Meet Our Team: Q&A With Cybersecurity Loss Control Consultant Christian Torkelson
Cybersecurity has become one of the most pressing challenges for cities, where limited budgets and resources often collide with increasingly sophisticated threats. At the League of Minnesota Cities Insurance Trust, Cybersecurity Loss Control Consultant Christian Torkelson helps local governments navigate this complex landscape.
With a unique background as both a former city council member and an IT professional specializing in cybersecurity, Torkelson brings practical experience and a deep appreciation for public service to his work with Minnesota cities. In this Q&A, he shares insights on his professional journey, the most common risks facing cities today, and strategies that can help local governments strengthen their defenses.
Please describe your professional journey and what inspired you to focus on cybersecurity, especially within local government.
In one half of my life, I have been dedicated to public service, and I had the opportunity to serve as a city council member for my own city, Little Canada, where I did two terms. The other half is my professional work life where I have been involved in IT and cybersecurity since 2008.
I started in IT as a self-taught kid with a passion for technology. I started working in IT prior to earning any sort of degree in the field and got my start working at the helpdesk level, helping folks with everyday computer problems. As my skills and expertise grew, I developed a specialization in cybersecurity.
How did your previous role as a council member shape your approach as a cybersecurity consultant?
I think that experience gives me a few key insights. First is how a city government operates. I think that’s not obvious to a lot of folks who are in private sector cybersecurity. Having a better understanding of the needs and the types of problems that local governments struggle with makes it possible to better tailor my advice to cities on the cybersecurity front.
Second, I think it helps to be ideologically aligned in the sense that public service is important to me, because every day I’m working with folks who also have a core value of public service.
Lastly, I think the thing that’s central to my flavor of supporting cities is a sense of developed concern for the taxpayer and an appreciation for the resource constraints cities struggle with. As a former city council member, making the decision to appropriate funds and collect it from residents hit me harder once I was in a position to vote on those things. Knowing we need to collect tax dollars to pay for services or technology is one thing, but when you are in the position of actually voting for it and you know that you’re collecting money from the elderly neighbor down the street who’s on a fixed income, I think that hits you a little different than from the outside looking in.
There are a lot of good options for cybersecurity tools and technology that cities could buy or implement. But sometimes they’re not the right fit for a city that doesn’t have built-in IT expertise or in-house support. Helping them navigate the conversation of “What can I afford” versus “What do I really need?” and “What do I have the capability of using?” is a central part of the conversation that I bring to the table. This pattern of thinking has carried on into my professional expertise as a loss control consultant, because I don’t want to tell a city to spend their way out of a problem.
I think that’s helpful advice, you can’t spend your way out of a cybersecurity problem.
There are a lot of great products out in the technology and IT and cybersecurity landscape, but it’s a lot like how it wouldn’t make sense to go buy a Ferrari and give it to a new driver who just got their license. You know it might be the best car; it might be the fastest, the sleekest, the best performing option, but that doesn’t mean it’s the right option for you. I want to help cities find that sweet spot and figure out what is going to work for them and what they can leverage and take advantage of.
What types of cybersecurity support and guidance do you typically provide our members?
As we have already covered, I can help people decide what they might need to invest in, and what they don’t need to invest in.
Beyond that, I think what I most like to do is to provide training for city staff on cybersecurity topics. I can provide generalized cybersecurity awareness training, or we can do specialized topics on request.
Another popular service is guidance and support for incident planning, which cities can use to create business continuity, disaster recovery, or incident response plans. Pre-planning for a cybersecurity incident is critically important. We want them to take our templates, use them, or modify them to suit their organization.
How often are you out in the field visiting cities?
I vastly prefer in-person meetings over remote meetings. I feel like getting a face-to-face relationship with someone really helps. Cybersecurity can be intimidating and stressful for people. When I’m there in person, I think people feel calmer, more at ease. Meeting in person allows me to figure out who it is I’m working with and what their needs are. When you have that type of in-person connection, it really eases future interactions and makes members more likely to reach out and say, ‘Hey, I remember meeting Christian at my city hall. I can reach out to him again.’
I try to get out to visit cities at least three times a week. One struggle is getting cities to commit time to meet on this topic. Staff at cities are extraordinarily busy, and finding time to dig into this very deep topic is a challenge. I think it can sometimes be easier to put it off, especially if the city has not yet experienced a cyber incident.
What are the most frequent cybersecurity issues or concerns affecting Minnesota Cities?
I’ve done a lot of analysis of our insurance claims data and can break down most things into three common types of cybersecurity incidents.
The first is what I like to call business e-mail compromise – essentially, when their e-mail account gets hacked.
