Government Cybersecurity Programs Plagued by Funding Gaps and Staff Shortages, SANS Institute Reports

SANS Survey: Government Cybersecurity Crippled by Funding Gaps and Staff Shortages

May 30, 2026
Policy and Compliance, Security Operations, Regulatory

Related Entities

Other: Ryan Nicholson

Executive Summary

A new report from the SANS Institute, the "2026 Cybersecurity Readiness in Government Survey," paints a grim picture of the state of public sector cybersecurity. The findings reveal that government cybersecurity programs at federal, state, and local levels are chronically underfunded and suffer from a severe shortage of skilled personnel. Only 33% of programs are fully funded, leading to significant gaps in critical areas like staff training and threat detection. This resource deficit creates a dangerous disconnect between established cybersecurity strategies and the practical ability to implement them, leaving government agencies vulnerable to attack.


Regulatory Details

The survey highlights several key statistics that define the crisis:

  • Funding: 63% of government security leaders identify budget limitations as their primary challenge. Only one in three programs receives its full requested funding.
  • Staffing: Over 50% of surveyed organizations report difficulty recruiting and retaining qualified cybersecurity talent. This skills gap is directly responsible for 27% of reported breaches.
  • Resource Gaps: The most under-resourced functions are staff training and awareness (41%) and threat detection and response (40%).
  • Strategy vs. Execution: While 55% of agencies have a fully implemented cybersecurity strategy on paper, only 22% feel they have the capability to execute that strategy effectively at scale.

These issues are worsened by outdated infrastructure, disconnected security tools, and slow procurement processes, which prevent a cohesive and modern defense posture.


Affected Organizations

The report applies broadly to government agencies across all levels: federal, state, and local. The challenges are systemic within the public sector, impacting everything from small municipal governments to large federal departments. This widespread vulnerability has national security implications, as under-resourced agencies are responsible for protecting critical infrastructure, sensitive citizen data, and essential public services.


Impact Assessment

The operational impact of these funding and staffing shortages is profound. Without adequate budgets, agencies cannot procure modern security tools, invest in necessary infrastructure upgrades, or provide continuous training to their staff. The inability to hire and retain talent means that even if tools are purchased, there is no one to operate them effectively. This leads to a reactive, rather than proactive, security posture where teams are constantly fighting fires instead of building resilient defenses. The gap between strategy and execution means that well-intentioned policies and governance documents fail to translate into tangible security improvements, leaving agencies exposed to the very threats their strategies were designed to prevent.


Compliance Guidance

To address this crisis, government leaders and cybersecurity professionals should pursue a multi-faceted approach:

  1. Advocate for Sustained Funding: Security leaders must become adept at communicating risk in financial terms to legislative bodies and executive leadership. Tying budget requests directly to the potential impact of specific threats (e.g., ransomware attacks on public services) can make the need for funding more concrete and compelling.
  2. Focus on Workforce Development: Governments must create more attractive career pathways for cybersecurity professionals. This includes offering competitive salaries, providing clear opportunities for advancement, and investing heavily in training and certifications. Partnerships with universities and apprenticeship programs can help build a sustainable talent pipeline.
  3. Prioritize and Automate: In a resource-constrained environment, prioritization is key. Focus limited funds and personnel on protecting the most critical assets and data. Invest in security orchestration, automation, and response (SOAR) platforms to automate repetitive tasks, freeing up skilled analysts to focus on high-value work like threat hunting and incident response.
  4. Embrace Shared Services: Smaller agencies should explore shared security services models, where a central entity (e.g., a state-level SOC) provides security monitoring, incident response, and expertise to multiple organizations. This consolidates talent and provides a higher level of security than any single agency could afford on its own.

Timeline of Events

  1. May 27, 2026: The SANS Institute releases its 2026 Cybersecurity Readiness in Government Survey.
  2. May 28, 2026: A webcast is scheduled to discuss the survey's findings.
  3. May 30, 2026: This article was published.

MITRE ATT&CK Mitigations

Address the 41% resource gap in training by investing in continuous, role-based security awareness programs to create a stronger human firewall.

Audit (M1047, enterprise)

Improve threat detection and response capabilities by investing in centralized logging and SIEM/SOAR platforms to automate analysis and response, compensating for staff shortages.

Article Author

Jason Gomes

Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

government, cybersecurity funding, skills gap, SANS Institute, public sector, workforce development
