI adoption across government. In some cases, he sees government AI maturity advancing faster than in the private sector because the mission is clear and the urgency is real. He also pushes back on the idea that innovation only comes from industry. Government has strengths the private sector can learn from, including strong governance, disciplined execution, clear mission alignment, and agility under constraints.

As agencies confront the expanding attack surface, Brumby’s message is that planning has become more important than ever. Successful leaders must spend more time aligning governance, strategy, risk, and execution before they move. In the age of AI, cybersecurity leadership is no longer just about defending systems. It is about building the confidence, partnerships, and operating models needed to execute the mission in a world where the pace of change will not slow down.

Key Takeaways

  • AI is changing the speed and scope of cyber risk, forcing agencies to rethink governance, risk management, and leadership execution.
  • Budget optimization should help agencies fund innovation, not simply reduce spending.
  • Government has important innovation strengths, including mission clarity, disciplined governance, and strong execution under pressure.

From Castle Walls to Continuous Verification: Zero Trust and the Navy’s Cyber Future

For John Wood, Chief Information Officer for Strategic Systems Programs at the U.S. Navy, zero trust represents more than another cybersecurity framework. It is a complete philosophical shift in how organizations think about defense.

Wood explains that traditional cybersecurity often followed what he calls the “castle and moat” model. In that model, organizations focused heavily on keeping attackers outside the perimeter. Once a user, device, or system was inside the network, it was generally treated as trusted. But modern cybersecurity no longer allows that assumption. Zero trust starts from a different premise: the attacker may already be inside.

To explain the mindset shift, Wood turns to the story of the Trojan Horse. Troy’s walls held for years, but the city fell because the threat was brought inside and trusted. For Wood, that ancient lesson maps directly to modern cybersecurity. Agencies cannot assume that everything inside the network is safe. They must continuously verify users, systems, devices, and behaviors.

That shift is especially important for an environment as broad and complex as the Department of the Navy. The Navy operates across vast geographies, including the Indo-Pacific, and supports mission environments where users, systems, data, and operational needs are highly distributed. Implementing zero trust in that context is not a simple technology upgrade. Wood describes it as a wholesale rebuilding of the way security is planned and executed.

The challenge is turning a large set of zero trust activities, capabilities, and pillars into a coherent security plan. Agencies must connect tools, data, policies, identities, and monitoring so they work together. Continuous verification only works when the enterprise can see what is happening, understand behavior, and act quickly when something looks wrong.

Artificial intelligence makes that need more urgent. Wood warns that AI is democratizing cyberattacks by giving less-skilled actors capabilities that previously required significant technical expertise. He points to examples of AI tools uncovering large numbers of vulnerabilities and enabling untrained users to launch attacks at scale. If untrained actors can do that today, the question becomes what skilled attackers and nation-state teams will be able to do as these tools mature.

Supply chain risk adds another layer. Wood references the lesson of attacks like SolarWinds, where trusted software delivery channels were compromised. In that case, the danger was not only the software itself, but the trust placed in the source. Zero trust helps address that problem by shifting attention from static signatures to suspicious behavior. If systems can detect unusual east-west movement, unexpected data flows, or abnormal activity, they can identify threats even when the initial compromise comes through a trusted vendor.

Wood’s view is clear: zero trust is not a slogan. It is a practical response to a world where attackers may already be inside, software supply chains can be manipulated, and AI can accelerate offensive capability. For government cybersecurity leaders, the goal is to build environments where trust is never assumed, verification is continuous, and mission systems can operate with resilience even under pressure.

Key Takeaways

  • Zero trust replaces the old “castle and moat” model with continuous verification across users, systems, devices, and behaviors.
  • AI is lowering the barrier to cyberattacks, making proactive security and behavioral detection more urgent.
  • Supply chain risk reinforces the need to monitor malicious behavior, not just trust software sources or signatures.

Securing the Courts: Managing Cyber Risk Across a Complex Public Sector Ecosystem

For Gavin Green, Chief Information Security Officer for the Florida Office of the State Courts Administrator, cybersecurity is not confined to one agency, one network, or one set of users. The court system sits inside a broad and interconnected ecosystem that includes judges, clerks, public defenders, state attorneys, police departments, sheriff’s departments, law offices, and other partners.

Green describes that environment as “a big bowl of spaghetti,” where it can be difficult to see where one connection starts and another ends. That complexity is a defining feature of the modern public sector attack surface. A compromise in one connected organization can create risk for another. For courts, that means cybersecurity leadership requires visibility, coordination, and a deep understanding of how systems and stakeholders interact.

Artificial intelligence adds another layer of complexity. Green says the courts are in a discovery and conversation phase around AI. Like many organizations, they see the promise of AI to improve processes, reduce workloads, and create efficiencies. But Green is cautious about adopting a new tool simply because it is powerful or popular. His priority is making sure AI is evaluated through a cybersecurity and governance lens before it becomes embedded in court operations.

That does not mean slowing innovation for the sake of caution. Green frames the challenge as enabling courts to operate securely. He does not want to introduce unnecessary risk, but he also does not want to harm efficiency. That balance is one of the hardest parts of public sector cybersecurity leadership today: making sure agencies can modernize without creating new vulnerabilities that undermine the mission.

One of the major tools helping Florida’s courts strengthen their posture is a managed security services provider model. Green explains that the MSSP provides an incident response retainer, giving courts access to professional support when they face a ransomware attack or other security incident. That is especially important because some courts do not have dedicated cybersecurity staff. In smaller environments, the same person may be responsible for CIO duties, servers, email administration, and other IT functions.

The MSSP also provides access to a service catalog that includes offerings such as internal and external penetration testing. Those services help identify gaps and reduce risk across the court system. As more courts use the model, Green says the overall cybersecurity posture of the statewide system improves.

The model also gives court leaders agility. They can access expertise when they need it, especially during an incident, without having to build every capability internally. Green says that flexibility provides reassurance to CIOs and IT leaders who worry about being the next target.

Looking ahead, Green is particularly focused on dependence. As organizations rely more heavily on AI for daily processes, answers, workflows, and decision support, those AI systems become high-value targets. His concern is straightforward: the more essential AI becomes to operations, the more attractive it becomes to malicious actors.

For Green, the future of cybersecurity in the courts will require careful AI adoption, stronger shared services, and a clear-eyed view of interconnected risk. The mission is not to say no to innovation. It is to make sure innovation is implemented securely enough to support the courts, protect stakeholders, and maintain trust.

Key Takeaways

  • Court systems operate in a highly interconnected environment where risk can move across agencies, offices, and partner organizations.
  • AI adoption must be balanced with governance, security review, and operational efficiency.
  • Managed security services can help smaller or resource-constrained courts access incident response, testing, and cyber expertise.