Second, wire fraud or fraudulent instruction, which is where city staff are convinced to change payment information from the legitimate recipient to the accounts of the threat actor.
The third type of incident we see is ransomware. That’s where malicious software gets installed on a city computer and encrypts all the data that it can access, ultimately demanding payment to restore it.

How do incident planning templates help cities prepare for cyber incidents?
I think the first part of incident preparation and planning templates is just thinking through what public services and business functions your city offers. Some services are more consequential than others – or at least more urgent from a timeliness perspective than others. Most cities don’t have the time to create response plans for every possible service and scenario. Instead, they should consolidate that effort into the critical services and functions that they offer.
Then we get into a deeper level of analysis about what data the city has, where it exists, and what technology systems they have. All of this is important information to have in advance, because when you get to a cybersecurity incident, you will need to answer these questions on the fly.
I often ask city staff, “Would you rather find out those answers now when you get the benefit of pre-planning? Or do you want to have to do it during the pressure cooker of a cyber incident when you are under pressure, stressed, and paying an expert consultant $500 or more per hour to help you do this work?”
From my perspective, the analysis that these templates ask you to do upfront really results in time savings and clarity when you ultimately find yourself in a cybersecurity incident.
What role do interactive elements—like scenarios, videos, or knowledge checks—play in helping learners retain cybersecurity best practices?
Research on cybersecurity training and its efficacy is mixed. The industry is still experimenting to find the best methods for training general computer users on technical topics. We see evidence in other fields of study that repetition and practice really matter. That’s why we recommend recurring training and frequent phishing simulation testing.
Members can take advantage of free, in-person training and our free online MemberLearn courses. And I would say, why not do both? We know from a learning perspective that it helps to share the same message in multiple ways, multiple times. If I were a city administrator, I would strive to incorporate both training types.
In your view, what’s the most overlooked policy or security practice that local governments should prioritize?
Cities have a wide spectrum of maturity or development on the cybersecurity front, so it’s hard to recommend a specific, technical control. I think from an administrative perspective, there has been this tendency to over-delegate cybersecurity to IT staff or vendors. This topic is as much about organizational goals and priorities as it is technical systems, software, and computers. Getting management engagement and buy-in really drives downstream enhancements to technical and cybersecurity maturity.
Have you seen an improvement in cities and administrative staff prioritizing cybersecurity in your tenure with the League?
LMC has been active on this topic for much longer than my personal tenure with the League. Greg Van Wormer and Mel Reeder have provided leadership and educational content on this topic to our members for years.
Despite this, I think we still see many of the same problems we did a decade ago. Measuring why this is occurring is hard. Increasing claims could be mostly tied to the growing utilization of technology and the proliferation of digital data in Minnesota Cities, which has greatly expanded in the past decade. In spite of our efforts to educate members, the sheer pace of change within our member base is keeping our claims on an upward trajectory.
But if we look at it through the lens of my own personal experience, I do feel like there seems to be greater awareness. Inquiries and requests for LMC cybersecurity services are increasing. This makes me hopeful that we are moving in the right direction.
More work can always be done. I notice a pattern that when one city has a public cybersecurity incident, that results in an uptick of interest around the topic. I wish that the interest wouldn’t be so cyclical and tied to what we see in the news and instead remain steady and tied to a holistic understanding of cybersecurity risks.
What security strategies have you found most effective in small or resource-constrained cities?
We recently put together a one-pager dedicated to this topic entitled the ABCs of Cybersecurity. This resource is focused on helping small city audiences and city clerks prioritize which technical and administrative controls they should implement. I highly recommend League staff become familiar with some of our high-level recommendations.
How do you advocate for a culture where staff feel safe reporting suspicious emails or transactions even if they’ve made a mistake/fallen for a phishing scheme?
In my trainings we talk about human nature and how it’s easy to inadvertently click on something you shouldn’t or enter your credentials on a page that’s illegitimate. These are problems that affect all of us – even the most seasoned cybersecurity experts, from time to time.
Everyone has the potential of falling victim to these types of scenarios. I think the reality is that it’s not a reflection of your intelligence or competency. It’s really a reflection of how busy you are and how fast you’re trying to get things done.
As for reporting, there are legal, ethical, and career motivations for being diligent on this front. There should be an interest in reporting a cybersecurity incident born out of concern for potential data subjects whose data might be compromised. Furthermore, state laws require cities to report cybersecurity incidents to the state within a defined timeframe.
In my whole career, I have never seen anyone punitively punished for proactively alerting their IT team or leadership of something that occurred – especially if they moved on that report quickly. Where things become challenging and problematic for staff is when they sit on things or they don’t say anything about a cyber incident that occurred. Acting fast on suspicious activity is of critical importance because it can help minimize further compromises of systems or data.

