This two-part series was written to address questions that elected and appointed officials may have about technology and its impact on their agencies. We are asking and answering tech questions that you might be wrestling with to help you understand your existing systems and make sound decisions.

 

IT Infrastructure and Assessment

 

1. How do we audit what we currently identify as the most significant vulnerabilities or bottlenecks? Are there systems we’re using that are becoming unsupported or risky to keep running?

Conduct a simple inventory first by listing all software, including version numbers and the dates of their last updates. Anything over three years old without recent updates is a red flag. Verify whether vendors continue to provide security patches—unsupported software is a liability waiting to happen. Focus on systems handling sensitive data (payroll, resident records, financial data). Free tools like the Cybersecurity and Infrastructure Security Agency’s Cyber Security Evaluation Tool can identify basic vulnerabilities.

For most towns, your cybersecurity insurance provider will provide basic assessment services. Otherwise, plan on budgeting $5,000 to $10,000 annually for a professional security assessment. The biggest risks are usually:

  • Outdated Windows servers and operating systems (i.e., older versions that Microsoft no longer fully supports, like Windows 10).
  • Unpatched software.
  • Weak password policies.

 

2. Our staff complains that some of our software is slow or crashes frequently. How do we determine whether we need hardware upgrades, software updates, or a complete system replacement?

Start with the simplest fixes: ensure your software is up to date and that your computers have sufficient memory (8GB is the minimum, but 16GB is recommended for today’s software). If problems persist after updates, hardware limitations or software that has outgrown your needs are likely the cause. Rule of thumb: Computers over five years old typically need replacement, especially if they are running modern software. Before making major investments, document specific problems:

  • Crashes when opening large files suggest memory issues.
  • Slow startup might indicate hard drive problems.

Sometimes, a $200 memory upgrade resolves a problem that would otherwise require a $2,000 computer replacement.

 

IT Staffing and Budget Planning

 

3. We typically approve technology spending year by year. Should we consider multi-year technology plans? How do we budget for the ongoing modernization costs in addition to the upfront expenses?

Move to a one- to four-year technology planning cycle that is updated annually. Technology has predictable lifecycles: computers last (at best) three to five years, while major software systems are updated regularly with periodic significant version changes. Annual planning leads to crisis-driven spending and missed opportunities for coordinated improvements. Create separate budget categories for different types of IT spending:

  • Ongoing costs (personnel and contractors, licenses, maintenance, support).
  • Planned replacements (hardware lifecycle).
  • Improvements/new capabilities.

This prevents the feast-or-famine cycle where you spend nothing for three years, then need everything at once. Key planning elements:

  • Hardware replacement schedules: plan to replace desktop/laptop computers every three to five years.
  • Software licensing and subscription costs.
  • Cybersecurity investments: one-time purchases for hardware and software/service subscriptions.
  • Staff training: include training costs in any major system upgrade or implementation—typically 10–15% of the project cost, plus ongoing cyber training of employees.

The biggest mistake is treating technology as a one-time purchase rather than an ongoing operational expense. Most modern systems and services require monthly or annual fees rather than upfront costs—plan for the total cost of ownership, including maintenance, updates, and eventual replacement.

Note: While computer hardware and related software can be financed through capital bonds or leases, an increasing number of costs are becoming operating expenses that are paid through subscriptions.

Consider shared services or developing an IT consortium with neighboring municipalities to spread costs and access expertise you can’t afford individually. Document what you currently spend on tech across all departments–many municipalities are surprised to discover hidden technology costs scattered throughout their budget.

 

4. I work in a small town where a contractor manages our network and security. At what point do we need to consider hiring staff and transitioning to full-time or hybrid roles?

The decision depends more on operational needs than specific dollar thresholds. Consider moving to internal staff when you experience frequent delays due to contractor availability, security incidents that require an immediate response, or daily operational issues that necessitate a local presence. Key indicators for change include:

  • Calling for IT help more than twice per week.
  • Experiencing security vulnerabilities due to delayed updates.
  • Staff productivity is suffering from IT delays.

These suggest you need more responsive, on-site support than contractors typically provide.

A hybrid model may be right for you. Hire one IT generalist internally for routine work while retaining specialized contractors for complex projects, security assessments/management, and after-hours emergency support. This provides you with responsive daily support while maintaining access to expertise that you can’t afford to have on a full-time basis. That person can also be your “tech expert” to advise you on technology decisions. Questions to consider:

  • How long do we wait for the contractor’s response to urgent issues?
  • Are we experiencing downtime that impacts operations?
  • Do we have staff that are comfortable handling basic troubleshooting?
  • Can we afford the full cost of an employee (salary plus benefits, typically 1.25 to 1.4 times base salary)?

Here, too, shared services or partnering with other municipalities to create a regional IT consortium can help by sharing full-time IT staff. That provides professional-level support at a fraction of the cost of hiring an individual. The hidden costs of contractor-only models include lost productivity and increased security risks from delayed responses.

 

New Technologies

 

5. Our staff are starting to use AI tools like generative AI chatbots for work tasks, and vendors are pitching us AI solutions. How should we approach the use of AI in our municipal operations?

Start with a simple AI policy before the technology outpaces you. The key issues are data protection, accuracy, and transparency with residents about AI use. Immediate steps: Create guidelines about what data can and cannot be entered into AI tools. Some public AI chatbots (like ChatGPT and others) retain and learn from inputs, unless your plan (free or paid) makes it clear that it does not. 

For chatbots (e.g., ChatGPT, Copilot, Claude.ai, Gemini, etc.) that retain and learn, ensure that sensitive resident information, legal documents, or confidential data is not uploaded or used as training data for the model. This is a data security issue, not just an AI issue. Low-risk AI applications to consider:

  • Drafting initial versions of routine communications.
  • Summarizing meeting notes.
  • Answering basic questions on your website.
  • Helping with research on policy topics.

These can save staff time without major risks if properly supervised.

Ensure there is always a “human in the loop”—treat chatbot output as “draft” and not a final document or action. If the chatbot provides references or links to sources, validate the links and claims. Feel free to ask for source information when data is presented. “Trust but verify.” AI systems sometimes create false information (“hallucinations”), and catching it before using the output is crucial. High-risk applications to avoid:

  • Letting AI make decisions without human review.
  • Providing legal advice without an attorney reviewing it.
  • Any process where errors could harm residents or create liability (again, actions without a human in the loop).

Knowledgeable staff should regularly review AI output to prevent mistakes.

Vendor evaluation: 

Be skeptical of AI solutions that can’t explain how they work or make decisions. AI can be amazing, but you don’t need to be the first. Many “AI” products are just regular software with AI marketing. Ask potential vendors for specific examples of other municipalities that have used the same system and their results, then check with them directly. Don’t forget to ask about the costs of training the AI system and include the time or funding needed for proper project management.

Transparency policy: 

Decide early whether and how to disclose AI assistance to residents. For example, if AI helps draft responses to public comments, residents should know that a human has reviewed and approved the final response.

The goal is to leverage AI’s efficiency while safeguarding resident data and upholding accountability. Start small, learn from experience, and expand gradually.

 

MARC PFEIFFER, an ICMA Life Member, is a marginally retired New Jersey town administrator and state agency manager. He is currently a senior policy fellow and assistant director at Bloustein Local, a unit of the Center for Urban Policy Research at Rutgers University. (marc.pfeiffer@rutgers.edu)

 

 

 
