A Field Guide for Small City Managers
CyberReady
A practical, pocket-sized cybersecurity handbook for city managers of towns under 50,000. Under 100 pages. No jargon. No technical background required.
~100
Pages
10
Chapters
26
Templates & Checklists
5
NIST Functions Covered
Who This Book Is For
Written for the city manager,
not the IT department
Most cybersecurity books assume you have a technical background, a security team, or both. This one assumes you have a town to run and 15 minutes to spare.
🏛
City Managers
Running a town under 50,000 and responsible for everything from budgets to building permits. Cybersecurity just landed on your desk.
👥
Small IT Teams
You have an IT person, maybe two. They keep the systems running, but nobody has “security” in their job title.
🛡
Elected Officials
Mayors, council members, and department heads who need to understand the risk, approve the budget, and ask the right questions.
The Problem
Small-city ransomware can knock water billing offline for weeks with six-figure recovery costs. A single phishing email can redirect payroll to an attacker’s account. A records breach exposes resident PII and triggers lawsuits. These aren’t hypotheticals. They happened to cities just like yours.
Framework
Anchored to the NIST Cybersecurity Framework
Every chapter maps to one of the five NIST functions. You don’t need to memorize the framework — just know it’s the backbone organizing every recommendation in this book.
🔎
Identify
Ch 2, 5, 8
🛡
Protect
Ch 3, 4, 5
👁
Detect
Ch 6
⚠️
Respond
Ch 7
🔄
Recover
Ch 7
Table of Contents
10 chapters. Real-world structure.
Organized around your daily reality, not a textbook outline. Each chapter gives you what to know, what to do, and the tools to do it.
01
This Is Your Problem Now
NIST: All 5 Functions
Three real municipal attacks. What’s at stake. The NIST framework in 60 seconds.
02
Map Your Territory
NIST: Identify
Hardware and software inventory. Network mapping. Identifying your crown jewels.
03
Stop the Click
NIST: Protect
Phishing. Social engineering. AI-powered attacks. Building a security culture.
04
Lock the Doors
NIST: Protect
MFA. Passwords. Patching. Access control. The technical basics that stop most attacks.
05
Guard Your Data
NIST: Identify + Protect
Data classification. The 3-2-1 backup rule. Encryption. Disposal.
06
Spot Trouble Early
NIST: Detect
Warning signs. Log basics. Free monitoring. The weekly smoke check.
07
When Things Go Wrong
NIST: Respond + Recover
The first 60 minutes. Who to call. What not to do. Recovery and after-action review.
08
Vendors, Contractors & the Cloud
NIST: Identify
Your vendor’s problem is your problem. Screening questions. Managing shared access.
09
Cyber Insurance & Budgeting
Cross-cutting
Shopping for a policy. Three tiers of investment. Framing it for city council.
10
When to Hire a Professional
Cross-cutting
Signs you’ve outgrown this book. Hiring models. Red flags. Evaluation scorecard.
What’s Inside
Not just chapters — tools you’ll actually use
Every chapter includes ready-to-use templates, checklists, and decision aids. Photocopy them. Pin them to the wall. Hand them to your IT person.
8
Checklists
Step-by-step action items. Asset inventory, hardening, backups, incident response, and more.
12
Templates
Fill-in-the-blank reference docs. Risk grids, response plans, budget proposals, vendor logs.
2
Decision Trees
Branching guides for real decisions: personal devices on the network, what type of help to hire.
4
Quick Checks
Pass/fail criteria: is this system critical? Is this an incident? Escalation signal lists.
The 15-Minute Quick Start
Get an immediate picture of where you stand
You don’t have to read the whole book today. Three actions give you situational awareness right now.
1
Take the Self-Assessment
One page of yes/no questions covering all ten chapter topics. Count your “no” answers — more nos means higher priority.
5 minutes
2
Run the Smoke Check
A 15-minute weekly routine: check admin accounts, review login failures, scan for new devices, verify backups ran.
5 minutes to learn
3
Review the Pocket Card
The Incident Response Pocket Card tells you exactly what to do if something goes wrong today. Laminate it. Put it by the phone.
5 minutes
Then What?
Your self-assessment scores point to your highest-priority chapter. Go there next, or start from Chapter 1 and work through sequentially. Either approach works. The important thing is to start.
“
You don’t skip building insurance because you’ve never had a fire. Cybersecurity is the same — the question isn’t whether it will happen, but whether you’ll be ready.
— From Chapter 9: Cyber Insurance & Budgeting
Your city’s security starts with
one decision — yours.
Under 100 pages. No jargon. No technical background required. Anchored to the NIST Cybersecurity Framework.