A new survey of state chief information and security officers finds them better prepared to protect their networks from cyberattacks than four years earlier, but still worried about limited staff and resources (Bill Hinton/Getty Images).
Many state chief information and security officers say they don’t have the budget, resources, staff or expertise to feel fully confident in their ability to guard their government networks against cyber attacks, according to a new Deloitte & Touche survey of officials in all 50 states and D.C.
“The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself,” said Srini Subramanian, principal of Deloitte & Touche LLP and the company’s global government and public services consulting leader. “And CISOs have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.”
The biennial cybersecurity report, released today, outlined where new threats are coming from, and what vulnerabilities these teams have.
Governments are relying more on servers to store information, or transmit it through the Internet of Things, or connected sensor devices. Infrastructure for systems like transit and power is also heavily reliant on technology, and all of the connected online systems create more opportunities for attack.
The emergence of AI is also creating new ways for bad actors to exploit vulnerabilities, as it makes phishing scams and audio and visual deep fakes easier.
Deloitte found encouraging data that showed the role of state chief information and security officer has been prioritized in every state’s government tech team, and that statutes and legislation have been introduced in some states which give CISOs more authority.
In recent years, CISOs have taken on the vast majority of security management and operations, strategy, governance, risk management and incident response for their state, the report said.
But despite the growing weight on these roles, some of the CISOs surveyed said they do not have the resources needed to feel confident in their team’s ability to handle old and new cybersecurity threats.
Nearly 40% said they don’t have enough funds for projects that comply with regulatory or legal requirements, and nearly half said they don’t know what percent of their state’s IT budget is for cybersecurity.
Talent was another issue, with about half of CISOs saying they lacked cybersecurity staffing, and 31% saying there was an “inadequate availability” of professionals to complete these jobs. The survey does show that CISOs reported better staff competencies in 2024 compared to 2020, though.
Staffing of CISOs themselves, due to burnout, has been an increasing issue since the pandemic, the report found. Since the 2022 survey, Deloitte noted that nearly half of all states have had turnover in their chief security officers, and the median tenure is now 23 months, down from 30 months in the last survey.
When it came to generative AI, CISOs seemed to see both the opportunities and risks. Respondents listed generative AI as one of the newest threats to cybersecurity, with 71% saying they believe it poses a “high” threat; 41% of respondents said they don’t have confidence in their team to be able to handle them.
While they believe AI is a threat, many teams also reported using the technology to improve their security operations. Twenty one states are already using some form of AI, and 22 states will likely begin using it in the next year. As with with state legislation around AI, it’s being looked at on a case-by-case basis.
One CISO said in the report their team is “in discovery phase with an executive order to study the impact of gen AI on security in our state” while another said they have “established a committee that is reviewing use cases, policies, procedures, and best practices for gen AI.”
CISOs face these budgetary and talent restrictions while they aim to take on new threats and secure aging technology systems that leave them vulnerable.
The report laid out some tactics tech departments could use to navigate these challenges, including leaning on government partners, working creatively to boost budgets, diversifying their talent pipeline, continuing the AI policy conversations and promoting the CISOs role in digital transformation of government operations.