Donald Gainsborough is a prominent figure in the intersection of public policy and technological advancement, currently serving as a lead strategist at Government Curated. With an extensive background in navigating the complex legislative landscapes of state and local government, he has become a vocal advocate for modernizing the public sector workforce. In this conversation, he explores the shift from traditional security prevention to organizational resilience, the urgent need for skills-based hiring to attract younger talent, and the transformative potential of automation for small, overburdened IT teams.
Operational disruptions now characterize the vast majority of cyber incidents, directly impacting essential services like schools and hospitals. How should agencies shift their focus from simple prevention to resilience, and what specific steps can a local government take to maintain public trust during a lengthy service outage?
We have reached a point where prevention alone is no longer a sufficient strategy, as evidenced by the fact that 86% of cyber incidents now involve significant operational disruptions. When a hospital or a school goes dark, the impact is visceral and immediate for the community, which means our definition of success must evolve from “blocking attacks” to “maintaining continuity.” To build true resilience, local governments must integrate security into the very DNA of their agencies, ensuring that mission-critical functions can persist even during a breach. Maintaining public trust during these periods requires radical transparency and a demonstrated commitment to restoration; citizens are often more forgiving of an outage than they are of a perceived lack of preparation or honesty. By making resilience a core part of the agency’s culture, leaders can show the public that they have the protocols in place to protect essential services, even when the worst-case scenario becomes a reality.
The public sector workforce currently has a significant shortage of professionals under the age of 30 compared to the broader economy. What specific barriers in traditional government hiring processes discourage younger talent, and how can agencies successfully transition to a skills-based model that prioritizes capability over degrees?
The disparity is quite alarming when you look at the data: fewer than 9% of the federal workforce is under the age of 30, whereas that demographic makes up nearly 23% of the total U.S. workforce. The primary barriers are our own rigid, legacy requirements, such as mandating four-year degrees or extensive prior government experience, which effectively shrink the talent pool before we even begin interviewing. To fix this, we have to move toward a skills-based hiring model where we test candidates for what they can actually do—their cutting-edge, modern tech skills—rather than where they went to school. This involves utilizing hands-on curriculum, inclusive lab access, and role-based certifications that allow a veteran or a community college graduate to prove their worth on Day 1. By broadening the funnel to include mid-career professionals and those with adjacent technical skills, we can create a more diverse and capable workforce that isn’t held back by outdated pedigrees.
Many organizations face chronic staffing shortages while simultaneously managing aging legacy technology. How can leaders effectively upskill their current IT staff to handle modern threats, and what specific mentorship or training programs have proven most effective at improving retention in high-pressure public sector environments?
In an environment where 67% of organizations report a staffing shortage, the most strategic move a leader can make is to invest in the people they already have. Upskilling IT professionals to handle specialized cybersecurity challenges not only fills immediate technical gaps but also sends a powerful emotional signal that the employee is a valued, long-term asset to the mission. We have seen great success with programs that emphasize continual learning and cross-training, allowing staff to rotate through different roles to keep their skills sharp and their perspectives fresh. Mentorship is the “secret sauce” here; by pairing seasoned experts with those transitioning into cyber roles, you foster a collaborative culture that can withstand the high-pressure nature of public service. When an agency prioritizes recognition and professional growth, it creates a sense of purpose that private sector salaries often struggle to compete with.
With nearly 90% of security teams reporting notable skills gaps, automation is often viewed as a necessary force multiplier. How can a small team with a limited budget begin integrating AI into their routine monitoring, and what metrics should they use to measure the reduction in manual workload?
Small teams often feel like they are fighting with one hand tied behind their backs, but AI and automation allow them to punch significantly above their weight class. By integrating automated threat detection and incident response platforms, a lean staff can receive unified visibility across endpoints, networks, and clouds, which effectively closes the gaps that attackers love to exploit. The goal isn’t to replace humans but to free them from the “drudge work” of routine monitoring so they can focus on the most complex, high-stakes problems. To measure success, agencies should track the “mean time to remediation”—basically, how quickly can we find and fix a problem—and look for a measurable reduction in the manual hours spent on Tier 1 alerts. It is about helping people do more with less, turning a small group into a formidable defensive force through smart technology investments.
Regional initiatives and public-private partnerships are increasingly being used to introduce high school and technical students to public service careers. How can jurisdictions without these established networks begin building a talent pipeline, and what specific hands-on experiences best prepare a student for a Day 1 security role?
Building a pipeline from scratch requires looking outside your agency walls and engaging with local technical schools and community colleges as vital strategic partners. We have seen brilliant examples of this, such as Virginia’s CyberSlam 2025, which brought 500 high school students together, and initiatives in D.C. where 50 technical students explored real-world public service tech. For jurisdictions starting from zero, the key is to offer hands-on experiences—like workforce-ready academies and immersive labs—that simulate the actual pressure and tools of a security operations center. These practical, role-based training programs are much more effective at preparing a student for a Day 1 role than any textbook could ever be. By creating these entry points, even the smallest jurisdiction can begin to cultivate a local crop of talent that feels a personal connection to protecting their own community.
What is your forecast for state and local cybersecurity?
I believe we are entering an era where the “human element” will finally receive the same level of investment as the technical one. My forecast is that state and local agencies will increasingly abandon traditional hiring gatekeepers in favor of a “capability-first” approach, leading to a much more resilient and demographically diverse workforce. We will see a massive surge in the adoption of AI-driven automation as a survival mechanism for small teams, which will paradoxically make public sector roles more attractive because the work will be more about high-level strategy and less about manual data entry. Ultimately, the agencies that thrive will be those that embrace public-private partnerships and treat cybersecurity not as an IT expense, but as a foundational pillar of public safety and community trust. The stakes are undeniably high, but the shift toward a more inclusive, tech-empowered team structure gives me a great deal of optimism for the future.
