Public organisations are struggling with the urgent need to increase their cybersecurity, i.e. the protection of information and information systems. The aim of this article is to examine how cybersecurity maturity in local government is improved through internal capacity-building and inter-municipal collaboration (IMC), and how the effectiveness of these strategies depends on the timing of their deployment in the development of organisational capacity. Using a two-wave survey of Swedish municipalities (2019 and 2023), we find that internal capacity-building (operationalised as the time allocated to Chief Information Security Officers, CISOs) and IMC through the Swedish Association of Local Authorities and Regions (SALAR) are associated with improvements in cybersecurity maturity, but collaboration with neighbouring municipalities is not. Moreover, the timing of these factors matters. Internal capacity-building through increasing the time allocated to the CISO is key at an early stage, while IMC through SALAR becomes more important as cybersecurity improves. Our work suggests that the level of maturity of cybersecurity capacity moderates the effect of collaboration on further improvement of cybersecurity, as higher cybersecurity capacity raises the ability to identify the problems at hand, which information from external actors is relevant and how this information should best be applied to meet local needs. • Municipalities struggle to strengthen cybersecurity; this study identify the drivers. • Two successful routes: building internal capacity and intermunicipal collaboration. • When security maturity is low, start by growing in-house capacity. • Collaboration through the national association helps; local pacts do not. • Timing matters: capacity first, collaboration later maximizes security gains.
Boholm et al. (Thu,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: