Third-party breaches and AI dominate state CISOs’ threat concerns

State CISOs face evolving challenges in 2024: The latest Deloitte-NASCIO Cybersecurity Study reveals that state Chief Information Security Officers (CISOs) are grappling with expanding responsibilities and emerging threats while contending with persistent workforce and funding issues.

• The average tenure of state CISOs has decreased from 2.5 years in 2022 to 1.9 years in 2024, with hiring for these positions often taking six months or more.
• Many CISOs now oversee privacy responsibilities, with 86% of states having CISOs handle privacy matters, up from 60% in 2022.
• The top cybersecurity threats identified by CISOs include security breaches involving third parties, AI-enabled attacks, and foreign state-sponsored espionage.

AI presents both challenges and opportunities: While CISOs express concern about AI-assisted cyber attacks, they also see potential in leveraging generative AI for their own security efforts.

• 71% of CISOs consider AI-assisted attacks a “very” or “somewhat” high threat.
• 41% of CISOs are currently using generative AI in their security work, with an additional 43% planning to implement it within the next 12 months.
• Most CISOs are involved in developing their state’s generative AI strategy and policy, although greater involvement in the procurement process is desired to ensure security is adequately addressed and funded.

Workforce challenges persist: Recruitment and retention of cybersecurity talent remain significant hurdles for state governments.

• Limited hiring budgets and lengthy hiring timelines continue to impede recruitment efforts, particularly for mid- and high-level positions.
• Only 47% of CISOs believe their workforce possesses all the necessary competencies.
• States are exploring various strategies to address workforce gaps, including succession planning, internship programs, and promoting movement between public and private sectors.

Reliance on third-party support grows: Many state CISOs are turning to outsourced services to supplement their in-house capabilities.

• 76% of CISOs use outsourced security operations centers with 24/7 monitoring.
• However, about a quarter of CISOs express low confidence in their business partners’, contractors’, and service providers’ cybersecurity practices.
• CISOs are also concerned about the cybersecurity posture of local governments and higher education institutions.

Budget constraints hamper cybersecurity efforts: With pandemic relief funds dwindling, CISOs are facing renewed financial pressures.

• Only 51% of CISOs report having adequate funding to meet legal and regulatory requirements, down from 58% in 2022.
• Nearly 40% of states lack a dedicated cybersecurity budget line item, instead funding it from the overall IT budget.
• While grant programs like the State and Local Cybersecurity Grant Program offer some assistance, CISOs emphasize the need for sustained, recurring funding to address ongoing cybersecurity threats effectively.

Looking ahead: The need for sustainable solutions: As state CISOs navigate an increasingly complex threat landscape, the call for more robust and consistent support grows louder.

• CISOs advocate for a reliable stream of recurring funding, similar to highway funds, to address the continuous nature of cybersecurity threats.
• Improved succession planning and workforce development strategies are needed to ensure continuity in leadership and skills within state cybersecurity teams.
• Greater collaboration between CISOs, procurement teams, and policymakers could lead to more comprehensive and effective cybersecurity strategies at the state level.