The 2024 edition of the biennial cybersecurity report from Deloitte and the National Association of Chief Information Officers (NASCIO) found 86% of state chief information security officers (CISOs) say their responsibilities are growing, yet more than one-third do not have a dedicated cybersecurity budget. Four of the 51 state CISOs surveyed said their state IT budgets allocate less than 1% for cybersecurity.
“The ability of government to deliver on its mission depends on data – and on the security of that data,” said Srini Subramanian, principal, Deloitte & Touche LLP and Deloitte’s global government and public services consulting leader. “The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself, and CISOs have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.”
Despite the growing importance of cybersecurity, many state CISOs indicated resources aren’t keeping pace with the growing sophistication of threats. Federal agencies generally earmark more than 10% of their IT budgets for cybersecurity, yet many states have not dedicated resources at the same pace.
The 2024 biennial Deloitte-NASCIO report surveyed state CISOs from all 50 states and the District of Columbia. The emergence of generative artificial intelligence (GenAI) – and its potential benefits and risks – was top of mind for many state technology leaders. Nearly three-quarters of respondents (71%) believe the risk of AI-enabled threats is “high.” However, 41% lack confidence in their team’s ability to handle them.
Legacy systems with outdated technology, particularly in public infrastructure such as transportation, water and power, are specific areas of concern.
While acknowledging the potential threat of AI, state CISOs are increasingly turning to AI and GenAI tools to shore up their cybersecurity capabilities. A total of 21 said they are already using GenAI to improve security operations, while another 22 plan to adopt GenAI within the next 12 months.
“The good news is many state CISOs have been able to increase employee headcounts, adding specialists to their teams who are focused on cybersecurity-related issues,” said Meredith Ward, deputy executive director at NASCIO and a co-author of the 2024 Deloitte-NASCIO report. “In 2020, 16% of CISOs had fewer than five employees dedicated to cybersecurity initiatives. Today, that percentage has dropped to just 4%. In addition to growing their teams, our research found these leaders are determined to find creative solutions to protect their organizations and the public.”
Nearly every state CISO reported they are involved with developing state GenAI strategy and security policy; only two did not.
Cyber threats will continue to evolve in scale and complexity, making collaboration among state CISOs, their stakeholders and government partners more important than ever.
Since 2010, Deloitte and NASCIO have conducted biennial surveys of state CISOs to provide state leaders with an update on the cybersecurity threat landscape, as well as insights to help them protect the public’s data and secure their digital systems.