How Fairfax County uses its Partners to Build Cyber Strength

Fairfax County CISO Michael T. Dent reveals how Virginia's largest local government tackles emerging threats with enterprise-wide risk management

Michael T. Dent, Chief Information Security Officer (CISO) at Fairfax County Government in Virginia, is preparing for a significant transition. 

Effective 1 August 2025, he will be moving into a new role as Strategic Liaison to the CIO and CISO as part of a planned leadership succession.

The transition comes after 23 years with Fairfax County, following his military service. This extensive tenure has shaped his approach to cybersecurity leadership in one of America’s largest local governments.

“My military background instilled a mindset of discipline, accountability and mission-first leadership, values that I’ve carried into my work in public sector cybersecurity,” he says.

His approach to cybersecurity emphasises integration rather than isolation. Cybersecurity is embedded in everything from budgeting to public-facing services, with accountability extending to executive-level leadership.

“No security programme succeeds if it operates in a silo or if exceptions are made for VIPs,” Michael explains. “You have to be resourceful, collaborative and able to explain cyber risk in plain terms, because at the end of the day, you’re securing not just infrastructure, but democracy at the local level.”

This philosophy has guided the development of Fairfax County’s comprehensive cybersecurity framework.

Fairfax County’s commitment to digital resilience

Located in the heart of Virginia, Fairfax County serves over one million residents and operates extensive digital infrastructure. This scale presents unique challenges in balancing security requirements with accessibility and public service delivery.

With this in mind, the county’s enterprise-wide IT risk management programme is designed to be both comprehensive and intentional. Michael says that what makes it so effective is that it’s built not just to “check compliance boxes”, but to “ensure the security, resilience and trustworthiness of every county service that touches technology”.

He adds: “What makes it effective is that it’s embedded at every level, from our core Information Technology Security Policy, which outlines the minimum-security requirements across all platforms, to aggressive, ongoing risk assessments that inform action and accountability.”

The cybersecurity programme operates under a robust vulnerability and risk management model, which means the county is constantly assessing its security posture, validating controls and adapting to evolving digital threats. This is undertaken on a continuous cycle, with the programme covering every county IT asset across every platform and department to ensure there are no blind spots in infrastructure, applications, or operations.

“We take compliance seriously, aligning with federal, state and local requirements, from HIPAA and PCI-DSS to NIST guidelines, and we have governance structures in place to ensure that alignment isn’t just documented, but operationalised,” Michael says. “Our Governance, Risk and Compliance (GRC) approach is a cornerstone. Within Fairfax County Public Schools, for example, the Office of Cybersecurity includes a dedicated GRC team, reflecting how seriously we take not only risk identification but ownership and follow-through.”

The programme is strategically aligned with the Countywide Strategic Plan – a roadmap within Fairfax County that exists to help guide future work based on 10 Community Outcome Areas.

“That’s important, because cybersecurity isn’t isolated from community outcomes,” Michael emphasises. “Whether we’re enabling digital equity or safeguarding critical infrastructure, our goal is the same: to provide the residents of Fairfax County with secure, reliable access to services they depend on.

“We built a programme that’s both technically sound and strategically aligned and that’s why it works.”

‘Doing more with less’

Michael explains that Fairfax County, as a local authority, has had to do ‘more with less’ when it comes to funding. In order to maximise cybersecurity impact across the region, Michael says the organisation has had to drill down on strategy. 

“When resources are limited, and they often are in local government, success comes down to focus, discipline and leadership alignment,” he says. “We start by being strategic. We don’t try to do everything at once. We prioritise the highest-impact areas – identity, access, resilience and visibility – and ensure our investments are scalable, sustainable and aligned to our overall enterprise architecture.

“Every dollar has to count, so we focus on capabilities that reduce risk across the board, not just point solutions.”

The county also makes sure to emphasise strong governance and accountability, viewing its cybersecurity programme as an integral part of the county’s overall risk management strategy. 

“By embedding cybersecurity into procurement, budgeting and executive planning, we ensure that protection is baked into how we operate, not bolted on after the fact,” Michael explains. “Collaboration is another key lever. We actively engage with regional and national partners, tap into threat intelligence sharing and participate in joint planning and exercises. That kind of coordination amplifies our internal efforts and gives us a clearer picture of what’s coming over the horizon.”

To set itself apart, Fairfax County has also built a culture of ownership, meaning that cybersecurity is a shared leadership responsibility rather than one left just to the CISO.

“We hold the entire organisation accountable, no executive exceptions, no silos and no disconnect between policy and practice,” Michael says. “When leadership models the right behaviour, the organisation follows.

“Doing more with less isn’t easy but with clarity, collaboration and leadership will, it’s possible. Fairfax is proof of that.”

It can be a challenge to balance the technical complexities of cyber defence with the need to communicate risks and protections to both county leadership and residents in an accessible way. In order to achieve these things, Fairfax County prioritises translation and trust.

Michael says: “As the CISO of Fairfax County, I focus on building shared understanding with both county leadership and the public. When it comes to executive leadership, I translate risk in terms that align with their priorities: operational continuity, financial impact, service delivery and public trust. Connecting security decisions to mission outcomes is what drives investment and accountability.

“For residents, it’s about transparency without fear. We don’t overwhelm people with jargon, but we also don’t sugarcoat reality. We explain what steps we’re taking to protect their data, how they can protect themselves and why cybersecurity is part of good governance.”

He highlights that this balance is possible because of strong leadership support within Fairfax itself.

“The Department of Information Technology works hand in hand with county executives and agency partners,” he says. “We’re building a culture where cybersecurity isn’t a tech issue, it’s a community value.”

Building connections for greater resilience

Fairfax County holds a number of partnerships that are essential to improving its cybersecurity posture. 

For instance, its alliance with cybersecurity leader Arctic Wolf means that it can reap the benefits of AI-driven technology to enhance its security measures. The company’s expertise and commitment to customer success have supported Fairfax County’s ongoing efforts to maintain a resilient cybersecurity framework.

“Fairfax County’s partnership with Arctic Wolf is a recent but promising development and, while we don’t currently utilise their Managed Detection and Response (MDR) platform, we’ve adopted their endpoint protection solution, Aurora, which was formerly known as Cylance,” Michael says. “Aurora’s ability to proactively prevent threats before they execute aligns perfectly with our goal of staying ahead of emerging cyber risks. 

“The transition from Cylance to Aurora has been seamless, thanks to Arctic Wolf’s genuine, professional and supportive approach during this period of change. Their team has been highly engaged, ensuring that we’re fully equipped to maximise the capabilities of the platform.

“We’re genuinely excited about this partnership and confident that Aurora will continue to strengthen our defences against modern cyber threats.”

Likewise, the county is leveraging the software company Splunk for its security information and event management (SIEM) capabilities to gain greater visibility across its IT infrastructure. Splunk has supported this by aggregating and analysing large volumes of data from various sources, which has helped Fairfax to detect suspicious activities and potential security incidents in real time.

“The advanced analytics and customisable dashboards allow us to quickly identify patterns and take proactive measures to mitigate risks,” Michael says. “This level of visibility not only enhances our security operations, but also supports compliance with regulatory requirements – ultimately strengthening our overall security posture.”

Another powerful partner for the county is Lookout, which offers support for mobile security. Michael explains that, in a county government environment, all staff need secure access to sensitive data across multiple locations and devices.

“This is a critical component of our security strategy,” he notes. “Our collaboration with Lookout as a mobile security partner has been pivotal in addressing this challenge. Lookout provides comprehensive mobile threat defence, safeguarding our devices from a wide range of threats including malware, phishing and network attacks.”

Lookout’s solution integrates with Fairfax County’s existing infrastructure and offers real-time threat intelligence and protection without compromising on user experience.

Michael says: “This ensures that our employees can work securely and efficiently, no matter where they are.”

Creating a stronger blueprint at county government level

Looking ahead, a range of critical cybersecurity challenges could face county governments, particularly as threat actors become more sophisticated.

For Michael, county governments sit at “the intersection of critical infrastructure, constituent services and limited resources”. He says this makes “our cybersecurity challenge unique and urgent”.

One such challenge is the continued surge of ransomware and supply chain attacks.

“Local governments often rely on interconnected systems, shared platforms and third-party vendors to deliver services, from courts and health systems to public safety and that interconnectedness can become a liability if not managed with rigour,” Michael explains.

“Equally important is the growing gap in cybersecurity talent. While threats are escalating, the competition for experienced cyber professionals is intense and local governments often can’t match the private sector on salary. That puts even more emphasis on retention, culture and leadership development.”

Another challenge Michael cites is the misalignment between risk and authority. He argues that often, CISOs are tasked with defending their enterprise, but don’t actually have the executive authority or financial backing to make decisions that match risk level.

“That’s something I’ve worked hard to change in Fairfax, because cybersecurity must be treated as a leadership issue, not just a technical one,” he explains.

“Emerging technologies like Gen AI also introduce both promise and peril. These tools can enhance efficiency and threat detection, but only if implemented with strong data governance, ethical oversight and clear boundaries. 

“That’s why Fairfax has been proactive in developing policy guidance and guardrails for AI use, rather than waiting for mandates to catch up.”

In order to better position itself to tackle these issues, Fairfax County has built its cybersecurity programme around resilience, adaptability and leadership accountability. This is the foundation that Michael says ensures the county keeps ahead of emerging threats.

“We’ve moved from a reactive mindset to a risk-driven, enterprise-wide approach,” he explains. “Our programme is embedded in county operations, from procurement and budgeting to continuity planning, so cybersecurity isn’t an afterthought; it’s part of how we do business. We use data-driven insights and continuous assessments to inform priorities, rather than chasing headlines.”

The county is also prioritising Zero Trust cybersecurity principles in a way that is scalable and sustainable for the public sector.

“We know we can’t do everything at once, so we prioritise core capabilities – identity, access, resilience and visibility – which have broad impact across our ecosystem,” Michael says. “We’ve also built a cross-agency, collaborative environment that makes cybersecurity everyone’s job, not just the security team’s. That’s allowed us to lead regional efforts, influence national policy discussions and share what works with peers across the country.”

He adds: “We’re embracing innovation responsibly. We’re focused on building a future-ready programme that supports digital transformation while keeping our residents safe, informed and confident in their local government.”
