Close

New Research from CDW on Workplace Friction

Learn how IT leaders are working to build a frictionless enterprise.

Jul 14 2026
Security

Q&A: Why Security Readiness Matters More Than Security Coverage in the AI Era

CDW’s Nik Alleyne explains why government agencies should prioritize measurable detection, response and adaptability over simply expanding their security toolsets.

State and local governments continue to strengthen their cybersecurity programs as they modernize infrastructure, defend critical services and adopt artificial intelligence. Yet even after years of investment in security technologies, many agencies still struggle to answer a fundamental question: How prepared are they to detect, respond to and contain today’s evolving cyberthreats?

We sat down with Nik Alleyne, head of managed services security for CDW, to discuss why many government organizations still lack confidence in their security posture, how AI is changing both the threat landscape and cyber defense, and why measurable detection and response capabilities are becoming the true indicators of security readiness.

Click the banner below to explore the next phase of cyber resilience.

 

STATETECH:  Government agencies have invested heavily in cybersecurity tools, yet many still lack confidence in their security posture. Why?

ALLEYNE: That lack of confidence stems from the hype that surrounds the technologies they invested in. Some technology companies promise to stop breaches rather than to reduce the chances of a breach or the number of breaches. Every new security provider promises to stop the next major attack. Then there are those who claim their solution would have stopped it. This cycle continues.

Agencies have to ensure they’re looking at security primarily from a risk-based perspective. Once that is understood, they can then figure out which tools best mitigate that risk, without getting emotionally attached to the technology.

STATETECH:  STATETECH: What’s the difference between having security “coverage” and having real security readiness?

ALLEYNE: Security readiness starts with a mindset. It is the organization looking at security from a risk-based perspective. Every organization knows it needs to consider risk as part of its operations, whether that is financial risk, reputational risk or some other risk. Security readiness must be seen from this perspective. Based on its risk appetite and risk tolerance, that will then influence how effective its security readiness is.

Having coverage suggests that the organization is more inclined to meet compliance requirements from the perspective of some framework, so they can conclude, “We have coverage of XYZ.” And that’s great. However, when something deviates from these frameworks, is your security program designed to adapt quickly to this new threat?

Security readiness is about being able to not only adapt but also evolve to the ever-changing security landscape. Security readiness rather than coverage becomes even more critical in the world of Anthropic’s Mythos and other AI-based tools and threats.

READ MORE: Debunk AI security myths for government agencies.

STATETECH:  STATETECH: Security teams are flooded with alerts, dashboards and threat data. What can agencies do about alert fatigue?

ALLEYNE: Alert fatigue is real. The problem, as new security technologies come online, is that they all promise to reduce alert fatigue, when in fact they contribute more to it.

The assumption today is that AI will help us solve alert fatigue. I think it will. However, at the same time, while AI may help us address the alert fatigue problem, we may be bringing on a new problem. The assumption is there should always be a human in the loop for certain AI decisions. What does that mean in the context of an evolving threat landscape?

The other issue, while we move from the traditional Tier 1 role to more of an AI governor role, is whether Tier 1 analysts will simply click “accept” or “approve” on whatever the AI produces. If this happens, we no longer have an alert fatigue problem but instead a greater automation bias. Tier 1 analysts begin trusting the automated workflow simply because the AI says so.

STATETECH:  Why do detection and response capabilities matter more today than simply adding more preventive controls?

ALLEYNE: The ability to detect, which is measured by your mean time to detect, your ability to respond, measured by your mean time to respond, as well as your ability to contain, measured by your mean time to contain, are more critical today than they have ever been. The primary reason for this is the speed with which threat actors can increase the scope of their attacks. Using machine learning and AI tools, threat actors can execute their attacks with speed. This means we have to be able to detect, respond and contain with similar speed.

Add the complexity of tools such as Mythos and their ability to not only detect vulnerabilities but also create exploits for those vulnerabilities, and the situation has become more perilous. The risk of running any technology based on software — which is almost everything today — means agencies must determine during system design or procurement how to ensure security remains the No. 1 priority.

At the early stage, the agency can decide how to address the risk. Should the risk be avoided? Should it be accepted? Should the risk be transferred? More often than not, the risk will be mitigated through technical controls. Those controls support prevention. However, when prevention fails, there must also be a clear understanding of how to detect, respond and contain an attack.

