Insufficient funding, sophisticated threats, and shortage of skilled talent threaten security and put state governments at risk: Deloitte/NASCIO Survey

Survey signals call to CISOs, CIOs and business leaders to collaborate and move forward

Nashville, TN October 1 — Although nearly one-half (48 percent) of all state chief information security officers (CISOs) reported incremental increases to cyber security budgets, insufficient funding remains the leading barrier to battling cyber threats, according to the 2014 Deloitte-National Association of State Chief Information Officers (NASCIO) cybersecurity study, released today.

The third biennial Deloitte-NASCIO survey of CISOs and their equivalents also reveals an increasing sophistication of cyber threats and inadequate availability of cyber security resources as other top barriers to achieving adequate cyber security measures within state governments.

Three-quarters (75 percent) of the respondents cited lack of sufficient funding as their top barrier and 46 percent estimated security budget to be only between 1 and 2 percentage of the overall technology budget. Approximately 6 in 10 (61 percent) CISOs cited an increase in sophistication of threats, up from roughly half (52 percent) in 2012. The number citing a shortage of qualified cybersecurity professionals jumped from 46 percent in 2012 to 59 percent in 2014.

“State CISOs and CIOs are dealing with a myriad of complex issues related to cybersecurity – budget, increasing threat sophistication, talent and stakeholder communication” said Srini Subramanian, principal and leader of Deloitte & Touche LLP’s Risk Services practice to state governments. “The role of the CISO itself has matured and expanded – they are charged to do a lot, with inadequate resources.”

Ironically, another challenge cited in the report is a continued discrepancy in the confidence levels of CISOs and state officials. An accompanying survey of state business officials found that 60 percent had high levels of confidence in states’ ability to protect and defend against external cyber threats. Only one-quarter (25 percent) of state CISOs expressed a similar level of confidence.

“State business leaders need to be better informed regarding the gravity of the situation, and we believe that this gap significantly undermines a CISO’s ability to gain funding and support for cybersecurity programs. Communicating the cybersecurity risks and potential impact to the business and elected state leaders will likely help elevate the issue,” Subramanian noted. “But despite continuing challenges, CISOs are standardizing security practices, launching broad-based awareness campaigns, and looking for ways to attract the right talent to join them in their fight against cyber threats and protecting states’ critical infrastructure.”

Overwhelmingly, 9 in 10 (90 percent) CISOs point to the salary and pay grade structures states offer as one of the most substantial barriers to attracting and retaining skilled cybersecurity professionals. State cybersecurity professionals are also leaving for private sector careers (71 percent) and more than two-thirds (67 percent) cite lack of defined cybersecurity career paths and opportunities at the state-level.

“The survey provides a sobering assessment of continuing challenges of budget, talent and evolving nature of cyber threats,” said Doug Robinson, chair of NASCIO. “A key challenge facing states is how to both focus on the immediate need of securing their ecosystems against imminent threat while maturing their cybersecurity program that covers protection, early detection/containment and ability to bounce back from incidents.”

Key findings of the 2014 Deloitte-NASCIO Cybersecurity Study include:

• Maturing role of the CISO: State CISO role continues to gain legitimacy in authority and reporting relationships. The responsibilities of the position are becoming more consistent across states, yet expanding. CISOs today are responsible for establishing a strategy, execution of that strategy, risk management, communicating effectively with senior executives and business leaders, complying with regulators, and leading the charge against escalating cyber threats using various security technologies.
• Continuing budget-strategy disconnect: The improving economy and states’ growing commitment to cybersecurity have led to an increase – albeit small – in the budgets. CISOs have also been successful at tapping supplemental resources, whether from other state agencies, federal funding, or various agency and business leaders. Nevertheless, budgets are still not sufficient to fully implement effective cybersecurity programs – it continues to be the top barrier for state CISOs. In addition, survey responses show that there may be additional barriers to implementing successful initiatives: namely the lack of well-thought-out and fully vetted cybersecurity strategy and priorities.
• Ongoing cyber battle, regulatory complexity, and the confidence gap: State information system house a wide range of sensitive citizen data, making them especially attractive targets for cyber-attacks. CISOs are concerned about the intensity, volume and complexity of cyber threats that run the gamut from malicious code to zero-day attacks. They need to stay abreast of existing and developing threats to establish and maintain the security of an information environment that now increasingly extends from internal networks to the cloud and mobile devices. State officials however, are more confident than CISOs in the state’s safeguards against external cyber threats.
• Growing talent crisis: The skill sets needed for effective cybersecurity protection and monitoring are in heavy demand across all sectors. Private sector opportunities and salaries are traditionally better that those offered by government. Not surprisingly, state CISOs are struggling to recruit and retain people with the right skills, and they will need to establish career paths and find creative ways to build their cybersecurity teams. Furthermore, as states turn to outsourcing and specialist staff augmentation as a means to bridge their cybersecurity talent gap, it’s imperative for CISOs to manage third-party risks effectively.

For a copy of the full report, “2014 Deloitte-NASCIO Cybersecurity Study,” please visit www.nascio.org/DeloitteNASCIO2014CybersecurityStudy/

About the Survey
Deloitte, in conjunction with NASCIO, conducted an online survey of CISOs and state officials in May of 2014. Survey respondents included CISOs or equivalents responsible for the security oversight of 49 states. Additionally, Deloitte surveyed 186 U.S. state business officials to gain states’ business stakeholder perspectives about how government enterprise views, formulates, implements, and maintains its security programs.

About NASCIO
The National Association of State Chief Information Officers is the premier network and resource for state CIOs and a leading advocate for technology policy at all levels of government. NASCIO represents state chief information officers and information technology executives from the states, territories, and the District of Columbia. The primary state government members are senior officials who have executive level and statewide responsibility for information technology leadership. State officials who are involved in agency level information technology management may participate as state members. Representatives from other public sector and non-profit organizations may also participate as associate members. Private sector firms may join as corporate members and participate in the Corporate Leadership Council. For more information about NASCIO visit www.nascio.org.

About Deloitte’s Cyber Risk Services
Deloitte’s Cyber Risk Services help complex organizations more confidently leverage advanced technologies to achieve their strategic growth, innovation and performance objectives through proactive management of the associated cyber risks. With deep experience across a broad range of industries, Deloitte’s more than 1600 practitioners provide advisory and implementation services, spanning executive and technical functions, to help transform legacy IT security programs into proactive Secure.Vigilant.Resilient. Cyber risk programs that better align security investments with risk priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents.

About Deloitte
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.