Memorial Day Security Heroes: Honoring Cyber Defense Work

Memorial Day in the United States is about the people who died in service to the country. That is the first thing to acknowledge and not blur. But there is a related category of public service that rarely gets public recognition, and that I want to spend a few paragraphs honoring: the people who quietly defend the digital infrastructure that the rest of the country depends on.

These are not soldiers, and I am not going to pretend the comparison is one-to-one. The work is different, the stakes are different, and the sacrifices are different. But the work is consequential, it is unglamorous, and it is done overwhelmingly by people nobody will ever read about. After two decades of working alongside public sector IT organizations — school districts, county governments, state health agencies, and the contractors who support defense and intelligence work — I have formed a specific appreciation for what this work actually looks like on a Tuesday afternoon. It is worth describing honestly, because the people doing it rarely describe it themselves.

What public sector cyber defense actually is

The popular image of cybersecurity work involves dark rooms, green terminals, and dramatic countdowns. The reality in a county IT office is a lot more like this: a woman in her forties with two kids and a state pension, running vulnerability scans against the assessor's office web application because the federal grant money came in and she has thirty days to document compliance with a new CISA directive. She will not be in a movie. She is the front line.

Public sector cyber defense is mostly patch management, configuration hardening, log review, and user training — done under budget constraints that would make a Fortune 500 security team laugh, and against adversaries who include nation-state actors. Ransomware groups have been explicit about targeting municipal governments because the pressure to restore services is enormous, the budgets for modern defenses are small, and the political pain of a prolonged outage makes payment more likely. The people defending these environments are doing it with a fraction of the resources and against a share of the attention that the private sector brings to bear for far less critical systems.

The K-12 cybersecurity landscape is a particularly stark example. School districts hold sensitive student data, rely on learning platforms during school hours, and usually have a total IT staff that can be counted on one hand for an entire district. The person responsible for the security of 15,000 students' records is frequently also the person who rebuilds classroom projectors when they break. Somehow, largely, it works. That it works is a quiet kind of heroism, and it is mostly invisible.

The defense industrial base

Then there is the work that actually does touch national defense — the contractors and internal government teams who maintain the classified and controlled-unclassified networks that the military and intelligence communities depend on. I am not going to pretend to speak to the inside of SCIFs I have never been in. But I will say this: the work is done under compliance regimes (CMMC, FedRAMP High, various flavors of STIG) that are not designed to be friendly to the people implementing them, and the people who do it well tend to be unusually patient, unusually careful, and unusually willing to accept that the public face of their career is going to be "works in IT."

The same is true of the people who maintain the unclassified government systems that hold VA records, Social Security data, Medicare enrollment, passport applications, and the many other systems that touch every American's life. When those systems work, nobody notices. When they fail, it is a catastrophe for the people who depend on them. The defense of those systems is not glamorous and it is not celebrated, and I want to note that the absence of celebration is itself a form of success. The day we start hearing about these systems by name is usually the day something bad happened.

What the work costs the people doing it

I want to be honest about the costs, because romanticizing the work doesn't honor it — naming the cost does.

The cost of public sector cybersecurity work is first and foremost financial. Public sector salaries lag private sector salaries significantly, and the gap has gotten worse as private sector security salaries have climbed. The people who stay in the public sector are, with few exceptions, staying for reasons other than money — mission, stability, geography, or genuine belief in the work. That is a form of service even if the word makes some people uncomfortable.

The second cost is psychological. Defenders only get the bad days. When the attack is prevented, the reward is that nothing happened and nobody noticed. When the attack succeeds, the reward is the phone call from a reporter, an emergency board meeting, and months of remediation. That asymmetric feedback loop is hard on people over the long term. I know defenders who left the field not because they weren't good at it but because they couldn't keep absorbing the emotional weight of being the only thing standing between a determined adversary and a pile of citizen data.

The third cost is career. Cybersecurity work done in the public sector is harder to market in ways that translate to raises, and the compliance-heavy nature of public sector work can narrow someone's skills in ways that make transitioning out later more difficult. The people who stay are aware of this trade-off. Most of them made it with eyes open.

What recognition would actually look like

I do not think what public sector defenders need is a parade, and frankly I suspect most of them would find a parade uncomfortable. What they need is different.

They need funding that matches the threat environment. The federal State and Local Cybersecurity Grant Program is a start but it is nowhere near enough, and it is structured in ways that disadvantage the smallest jurisdictions — the ones most likely to be successfully attacked. Redirecting meaningful money to county and municipal cybersecurity would do more for national resilience than most of what gets called "infrastructure investment."

They need cover. When something goes wrong, the first reflex of elected officials is to look for someone to blame. The person who patched a hundred systems that didn't get attacked doesn't get credit for the hundred, but does get blamed for the one that slipped through. Healthy organizations defend their defenders publicly. This matters more than most non-technical leaders realize.

They need vendors who stop treating them like second-class customers. Public sector pricing is often worse than enterprise pricing, support response is slower, and the security tooling is often a version behind. That is a choice the industry makes, and it could be a different choice.

And they need, when we can offer it, quiet acknowledgment from the people who know what they do. Not a ceremony. Not a speech. Just an email from someone who understands the work saying "I know what you're doing and it matters." That goes a surprisingly long way when the rest of the world is not paying attention.

Honoring the work

Memorial Day is about remembering. This piece is not trying to borrow that meaning. But the spirit of paying attention to people whose contribution is usually invisible feels like the right frame for also paying attention to the defenders whose careers will never be mentioned in a newspaper. The quiet work of keeping the infrastructure of a democracy running — a school district's records, a county's emergency dispatch, a state agency's health system — is worth noticing.

If you know one of these people, tell them you see the work. That's the whole gesture. It's small. It's free. And it is more meaningful than most of what passes for recognition in this industry.