Government Technology/David Kidd
Governments increasingly see the value of a whole-of-state cyber strategy using the security operations center model. In Nebraska, strengthening security requires building a dedicated team and center to coordinate the work — which is especially timely as the federal government shifts some of the effort to states.
“It’s a lot of things at once,” Eccher-Young said of the JSOC, which launched in 2024. It is a physical facility within the Office of the CIO, it is a team leading state cybersecurity work, and it is a strategy, she said. She likened the JSOC to being the vehicle driving security work in the state.
The JSOC strategy’s development is already underway. Thus far, its work has focused largely on identifying key security partners — currently, the Nebraska Information Analysis Center — strengthening the state’s asset management strategy from the inside out, from the JSOC to other entities in the state, along with incident monitoring, and compliance management. Partnerships, she said, will help the JSOC team integrate information from other resources.
Officials are still shaping the JSOC and its role, she said, with greater cross-sector collaboration being a long-term goal. Currently, though, it does act as a resource for local governments in the state that have limited capacity.
“We’re still very much trying to figure out, ‘What does a whole-of-state model look like to Nebraska?’” Eccher-Young said.
Nebraska’s population is roughly 2 million people, but crossing the state by car can take more than eight hours, she said — illustrating its significant amount of rural area.
Eccher-Young’s background in local government shapes her approach to cybersecurity work at the state. This perspective involves maintaining the autonomy of county governments while supporting high-level areas like vulnerability management, where data aggregation can enable a more proactive defense strategy. By communicating cybersecurity needs from a public safety and emergency management standpoint, the state is building buy-in at the county level.
“So, starting there and understanding the ecosystem … helps us to understand the bigger-picture questions that the JSOC team is going to have to answer,” she said, such as how the state could respond to a regional security event.
As AI shapes the evolving threat landscape, state CIO Matthew McCarville is focused on education and determining what AI use cases may be valuable for the state government, Eccher-Young said.
State policy integrates the National Institute of Standards and Technology AI Risk Management Framework to help leaders responsibly determine what AI technology use cases should be explored or pursued. For example, she said, AI has been helpful in supporting asset management in the public sector.
AI and cybersecurity are interconnected in two key ways, she said: via the risk management and privacy needs that must be considered with the use of AI, but also in the power of AI as a tool to support risk management: “So, for me, it’s very much cyclical; there’s a balancing act here.”
With the federal government and state governments at something of a cybersecurity crossroads, states are increasingly expected to lead these efforts with less federal support.
“I think, like all states, we’re watching closely — trying to understand where the impacts are,” she said, underlining that in addition, officials are hoping to understand where the opportunities are: “Because you can only talk about risk for so long before it’s time to really start doing something about it.”
One such opportunity, she said, is understanding the state’s specific strengths in terms of cybersecurity services. Leaders can then explore how public-private partnerships can support other areas of work to optimize security operations at large.
Officials are also exploring working with a multistate security operations center, and how that could be beneficial to both parties.
So, even as officials hone the specific role of JSOC, its work has already begun.
“I’m looking at, ‘How do you build a really lean, agile program?’” Eccher-Young said. This includes workforce development, education and a mission-driven approach. “People are really excited about the mission.”
