Growing Cyber Threats Challenge State CISOs Amidst Limited Resources, Latest Report Reveals

As the cyber landscape continues to evolve, state Chief Information Security Officers (CISOs) are increasingly challenged by growing AI-enabled threats while operating with limited resources, according to a new report from Deloitte and NASCIO.

Short Summary:

  • 86% of state CISOs report increased responsibilities, yet over one-third lack a dedicated cybersecurity budget.
  • 71% perceive a high risk of AI-enabled cyber threats; however, 41% doubt their ability to manage such risks effectively.
  • The need for expanded funding and staff training is critical as only 25% of CISOs allocate budget for generative AI security controls.

In the ever-evolving world of cybersecurity, state Chief Information Security Officers (CISOs) are confronting heightened risks linked to artificial intelligence (AI) while struggling with inadequate resources and budgets. The 2024 Deloitte and National Association of State Chief Information Officers (NASCIO) report highlights that a significant majority (86%) of state CISOs have noted a spike in their responsibilities. Alarmingly, over one-third of those surveyed revealed they do not have a dedicated budget for cybersecurity, which is critical to safeguarding their data and systems.

“The ability of government to deliver on its mission depends on data – and on the security of that data,” stated Srini Subramanian, principal at Deloitte & Touche LLP. He placed emphasis on the expanded attack surfaces resulting from state governments’ growing dependency on information, pointing out that the reliance on technology poses more significant challenges for CISOs. Achieving a resilient infrastructure that can fend off the advancements in cyber threats has become imperative.

Although state governments have not allocated cybersecurity resources at the same rate as federal agencies (where cybersecurity budgets usually exceed 10%), the report indicates that many CISOs are turning to innovative measures to enhance their security frameworks. The survey, which included insights from 51 state CISOs, found that the looming threat of AI has left many state leaders apprehensive. Approximately 71% confirmed that the risk associated with AI-enabled threats is high; yet, an alarming 41% expressed a lack of confidence in their teams’ capability to address such issues effectively.

At the heart of these challenges lie aging technological infrastructures, particularly in crucial public sectors such as transportation, water, and power services. With over one-third of the respondents indicating concerns about these legacy systems, the urgency to transition to updated technologies becomes clear. Despite acknowledging these threats posed by AI, the trend shows state CISOs are increasingly leveraging AI tools to bolster their security operations. Around 21 CISOs reported they are currently utilizing generative AI technologies for improving security measures, while another 22 stated they are poised to implement such systems in the next 12 months.

“The good news is many state CISOs have been able to increase employee headcounts, adding specialists to their teams who are focused on cybersecurity-related issues,” remarked Meredith Ward, deputy executive director at NASCIO and co-author of the 2024 report. “In 2020, 16% of CISOs had fewer than five employees dedicated to cybersecurity initiatives. Today, that percentage has dropped to just 4%.”

Each state CISO reported being actively involved in shaping statewide strategy and security policy, with only two exceptions noted in the report. However, the report also reveals that state CISOs are increasingly feeling the pressure, evident in their decreasing tenure—now averaging just 23 months compared to 30 months a few years ago. This reduced duration is indicative of the extensive list of responsibilities that CISOs must now shoulder, encompassing data privacy in critical infrastructure, navigating the integration of generative AI technologies, and orchestrating incident response plans amid rising cyberattack incidents.

In light of their increasing roles and contracting tenures, the report stresses the necessity for states to enhance cybersecurity funding. Greater involvement from these leaders in policy formulation related to data security is critical, as is establishing robust succession plans to avert disruptions in essential IT security projects due to turnover. As CISO Ken Weeks of New Hampshire articulated, “I’m not so sure that most Civil Service systems in the various states even make succession planning possible.”

The shifting landscape is compelling state governments to adapt to new cybersecurity threats, with the issue of “big game hunting”—where cybercriminals target high-value entities for lucrative payouts—gaining traction across the political landscape. The evolving capabilities of generative AI can thwart legacy defenses, escalating the urgency for CISOs to reassess their strategies. Moreover, it amplifies conventional threats such as phishing scams and manipulative deepfake technologies aimed at exploiting sensitive data.

However, amidst these challenges, state CISOs are encouraged by emerging practices allowing for collaboration to build stronger cybersecurity frameworks. Various states have established task forces and specialized offices to define governance for generative AI usage in state operations. Yet, the report highlights that only 25% of CISOs are currently allocating budget for governance related to generative AI security controls.

Understanding the cybersecurity landscape also brings forward the significance of employee training and support in preventing breaches. The report outlines that close to 40% of CISO participants concluded that their cybersecurity practices fail to sufficiently protect government and citizen data. With the average cost of recovering from ransomware attacks skyrocketing to $2.83 million in 2024—doubled from the previous year—states must implement rigorous preparedness measures.

In tandem with internal challenges, CISOs face immense pressure to attract and retain cybersecurity talent. Around half of the respondents in the NASCIO survey noted staffing issues, echoing the broader difficulties public sector organizations face in matching the competitive compensation often offered in the private sector. Creative approaches, including ongoing training and education programs, have become crucial to reinforce the existing workforce’s readiness against cybersecurity threats.

“The attack surface is expanding, with the public sector’s reliance on information becoming increasingly central to the operation of government itself,” the report noted, highlighting how the security of data is integral to fulfilling governmental missions. In conclusion, the growing convergence of technology and the urgency to safeguard data necessitates that state CISOs amplify their efforts significantly, seeking new funding sources while advocating for policy transformations to strengthen their cybersecurity frameworks. Insights from NASCIO provide a clear roadmap for navigating these upcoming challenges, underpinning the need for collaboration, training, and increased budgets as paramount for effective cybersecurity protection.

Looking Ahead

The path forward will require resilience, adaptability, and a proactive stance as CISOs work to build a more fortified cybersecurity landscape. With the continued evolution of threats, leveraging technology and fostering a culture of continuous learning will be crucial in the battle against cyber adversaries.
