Over the past several years, state CISOs throughout the U.S. have grown much stronger and more powerful as they accelerated digital transformations and quickly transitioned government operations and services to a virtual environment. That is the finding of ‘State Cybersecurity in a Heightened Risk Environment,’ a 2022 Cybersecurity Study from Deloitte and the National Association of State Chief Information Officers (NASCIO).
Despite the difficulties brought on by a worldwide epidemic, state agencies were able to go on offering their citizens high-quality service thanks to the committed efforts of these CISOs.
“The complexity of cyber challenges that the U.S. state CISOs tackle is increasing with the need to take a whole-of-state approach involving multiple jurisdictions and stakeholders,” said Srini Subramanian, principal, Deloitte & Touche LLP, and Deloitte’s global risk advisory leader for government and public services. “To address these challenges, state CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next-generation of highly capable cyber talent.”

Emerging technologies provide fresh opportunities for CISOs, according to the Deloitte/NASCIO report. CISOs would have an even more crucial role to play in directing the assessment and adoption of new technologies in the post-pandemic digital environment.
U.S. state CISOs attest to the widespread migration of applications to the cloud. With the rise of remote work, digital and mobile platforms have permeated many aspects of everyday life, including employment, communication, and commerce.
States have made significant progress toward providing digital IDs for citizen services. Capabilities like cloud computing, AI, and robotic process automation allow U.S. states to further advance digital transformation in service of their objectives and citizens.
Other key takeaways from the 2022 Deloitte/NASCIO survey include:
- From 2021 to 2022, thirty states boosted their funding for cybersecurity. For the first time, U.S. state CISOs say that a few states are, in line with federal government levels, investing more than 10% of their IT expenditures on cybersecurity. The majority of states still devote only 2% to 10% of their resources to cybersecurity initiatives.
- The creation and adoption of the Zero Trust framework was cited as a crucial move by several state CISOs.
- Malware, ransomware, and phishing efforts, according to U.S. state CISOs, continue to be security issues. The perceived danger from outside parties and social engineering has decreased, while concern among CISOs about foreign state-sponsored espionage has increased dramatically.
- The three largest contributors to cyber events, according to CISOs, are still harmful code, online apps, and financial fraud. However, CISOs have noticed an increase in cyber events including assaults on cloud platforms, zero-day vulnerabilities, and foreign state-sponsored espionage.
- Nearly one-third of U.S. state CISOs claim that instead of collaborating with a centralized state IT security organization, state agencies handle cyber events on their own.
- U.S. states are showing growing interest in outsourcing particular cybersecurity operations to managed service providers, and CISOs are hiring more cybersecurity experts on a contract basis. In fact, more than half of CISOs say they outsource the security operations center responsibilities that require 24×7 monitoring, and more than 60% of CISOs say they have faith in the cybersecurity services of outside suppliers.
- State CISOs are beginning to implement diversity, equity, and inclusion (DEI) policies, such as creating DEI leadership roles or teams to promote an inclusive culture. Many CISOs, however, claim they are unsure if such procedures are in place.
Tighter Collaboration
A closer partnership between local governments and state higher education institutions is necessary to ensure greater security for the entire state, according to the Deloitte/NASCIO survey report. The status and visibility of CISOs have significantly improved at the state executive and legislative levels, and they are still receiving the institutional support and resources they require.
- CISOs are now employed by all 50 states, and many states are also creating new chief privacy officer, chief risk officer, and identity program director positions.
- More state lawmakers are financing and formalizing the CISO post in state law. Additionally, they are incorporating organizational risk management frameworks, cybersecurity legislative councils, and cybersecurity training into state legislation.
- More states are requiring CISOs to provide monthly reports to the governor, legislature, and agency secretaries.
- The goal of CISOs is to create and implement a shared security services model that will allow local governments and public higher education institutions to be protected on a state-wide scale.
“State CISOs played critical roles helping the country successfully navigate the twists and turns of the pandemic, and this year’s survey identifies the steps needed to grow this increasingly public role and meet the current and future challenges faced by state agencies,” said Meredith Ward, director of policy and research at NASCIO and a co-author of the 2022 Deloitte/NASCIO Cybersecurity Study. “We’re proud to again bring the perspectives of state CISOs to the forefront of conversations around cybersecurity.”