Foreword

Paving the path for cybersecurity in the postpandemic age

The seventh biennial Deloitte-NASCIO Cybersecurity Study arrives at a unique juncture for state chief information security officers (CISOs) and chief information officers (CIOs). Emerging from nearly three years of the COVID-19 pandemic, the landscape in which state CISOs operate has changed. While it may take years to know which transformations wrought by the pandemic will endure, we know that digitization has accelerated. The social distancing required by the health crisis made digital and mobile platforms the crux of work and daily life. This means that the future role of the state CISO is more important than ever, as new vulnerabilities and opportunities arise from greater use of these networks.

The 2022 survey was the result of robust participation by 50 states and three territories. At this pivotal moment, we find that the state CISO position has continued to gain strength and authority. As noted in the last biennial study, during the early days of the pandemic, CISOs performed the herculean task of migrating state government operations, services, and employees to a virtual environment nearly overnight. They enhanced safeguards such as multifactor identification, risk monitoring, and incident readiness to secure a remote workforce. As a result of these measures and the dedication of state employees, state agencies continued operating and providing services in the face of immense challenges.

Now, CISOs have a chance to build on that momentum to chart strategies for the postpandemic era. To meet the needs of an even more hyperconnected age, they must tackle some longstanding challenges, while laying the groundwork for the adoption of newer technologies on the horizon. From this year’s survey results, we identified three key takeaways critical to enhancing the CISO’s role in the future.

Dealing with the talent gap. Attracting, retaining, and continually training a cybersecurity workforce primed for the future has become more difficult. It is encouraging to see an increasing trend to effectively embrace the delivery of cyber services, but states must reposition state employment to compete effectively with private sector and federal employers for millennial and Generation Z workers whose workplace ideals differ from those of previous generations. For example, the ability to work remotely, in part or in full, is now a basic expectation.

Embracing the entire state. In the ongoing effort to fortify resilience across their states, CISOs must extend their leadership to all levels of government, including the local level. Due to the many interactions that take place between local and state agencies, local government presents a threat vector. CISOs should increase their cooperation with higher education institutions to act as a bridge between state and local government and to also create a pipeline of cybersecurity professionals to address the talent gap.

Setting a new course. The postpandemic world brings new challenges and opportunities. CISOs need to have the foresight both in terms of budgets and new technologies to keep pace with the expectations of the increasingly digitized environment.

We thank the 53 states and territories that participated in our detailed survey. We salute your dedication to safeguarding citizen data and to securing the business of your state.

Key takeaway 1: Dealing with the talent gap

Fighting cyberthreats requires ready forces

In 2022, the demand for high-skilled workers has grown even more acute for both public and private sector employers. Reassessing their life choices during the COVID-19 pandemic, many employees joined the Great Resignation, and millennial and Gen Z workers are more carefully choosing workplaces that reflect their preferences. In this environment, the lack of cybersecurity professionals and staff remains among the top five barriers that CISOs cite (figure 1). Despite CISOs’ growing responsibilities and the increasing sophistication of technology and threats, head counts for state cybersecurity professionals remain about the same as in 2020 (figure 2). In addition, over 60% of CISOs report gaps in competencies among their staff (figure 31).

States face heavy competition in hiring from the private sector and federal government. The private sector is combating the talent shortage by increasing pay, flexibility, and rapid career advancement to appeal to younger workers. Having lived through the experience of the pandemic, many no longer put work at the center of their lives. Though younger workers value the sense of purpose that government jobs offer, they are also demanding greater work/life balance, remote work and flexibility, and opportunities to maintain wellness.¹

Many millennial and Gen Z workers are also looking to be part of a diverse workforce with an inclusive culture. Indeed, research shows that diverse teams, with their varying perspectives, are more effective and productive.

States are not meeting many of the demands of this new generation of tech workers. The top factors with which CISOs attract and retain talent remain largely the same as in years past. They include the opportunity to serve the public, job stability, and a retirement plan (figure 3).

Only 25% of states reported using remote work as a talent-attraction tool (figure 4). This is somewhat surprisingly low, as CISOs have worked hard to ensure the security of work-from-home arrangements, with more than half expressing confidence in these efforts (figure 5). Moreover, the labor market is increasingly offering workers the option to work from home.

In addition, state CISOs are working to incorporate diversity, equity, and inclusion (DEI) practices, such as designating a DEI leadership position or teams to foster a culture of inclusion. In some cases, there was incomplete awareness of the DEI practices in place (figure 6).

