2018 Deloitte-NASCIO Cybersecurity Study: Top Challenges Persist Since 2010, Calls for Bold Changes

Funding, talent and increase of threats continue as top issues impacting states’ cybersecurity risk, “Now is the time to disrupt the status quo” says report

SAN DIEGO, Calif., Tuesday, October 23 — Even as state government Chief Information Security Officers (CISOs) have increased their access to and communications with top leaders, the top three issues impacting states’ cybersecurity remain the same from past surveys – budget, talent and increasing cyber threats. These findings from the “2018 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study” are a call for bold action to disrupt the status quo, according to the report authors.

“We’ve been surveying state CISOs every other year since 2010 and these top three issues have not changed,” said Bo Reese, NASCIO president and chief information officer (CIO), state of Oklahoma. “The reality is that the magnitude of threats is rarely matched in attention and funding in state government. Simply put, the time is now to be bold in state cybersecurity.”

“While CISOs and CIOs have done a tremendous job over the years developing much needed governance plans and building relationships with state leaders, the funding and talent needed to fully address cyber risk is not there,” said Srini Subramanian, principal, Deloitte & Touche LLP, and state and local government risk advisory leader. “The three bold plays outlined in this year’s report provide state CISOs and CIOs additional ideas on ways to get more funding and overcome cybersecurity talent challenge.”

The three bold steps state CISOs can take to overcome persistent challenges:

1)    Advocate for dedicated cybersecurity program funding.

Nearly half of all US states do not have a dedicated cybersecurity budget and data from this year’s survey shows slower cybersecurity budget growth compared to 2016. In fact, most states still spend less than 3 percent of their information technology budget on cybersecurity.

Additionally, CISOs can also push for funding from federal agencies to implement the federal security requirements and controls. For example, state health and human services (HHS) agencies were able to secure funding from Centers for Medicare and Medicaid Services (CMS) to establish CMS’s suggested Minimum Acceptable Risk Safeguards.

2)    Be an enabler of innovation, not a barrier.

In this year’s survey, emerging technology initiatives in areas such as artificial intelligence, smart enterprises (smart cities), and blockchain technology rank at the bottom of the CISO initiative list, indicating that they may not yet be a priority for CISOs. To take on emerging technologies, CISOs should actively participate with state CIOs in shaping the innovation agenda, collaborate with state digital and innovation officers and lead the charge to help program leaders embrace and securely adopt new technologies.

3)    Team with the private sector and higher education.

This year’s survey results show that states’ cybersecurity teams remain small with an increase in the talent gap. More than half of CISOs have 15 or less full-time-equivalent employees.

To address the talent gap, CISOs can: increase their use of teaming with private sector with services level for select cybersecurity functions; form partnerships with local colleges and universities; and establish a network among state and local agencies, academia; and companies to share threat information, capabilities and contracts.

In addition to the top-three concerns outlined by CISOs, there are a number of emerging trends getting CISOs’ attention, including: election security, cloud and outsourced data center security.

Other noteworthy trends in this year’s report include:

  • One-fifth of state respondents say they report monthly to the governor, and a third report monthly to the state secretary or deputy secretary. Monthly reporting to business stakeholders has also increased to 25 percent in 2018 from 10 percent in 2016.
  • Forty states now have documented and approved governance plans (up from 29 in 2016).
  • Sixty-one percent of respondents indicate that their cybersecurity staff has gaps in competencies; 94 percent of states indicate that salary is the biggest barrier to attract and retain cybersecurity talent.
  • Awareness training for state employees and contractors is now an established practice in 94 percent of states, compared to 84 percent in 2016.

To read the full study visit, www.nascio.org/stateofcyber.

About the survey

This survey is based on responses from US state enterprise-level CISOs with additional input from agency CISOs and security staff members within state governments.

CISO participants answered 56 questions designed to characterize the enterprise-level strategy, governance and operation of security programs. Representatives from all 50 states responded to this year’s survey. The report was produced by Deloitte’s Center for Government Insights and NASCIO.