The Curious Presence of Cyber in Local Government Strategy

Cybersecurity is no longer absent from local government strategy, but according to research from the Local Gov Strategy Forum, it remains structurally subordinate. Despite increased investment and board-level visibility, it does not shape transformation. Instead, it sits behind financial survival and service modernisation, creating a misalignment where systemic risk is acknowledged but not architecturally addressed.

1. Introduction

When I wrote about “The Curious Absence of Cyber in Local Government Technology Strategy”, the claim was deliberately provocative.

The latest Local Government Strategy Forum research (June 2026) suggests something more precise, and arguably more concerning (“Local Government Strategy Forum, 15th-17th June 2026, Client Research Report” website and PDF).

Cyber isn’t absent. It’s present, visible, and increasingly funded. And yet it still doesn’t appear to matter.

2. Cyber Is Present, But Not Leading

The report shows that 58% of councils are increasing cybersecurity spend, placing it alongside cloud, data, and just behind AI in terms of investment priority. On paper, this looks like progress.

Cyber is now described as “board-level”, tied to governance, regulation, and organisational risk. There is a clear awareness of increasing incident rates, regulatory pressure, and systemic vulnerability. None of that is surprising. What is more interesting is what cyber is not doing. It is not shaping strategy.

3. Strategy Is Still Driven by Service Transformation

The dominant strategic priority across the cohort is not resilience, risk, or assurance. It is the modernisation of service delivery. This is framed in familiar terms:

  • digital access
  • automation
  • AI-enabled services
  • data-driven decision making

The language is about capability, efficiency, and transformation. Cyber does not appear in that framing. It sits adjacent to it.

4. Cyber’s Actual Position in the System

This is not an omission. It is a positioning decision. Cybersecurity is treated as a constraint on transformation, not a determinant of it. It appears in the report in three consistent ways:

  • First, as governance.
    Something to align with frameworks, codes, and upcoming legislation.
  • Second, as a consequence.
    Something that becomes relevant when incidents occur, services are disrupted, and regulators become involved.
  • Third, as a capability gap.
    A shortage of skills, capacity, and internal expertise constrains the ability to manage risk effectively.

All of these are valid. None of them places cyber at the centre of how systems are designed, procured, or operated.

5. The Operating Environment

At the same time, the report is explicit about the conditions in which this strategy is being executed. Councils are operating under significant financial pressure, with multi-billion-pound funding gaps and a requirement to invest in technology to deliver measurable returns within 12–24 months.

They are constrained by legacy systems, fragmented data, and limited internal capacity, and are increasingly dependent on external partners to deliver transformation programmes. These are not marginal factors. They are the environment in which strategic decisions are made.

6. What This Report Actually Is

It is worth being explicit about what this document represents.

This is not a strategic analysis of local government. It is a synthesis of delegate input, survey data, and sector references, produced in the context of a vendor-facing forum. Its purpose is to describe demand, identify constraints, and signal where solution providers can position themselves.

That shapes what it does, and what it does not do.

The report captures stated priorities and perceived barriers. It does not interrogate them. It does not distinguish between different types of authority, levels of maturity, or organisational capability. It does not attempt to explain why these patterns exist, or whether they are internally consistent.

This is not a flaw in the report. It reflects its purpose. The value of the document lies in what it reflects, not what it concludes.

7. Signal versus Interpretation

Read in that context, the report provides a useful signal. It confirms that:

  • AI and automation dominate investment narratives
  • legacy systems and skills gaps remain persistent constraints
  • councils require demonstrable returns within short timeframes
  • delivery capacity, rather than ambition, is the limiting factor

These are not new insights, but they are consistently reinforced. What is less clear, and left unexplored, is whether these conditions can coexist without failure. What the report does not provide is interpretation.

It does not explore the interaction between these factors or the structural implications of pursuing transformation under these conditions. It does not examine whether prioritising service modernisation over resilience is sustainable, or how these choices compound risk over time.

As a result, the document describes a system under pressure without analysing how that system behaves.

8. The Implicit Strategic Hierarchy

Within that environment, the implicit hierarchy becomes clear:

  1. Deliver financial sustainability
  2. Modernise services
  3. Manage cyber risk

Cyber is not ignored. It is simply third.

9. The Unresolved Tension

This matters because the same report also describes cyber risk as systemic, increasing, and operationally disruptive. Incidents do not degrade performance: they stop services.

That includes housing systems, revenues and benefits, and social care delivery. In other words, the failure mode of digital transformation in local government is not inefficiency: it is unavailability.

10. Cyber as Architecture, Not Assurance

There is a tension here that the strategy does not resolve. If cyber risk has the potential to interrupt or disable core services, then it is not just a governance issue. It is an architectural one. It should influence:

  • how systems are integrated
  • how data is structured and shared
  • how suppliers are selected
  • how services are designed and operated

But that influence is not visible in the strategic framing.

11. A Coherent but Fragile Model

Instead, the report reinforces a model in which:

  • transformation is driven by service outcomes and cost pressures
  • technology choices are shaped by delivery constraints and ROI
  • cyber is layered on top as assurance and compliance

This is a coherent model. It is also a fragile one.

12. The Underlying Assumption

A more accurate description of the current state might be this:

  • Local government is not failing to consider cyber.

It is assumed that cyber can be addressed after the fact, without fundamentally altering the trajectory of transformation. That assumption may hold in the short term. It becomes harder to sustain as dependency on digital services increases.

13. The Missing Layer

There is a layer missing from the report, and it is the one that matters most.

The document identifies cyber risk as systemic, increasing, and disruptive. It also shows that digital transformation is accelerating, driven by financial pressure and policy direction.

What it does not do is connect these two observations.

There is no attempt to model how increased dependency on digital services interacts with underdeveloped cyber capability, or how architectural decisions made under delivery pressure affect long-term resilience.

Instead, cyber and transformation are described in parallel. That is not an absence. It is a misalignment.

And it is not theoretical. It is already embedded in how systems are being designed, procured, and operated.

It will only become visible when those systems fail under conditions they were never structured to withstand.

14. Conclusion: Misalignment, Not Absence

The original argument was that cyber was missing from the strategy. The updated position is narrower and less comfortable. Cyber is present, funded, and discussed, but it is not doing the work that its risk profile would suggest. That is not an absence. It is a misalignment. And it is one that will only become visible under stress. The conditions for that failure are already in place.