The long process that state CISOs must complete to hire staff at every level is giving competitors a better shot at hiring the best talent. About half of respondents say it takes three to six months to hire mid-level personnel and more than six months to hire director-level personnel (figure 7).

To close the gap, CISOs continue to rely on staff augmentation (figure 8). States are demonstrating more interest in outsourcing specific function areas and contracting with managed service providers (figure 9). For example, more than half of respondents report outsourcing security operations center functions, which require 24x7 monitoring (figure 10).

Call to action

As they continue to compete with the private sector and federal government for talent, CISOs have an opportunity to reboot efforts to attract and retain up-and-coming cyber professionals by providing more of the workplace attributes they seek and to develop a more effective pipeline for fresh talent.

• Transform state employment practices to attract next-generation workers. The technology talent shortfall has reached a critical juncture. Although CISOs do not control state hiring practices, they need to make a case for a transformation of public talent management or face increasingly untenable talent shortages. To attract the best talent, states can take steps such as offering remote-work options, providing an opportunity to work with up-to-date tech tools, shortening the hiring cycle, modernizing job titles and classifications using the National Initiative for Cybersecurity Education (NICE) framework, and other measures. 
• Turn to external resources to fill the gap. As CISOs continue to build a robust in-house staff, they can turn to private-public partnerships to close the gap. Management of third-party vendors is maturing, as CISOs rely on them more to provide not only securities operations center functions, but also forensic and legal support and cyberthreat risk assessments (figure 10). CISOs have more confidence in the cybersecurity practices of contractors than other third parties such as local governments and higher education (figure 11).

Key takeaway 2: Embracing the entire state

Tighter collaboration with local governments and state higher education institutions provides greater security across the state

CISOs have made significant progress not only within the executive branch but also with state legislatures, and they are beginning to get the institutional support they need. Notably, state legislators are codifying into law various roles of the CISO and providing funding for initiatives such as enterprise risk management frameworks, cybersecurity legislative councils, and cybersecurity training (figure 12). Many states now also require CISOs to provide periodic reports to senior state levels, such as the governor, legislature, and secretaries of state (figure 13).

Yet, CISOs’ relationships with other important entities—such as local, city, and county governments; public higher education institutions; health care systems; and the private sector—are lagging. To build more resilient cyber safeguards, CISOs need to collaborate and share information on cyberthreats with all levels and branches of government and the private sector within state borders. A whole-of-state approach—encompassing this full array of stakeholders—is key to fortifying protections wherever vulnerabilities may occur.

A centralized model of state cybersecurity governance, where the CISO’s office leads the cybersecurity efforts of state agencies and collaborates with local governments and public higher education, helps strengthen state cybersecurity overall. A more centralized state budgeting process also enables CISOs to know where and how funds are allocated and helps reduce duplicative expenditures. Even at the state level, however, it is interesting to note that nearly one-third (29%) of respondents leave cyber incidents to agencies themselves to manage, rather than to a central IT security group.

Overall, CISOs’ relationships with local governments and public higher education institutions trails that with state-level agencies. Currently, most CISOs actively engage with technology decision-makers and state business decision-makers in formulating state cybersecurity strategies, but few engage local governments and state public education institutions (figure 14). Few local government and public higher education institutions have adopted core CISO enterprise cybersecurity services, including security awareness, incident response, risk and vulnerability assessments, threat monitoring and security operations centers, and identity and access management to the same extent as state agencies (figure 15). While the level of adoption by local governments and public higher education may also depend on the availability of services offered by the state to them, the contrast in the level adoption indicates the need for attention. As an example, less than half of CISOs provide cybersecurity training to local government and public higher education staff, while the extent of adoption of such training to state agencies and contractors is more mature (figure 16).

CISOs report having more confidence in the cybersecurity practices of third-party vendors than those of local government and public higher education (figure 11). Indeed, CISOs often have little visibility into these entities. Many report that they don’t know how local governments and public higher education institutions are managing their third-party contractors, for instance.

As new federal grants for cybersecurity become available, CISOs have an opportunity to build closer collaboration with local government entities. The Infrastructure and Investment Jobs Act (IIJA) of 2021 provides the first federal grant program earmarked specifically for cybersecurity. The IIJA’s State & Local Cybersecurity Grant Program, administered by the Department of Homeland Security, provides federal funds to strengthen the cyber resilience of state and local grant recipients. State & Local Cybersecurity Grant requires that state recipients allocate 80 percent of grant funds to local government entities.  

