A new SANS Institute survey highlighted persistent resource gaps facing public sector cybersecurity programs, finding that only one in three government cybersecurity initiatives is fully funded despite mounting pressure from evolving cyber threats and operational demands. 63% cite budget limitations as their primary obstacle, and security leaders make hard trade-offs on which risks to address. Moreover, outdated infrastructure, disconnected systems, and slow procurement processes prevent full integration of existing security tools across government environments, leaving organizations with multiple independent security measures in place of a coordinated defense.
The 2026 Cybersecurity Readiness in Government Survey points to ongoing concerns about preparedness, investment, and government agencies’ ability to sustain effective cyber defense strategies as threat activity and infrastructure complexity continue to grow. Security teams that have spent years building policy frameworks are running into execution capacity as the limiting factor, with budget pressure and staffing limitations determining how much of what is planned actually gets done.
More than half of respondents report difficulty recruiting and retaining qualified professionals. Staff training and awareness (41%) and threat detection and response (40%) are the functions they identify as most resource-constrained; the two capabilities most central to whether a security program holds up in practice. 55% of organizations report a fully implemented strategy, but only 22% rate themselves as capable of executing it at scale. The gap between having a plan and having the capacity to act on it is where most programs stall.
“Converting governance into working capability is where efforts stall,” Ryan Nicholson, SANS senior instructor and author of the report, said in a Wednesday news statement. “Funding shortfalls and workforce constraints are the specific pressure points keeping teams from closing that gap. The path from mid-stage maturity to fully capable security teams runs through workforce development, automation, and technology integration.”
He added. “This survey gives security leaders a clear picture of where they stand and what the data says to focus on next.”
SANS found that only 55% of organizations report having a fully implemented cybersecurity strategy, while nearly a third are still developing or updating theirs, and many lack consistent annual review practices. Although 65% of organizations classify themselves as ‘established’ or ‘advanced,’ only 22% consider their programs truly ‘optimized,’ with roughly 30% still in early or development stages.
Funding remains a critical barrier, as just one-third of organizations report that their programs are fully funded, more than half report partial or insufficient funding, and 63% cite budget limitations as a primary obstacle. Staff training and awareness (41%) and threat detection and response (40%) are the most resource-constrained areas, and more than half of organizations struggle to recruit and retain qualified cybersecurity talent.
This comes as government entities face compounding structural barriers, including lengthy hiring processes, private sector pay competition, and security clearance requirements that further narrow the pool of eligible candidates. These staffing constraints directly undermine core security functions such as threat detection, incident response, and security monitoring, all of which depend on skilled analysts to interpret alerts and coordinate responses.
Threat detection and response, compliance auditing, and third-party risk management consistently rank as high-pressure functions, compounded by competing organizational priorities that hinder execution. Many organizations find it difficult to translate strategy into action, as conflicting priorities, unclear ownership, and inconsistent governance models hinder the progress of cybersecurity initiatives.
“This level of strategic maturity shows notable progress. In earlier phases of building a cybersecurity program, organizations often focus on creating basic policies, defining roles and responsibilities, and establishing governance structures to guide security decisions,” SANS reported. “The widespread presence of formal strategies among respondents indicates that many government organizations have successfully advanced past those initial stages. Cybersecurity is now widely acknowledged as a leadership issue that requires ongoing planning, oversight, and coordination across technical and operational areas.”
However, the data also shows that strategic maturity differs among government organizations. Many agencies say they have fully implemented strategies, but a significant number report that their strategies are still in development or being revised. This uneven progress reflects the complexity of modern government technology environments. Rapid changes toward cloud infrastructure, distributed workforces, identity-focused security models, and more advanced threat actors require organizations to reevaluate how cybersecurity strategies are organized and carried out continuously.
SANS reported that the broader implication is that government organizations have largely succeeded in establishing the governance foundations needed to manage cybersecurity risk. “The remaining challenge is turning these strategic frameworks into consistent operational capabilities. Strategy alone does not improve security outcomes. Its value depends on organizations’ ability to operationalize policies, processes, and technologies across complex environments.”
It highlighted that the next phase of program development should prioritize ensuring that current strategies are backed by operational capabilities that enable them to work effectively in practice, rather than focusing mainly on creating new strategic frameworks.
Clearly, advancing cybersecurity programs from established to optimized requires seamlessly integrated tools, automated detection and response, advanced analytics, and continuous threat intelligence, capabilities that many government organizations struggle to achieve. Outdated infrastructure, disconnected systems, and slow procurement processes prevent full technology integration, leaving security measures functioning independently rather than as a unified defense.
Compounding this, complex government networks with legacy applications and distributed environments demand extensive cross-team coordination to maintain adequate security visibility. Together, these challenges explain why many programs plateau at mid-level maturity. While basic governance and controls are in place, the deeper operational integration needed for truly optimized security remains out of reach.
The SANS report noted that combined funding shortfalls and workforce gaps keep many cybersecurity programs stuck at mid-level maturity, where strategic frameworks exist but lack the resources for full implementation. Moving forward will require less focus on developing new strategies and more emphasis on securing the resources to execute existing ones, particularly through targeted investments in workforce development, automation, and operational integration, to advance organizations toward truly optimized cybersecurity operations.
In conclusion, the SANS 2026 Cybersecurity Readiness in Government Survey reveals that while government agencies have made meaningful progress over the past decade, such as establishing formal strategies, governance frameworks, and oversight processes, most remain in a transitional maturity phase. Basic controls and governance structures are now widespread, but few organizations have achieved the operational integration and automation required for fully optimized cybersecurity, with most operating at a mid-level maturity where sound policies exist but execution is strained across increasingly complex technology environments.
“Funding limitations and workforce shortages significantly hinder bridging the gap between strategic intentions and operational capabilities,” SANS reported. Security leaders are often tasked with modernizing infrastructure, enhancing threat detection, and supporting growing digital services despite tight budgets and limited staff. These challenges make it hard for organizations to fully implement cybersecurity plans or expand security operations to keep up with the complexity of modern government systems.”
Last month, SANS and GIAC identified that the cybersecurity workforce problem is no longer about headcount. It is about capability. Teams are in place, but too often lack the skills needed to defend against current threats. The data is unambiguous. About 60% of organizations say their teams lack the right skills, while regulatory pressure on hiring has surged from 40% to 95% in just a year. At the same time, 27% of organizations report breaches directly linked to these capability gaps. AI is compounding the shift, reshaping entry-level roles that once served as the industry’s training ground.