LEARN MORE: Here are some insights into building critical cyber resilience.

STATETECH:  What are the most common signs that a government agency’s security program looks mature on paper but is weaker in practice?

ALLEYNE: To determine how effective and robust an organization’s security program is, the organization does not have to look far. One question organizations can ask is, “How measurable is my security program?” The good part is your security program can, in many cases, be measured quantitatively rather than being subjective and speculative.

Here are eight key things agencies should consider:

  1. Vulnerabilities identified. Every software platform has vulnerabilities, whether intentional or accidental. For example, Mythos Preview found a 27-year-old vulnerability in OpenBSD, which is known to be one of the most secure operating systems. The fact that it was not found yesterday does not mean it will not be found tomorrow. In fact, we should expect that it will be found tomorrow. Another example is Mozilla using Mythos to uncover 271 bugs in Firefox 150.
  2. Vulnerabilities remediated. Now that we know we cannot escape the world of vulnerabilities, and that more of them will be identified even faster, how do we remediate them more quickly? This is going to be a major challenge. Think about Microsoft Patch Tuesday, which occurs once a month. Even with patches being released monthly, organizations have a difficult time keeping up. Imagine what will happen as AI tools identify vulnerabilities at greater speed while applying patches still takes time.
  3. Threats prevented. Threat actors are always targeting your infrastructure. Do you have visibility into those attacks? If your security platforms provide that visibility, you now have measurable data: malware attempts, phishing campaigns, business email compromise and other attack types.
  4. Threats detected. Even with firewalls, endpoint detection and response, extended detection and response, managed detection and response, email filtering and other preventive technologies, organizations are still being compromised through multiple attack vectors. There is a serious operational impact if agencies are unable to prevent or even detect these threats. There is also the potential loss of public trust.
  5. Mean time to detect. Once threats exist, how quickly are you finding them? Is a mean time to detect of 24 hours acceptable, or should your goal be less than an hour? The answer depends on your security tools, your managed security service agreements and your threat-hunting capabilities. Agentic AI may identify suspicious activity faster than a human analyst, but only if it has the appropriate context.
  6. Mean time to respond. Detecting a threat is only the beginning. How quickly can your team take meaningful action? Competing priorities often slow response efforts, making this a critical metric to measure.
  7. Mean time to contain. Even if full remediation must wait, agencies should focus on containing threats as quickly as possible to limit operational impact.
  8. Lessons learned. The only way to truly ensure security readiness is to evolve your security program continuously. That evolution comes from learning from your own incidents as well as from attacks affecting other government agencies and organizations.

DIVE DEEPER: Intelligent IT asset management platforms boost resilience.

STATETECH:  How are staffing shortages and skills gaps affecting government cybersecurity teams in 2026?

ALLEYNE: The staff shortage issue, like alert fatigue, is real. With the advent of AI and its role within the security workspace, the need for higher-level skills becomes more important as the Tier 1 security analyst role evolves. This is now the real challenge.

Previously, we could take a Tier 1 analyst and train them to take on more advanced roles. However, if we are leveraging AI to take over many Tier 1 responsibilities, how do we develop those people into experienced security professionals when they never performed that foundational work? This is the real challenge as we look to the future.

STATETECH:  What role can managed detection and response play in helping government agencies turn security investments into measurable outcomes?

ALLEYNE: MDR plays a significant role in helping organizations address risk as their security programs evolve. Make no mistake, MDR — or any managed security service — is not a silver bullet. For this relationship to work well, the agency must be an active participant rather than a spectator.

To become truly security-ready, agencies must act on the provider’s recommendations with urgency while also providing feedback that helps the MDR provider improve its own services. That two-way relationship ensures neither partner becomes stagnant.

One of the biggest benefits is cost. It is often more cost-effective to work with an MDR provider such as CDW than to build and staff an in-house security operations center.

More important, an MDR provider can identify trends across its customer base and share best practices and threat intelligence that individual agencies might not otherwise see. Those insights can help agencies strengthen their own security programs.

MSSP and MDR providers also support engagement at multiple levels. Security teams may meet daily, weekly or monthly to address tactical and operational priorities, while quarterly business reviews with agency leadership can help guide the long-term direction of the cybersecurity program.

Weiquan Lin /Getty Images