Our survey shows that 46 states and territories plan to apply for grants from this program. The grants can enable the delivery of shared services to local governments. With the funds, states anticipate requiring local governments to implement measures including cybersecurity training, risk assessments, security monitoring, incident response, endpoint detection, and vulnerability management (figure 17). In addition, the American Rescue Plan Act of 2021 provides stimulus funding for a variety of activities including cybersecurity. Respondents indicated they had leveraged ARPA for a variety of cybersecurity needs, the most common being defense technology including endpoint protection, identity and access management, and a security operations center (figure 18). 

The availability of these funds is not enough to guarantee progress at the local government level, however. Indeed, CISOs see challenges ahead in implementing these federal grant programs. More than 60% of respondents report that the biggest barrier to successfully meeting the requirements of federal grant programs is resistance by local government to state oversight (figure 19). States should consider using local institutions of higher education to serve as regional hubs that connect local governments to the whole-of-state approach to cybersecurity, perhaps through a shared SOC model. 

Call to action

Closer working relationships between state CISOs and local governments and public education entities could go a long way in reducing the state’s cyber risk exposure. CISOs have an opportunity to improve state cybersecurity with these measures.

• Advocate for a whole-of-state approach. For CISOs to be more effective in taking a whole-of-state approach, they first need mechanisms to promote collaboration within the executive branch. They should explore executive or legislative establishment of appropriate tools to foster whole-of-state coordination authority. States also have an opportunity to bolster their security by ensuring that state laws recognize and fund cybersecurity for local, city, and county governments and higher education institutions. State CISOs can highlight the importance of such legislation before state legislators. Only 10% of respondents report having such legislation, and more than half report no such legislation. In addition, many states are exploring creative governance by establishing a joint cyber task force or shared services initiatives to establish a whole-of-state approach. CISOs can use these councils and task forces to build closer collaboration with local governments and public higher education entities (figure 20).
• Use federal grants to promote collaboration with local governments. CISOs can use the opportunity provided by the State & Local Cybersecurity Grant Program to build closer collaboration with local governments on cyber protections, including cybersecurity training at local government levels. The experience could pave the way for future collaboration.

Key takeaway 3: Setting a new course

Emerging from the pandemic, CISOs can position themselves for the future

Nearly three years since the pandemic began, the world in which CISOs operate has changed. In the realm of technology, many applications have migrated to the cloud. And with remote work, digital and mobile platforms have become part of the fabric of daily life by which people work, communicate, and transact. Remote or hybrid work may become a permanent fixture, posing new management challenges. Citizens, now used to the convenience of remote access, are likely to demand more and improved digital experiences from government—for everything from renewing licenses to paying taxes to receiving state benefits—all the while expecting security and privacy safeguards of their information.

The role of the state CISO only grows in importance in this environment. Bad actors exploited the dispersed work-from-home arrangements during the pandemic, increasingly indulging in activities such as ransomware attacks and financial fraud. Geopolitical developments also added to the complications with foreign state-sponsored espionage and threats to election security. All the while, new technologies from cloud computing to artificial intelligence offer both new capabilities and vulnerabilities to consider.

To forge ahead, CISOs need to secure the basics—a sound budgetary foundation—while they consider new technological capabilities to modernize operations and constituent services. 

Firm financial footing sets a lasting foundation

For the first time since this survey began in 2010, CISOs are reporting that budgetary concerns are no longer a top barrier to cybersecurity initiatives. The lack of a sufficient cybersecurity budget didn’t even rank in the top five concerns landing behind legacy infrastructure, talent shortage, and other issues (figure 1).

Over the last year, state receipts were greater than expected due to pandemic relief funds and other factors. In fiscal year 2022, state budget spending grew at 13.6%, the highest increase in more than 40 years, and in fiscal year 2023, state budget spending is expected to grow by 4.2% over prior year levels.² Meanwhile, state and local governments are poised to receive new cybersecurity grants over the next four years under the State & Local Cybersecurity Grant Program. It is unclear how long this positive budgetary scenario will last. But at this unique moment, CISOs have a chance to make greater progress on their priorities.

