Cybersecurity Survey of State CISOs Identifies Many Positive Trends

While talent challenges overshadow budgetary concerns, and whole-of-government efforts accelerate

LOUISVILLE, Ky., Oct. 11, 2022 — The National Association of State Chief Information Officers (NASCIO) and Deloitte today released their 2022 Cybersecurity Study, “State Cybersecurity in a Heightened Risk Environment.” The survey captures responses from chief information security officers (CISOs) in all 50 states and three territories about current cybersecurity trends, challenges and opportunities.

The survey found that state CISOs throughout the U.S. gained considerable strength and authority over the past few years, as they rapidly migrated government operations and services to a virtual environment and expedited digital transformations to meet the immediate needs of individuals and families. Due to the dedicated efforts of these CISOs, state agencies were able to continue providing high-quality service to their constituents, despite the challenges imposed by a global pandemic.

Additional highlights from the 2022 Deloitte/NASCIO survey include:

  • Addressing the talent gap: In 2022, the demand for high-skilled workers has grown even more acute for public and private sector employers. In this environment, the lack of cybersecurity professionals and other staff remains among the top five barriers cited by state CISOs.
    • Despite CISOs’ growing responsibilities and the increasing sophistication of both technology and threats, headcounts for state cybersecurity professionals remain about the same as in 2020, and more than 6 in 10 CISOs report gaps in competencies among their staffs.
  • Embracing the entire state: It is an imperative to provide for greater security across the entire state through a tighter collaboration with local governments and state higher education institutions. CISOs made significant progress in enhancing their stature and visibility at the state executive and legislative levels, and they are continuing to get the institutional support and resources they need.
    • All 50 states now have a CISO, and many are establishing new positions for chief privacy officers, chief risk officers and identity program directors.
    • More state legislators are codifying the role of the CISO into state law and funding the position. They are also codifying several cyber initiatives into state law, such as enterprise risk management frameworks, cybersecurity legislative councils and cybersecurity training.
    • More states now require CISOs to provide periodic reports to senior state officials, such as the governor, legislature and agency secretaries.
    • CISOs are looking to establish and activate a shared security services approach to enable a whole-of-state approach to protecting local governments and public higher education institutions.
  • Emerging technologies present new opportunities: In the post-pandemic digital landscape, CISOs have an even more critical role to play in guiding the evaluation and implementation of new technologies.
    • State CISOs confirm that many applications have migrated to the cloud. With remote work, digital and mobile platforms have become part of the fabric of daily life by which people work, communicate and transact.
    • States have taken a big step forward to provide digital identities for citizen services. Capabilities, such as cloud computing, artificial intelligence and robotic process automation, enable states to further enhance digital modernization in service of their missions and constituents.

“State CISOs played critical roles helping the country successfully navigate the twists and turns of the pandemic, and this year’s survey identifies the steps needed to grow this increasingly public role and meet the current and future challenges faced by state agencies,” said Meredith Ward, director of policy and research at NASCIO and a co-author of the 2022 Deloitte-NASCIO Cybersecurity Study. “We’re proud to again bring the perspectives of state CISOs to the forefront of conversations around cybersecurity.”

“The complexity of cyber challenges that the state CISOs tackle is increasing with the need to take a whole-of-state approach involving multiple jurisdictions and stakeholders,” said Srini Subramanian, principal, Deloitte & Touche LLP, and Deloitte’s global risk advisory leader for government and public services. “To address these challenges, state CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next-generation of highly capable cyber talent.”

Additional takeaways from the 2022 Deloitte-NASCIO survey include:

  • Thirty states increased their cybersecurity budgets from 2021 to 2022. And for the first time, CISOs report that a handful of states are allocating more than 10% of their IT budgets to cybersecurity, in alignment with federal government levels. However, most states still only allocate between 2% and 10% of their budgets to cybersecurity efforts.
  • Many state CISOs identified the drafting and implementation of the Zero Trust framework as a key initiative.
  • CISOs say that malware, ransomware and phishing attempts continue to present security challenges. Concern among CISOs about foreign state-sponsored espionage has also risen significantly, while the perceived threat from third parties and social engineering has declined.
  • CISOs found that the three leading causes of cyber incidents remain web applications, malicious code and financial fraud. However, CISOs note a rise in cyber incidents involving foreign state-sponsored espionage, zero-day attacks and attacks against cloud platforms.
  • Nearly one-third of state CISOs say that state agencies manage cyber incidents on their own, rather than working with a central state IT security group.
  • CISOs are increasingly contracting cybersecurity professionals and states are demonstrating more interest in outsourcing specific cybersecurity functions to managed service providers. In fact, more than half of CISOs report outsourcing security operations center tasks, which require 24×7 monitoring, and more than 60% of CISOs report having confidence in the cybersecurity services of third-party vendors.
  • State CISOs are starting to incorporate diversity, equity and inclusion (DEI) practices, such as designating a DEI leadership position or teams to foster a culture of inclusion. However, many CISOs say they do not know if they have such practices in place.

NASCIO Contact

Meredith Ward
Director of Policy and Research
National Association of State Chief Information Officers
[email protected]