2016 Deloitte-NASCIO Cybersecurity Survey: Cyber Getting Governor Attention; Budget and Talent Challenges Remain

Despite increased executive awareness of cybersecurity, challenges continue

Survey finds a formal strategy, better communications are needed to develop greater command of resources

ORLANDO, Fla., Sept. 20, 2016 — Challenges still exist, but cybersecurity is becoming part of the fabric of government operations, according to the recently-released “2016 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study.” Despite an increase in the governor-level awareness of cybersecurity, the most significant challenge for state chief information security officers (CISOs) in 2016 remains a lack of sufficient funding. Most states’ cybersecurity budgets are hovering between zero and 2 percent of their overall information technology budget.

“There continues to be challenges with proper funding and finding qualified talent, but the good news is that we are seeing positive indications that state CISOs and CIOs are having an impact as communication and collaboration among government is increasing,” said Darryl Ackley, NASCIO president and cabinet secretary and CIO for the New Mexico Department of Information Technology.

“The survey results spell out a clear message for CISOs: State leaders are paying attention. Take advantage of this focus to make substantial progress,” said Srini Subramanian, principal, Deloitte & Touche LLP, and state government cyber risk services leader. “Those CISOs who are able to harness this attention and build stronger relationships with business executives and state legislators have an opportunity to garner more resources and support for their initiatives.”

Subramanian continued, “For the first time, all respondents report having an enterprise-level CISO position. The CISO role itself has become more consistent in terms of functions and responsibilities. CISOs are also focusing their energies more on what they can control.”

Key takeaways from the 2016 survey:

  • Governor-level awareness is on the rise. The survey results indicate that governors and other state officials are receiving more frequent updates from CIOs/CISOs. Despite an increase of reporting, a confidence gap still exists between IT and the business, emphasizing the need for better communication of cyber risks.
  • Cybersecurity is becoming part of the fabric of government operations. The state government CISO role has become more consistent in terms of functions and responsibilities. Top three cybersecurity initiatives in 2016 include training and awareness, monitoring/security operations centers, and strategy.
  • A formal cybersecurity strategy and better communications lead to greater command of resources. States taking a proactive approach to strategy setting and communication are more likely to see improvements in funding and access to talent. Survey shows 16 out of 33 states with an approved strategy reported they had an increase in budget.
  • There is a need to rethink talent strategies. The nature of what states have to offer workers has changed. States are pointing to job stability and the opportunity to “give back and make an impact” as compelling reasons to consider state employment. These — along with a rich training and development — are becoming the basis to recruit millennial talent.

To read the survey, visit www.NASCIO.org/stateofcyber.

About Deloitte

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including 80 percent of the Fortune 500 companies and 47 US states. Our people work across more than 20 industry sectors to deliver measurable and lasting results that help reinforce public trust in our capital markets and inspire clients to make their most challenging business decisions with confidence. Deloitte’s Center for Government Insights produces groundbreaking research to help government solve its most complex problems. Deloitte’s Secure.Vigilant.Resilient.TM cyber risk programs focus on aligning security investments with risk priorities, establishing improved threat awareness and visibility, and strengthening the ability of organizations to thrive in the face of cyber incidents. http://www.deloitte.com/us/state


The National Association of State Chief Information Officers is the premier network and resource for state CIOs and a leading advocate for technology policy at all levels of government. NASCIO represents state chief information officers and information technology executives from the states, territories, and the District of Columbia. For more information about NASCIO visit www.nascio.org.

As used in this document, “Deloitte” means Deloitte & Touche LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


Megan Doern
Public Relations

[email protected]

Lori Rempe
Membership and Communication Coordinator
[email protected]