To assume a leadership role appropriate to oncoming challenges in the postpandemic era, states must establish a sound financial foundation for the long run for cybersecurity. As digitization increasingly becomes widespread, state cybersecurity funding cannot be left to chance year after year. CISOs need to be able to draw upon a constant, dependable source of funding throughout different economic and political cycles. Most states do have a dedicated budget line item for cybersecurity, whether established by law, executive order, or other mechanisms (figure 21). In those states that have not, CISOs and CIOs must continue to push for it.

Establishing cybersecurity as a governmental priority with a budget line item can help state CISOs and CIOs raise funding levels before state legislature and executive branch leaders. Certainly, CISOs concur that regulations backed by a commitment for funding are more effective than those without one (figure 22).

States are beginning to make some progress on cybersecurity budgets. For the first time, a handful are allocating more than 10% of their budget to cybersecurity, in alignment with federal government levels,³ but most still allocated between 2–10% (figure 23).

CISOs need to continue to establish more secure and adequate funding, as only with such funding can they formulate longer-term strategies to incorporate pressing priorities, such as emerging technologies.

Emerging technologies present new opportunities

In the postpandemic digital landscape, CISOs have a critical role to play in actively guiding the evaluation and implementation of useful new technologies. Citizens accustomed to positive digital experiences in other realms have come to expect that from state government. Many states have taken a big step forward in this regard by providing digital identities for citizen services. Capabilities, such as cloud computing, artificial intelligence (AI), and Robotic Process Automation (RPA), allow states an opportunity to further enhance digital modernization in service of their missions and constituents.

Active participation in the state innovation agenda also provides CISOs benefits such as greater visibility with other state leaders. To serve as a partner in innovation, the key is to be a leader to advocate for and enable new technologies in a secure fashion. By establishing involvement from the onset in the evaluation of emerging technologies, CISOs can best help ensure that cybersecurity is baked into new applications before procurement and during implementation.

In the last few years, CIOs have worked with many innovations, such as RPA, chatbots, and other AI tools to streamline and improve citizens’ digital experience. Meanwhile, they have also had to contend with many issues involving legacy infrastructure, cited as first among CISOs’ top barriers (figure 1). Overall, cyber strategy ranked as the top priority for CISOs while emerging technologies such as artificial intelligence ranked low (figure 24).

Call to action

To meet the challenges of a post-pandemic world, CISOs have an opportunity to lay solid groundwork to fund states’ growing cybersecurity needs, while investing in technologies for the future.

• Lay a sound financial foundation. To ensure ongoing funding support through various economic and political cycles, CISOs and CIOs should continue to push for cybersecurity as a distinct line budget item in states where this has not occurred. In their regular reports to state leadership, they should continue to underscore the importance of cybersecurity as a priority and the need for consistent and adequate funding. State CISOs with a multiyear strategic plan secure funds more successfully than those that don’t. Annual updates on progress over the last year and overviews of plans for the next year make a big difference in positioning cybersecurity as a business enabler.
• Build the cornerstones of the future—cloud and emerging technology. With solid funding, CISOs can embrace underpinnings of the future, including the continued adoption of cloud and other new technologies to enable the smarter government services. A key challenge is to maintain the security of existing capabilities even as more functions migrate to the cloud. In one example, many states have made good progress providing strong authentication while eliminating passwords, boosting both security and convenience.

Survey analysis deep dives

Strategy and governance

Budget

Cyber workforce

Identity and access management

Cyber operations

Cyberthreats

Appendix: Survey methodology

The 2022 Deloitte–NASCIO Cybersecurity Study uses survey responses from:

• US state enterprise-level CISOs answered 66 questions designed to characterize the enterprise-level strategy, governance, and operation of security programs. Participation was high: 53 states and territories responded. Figures 39 illustrates the CISO participants’ demographic profile and that of their states.

For better readability, we have included relevant and select responses in the charts. Hence, the percentage totals may not equal to 100%.

• The survey gave respondents the opportunity to add additional comments when they wanted to further explain an “N/A” or “Other” response. A number of participants provided such comments, offering further insight into the analysis. 

Cyber Risk Services

Deloitte Cyber helps organizations manage cyber risk and create value through enhanced security, visibility, and privacy. Our program design, implementation, operation, and response services, coupled with our deep industry and mission knowledge, help our clients protect and defend their most valuable assets, facilitate secure digital transformation efforts, and adapt rapidly to emerging threats.