The seventh biennial Deloitte-NASCIO Cybersecurity Study arrives at a unique juncture for state chief information security officers (CISOs) and chief information officers (CIOs). Emerging from nearly three years of the COVID-19 pandemic, the landscape in which state CISOs operate has changed. While it may take years to know which transformations wrought by the pandemic will endure, we know that digitization has accelerated. The social distancing required by the health crisis made digital and mobile platforms the crux of work and daily life. This means that the future role of the state CISO is more important than ever, as new vulnerabilities and opportunities arise from greater use of these networks.
The 2022 survey was the result of robust participation by 50 states and three territories. At this pivotal moment, we find that the state CISO position has continued to gain strength and authority. As noted in the last biennial study, during the early days of the pandemic, CISOs performed the herculean task of migrating state government operations, services, and employees to a virtual environment nearly overnight. They enhanced safeguards such as multifactor authentication, risk monitoring, and incident readiness to secure a remote workforce. As a result of these measures and the dedication of state employees, state agencies continued operating and providing services in the face of immense challenges.
Now, CISOs have a chance to build on that momentum to chart strategies for the postpandemic era. To meet the needs of an even more hyperconnected age, they must tackle some longstanding challenges, while laying the groundwork for the adoption of newer technologies on the horizon. From this year’s survey results, we identified three key takeaways critical to enhancing the CISO’s role in the future.
Dealing with the talent gap. Attracting, retaining, and continually training a cybersecurity workforce primed for the future has become more difficult. It is encouraging to see states increasingly embrace alternative ways of delivering cyber services, such as staff augmentation and outsourcing, but states must also reposition state employment to compete effectively with private sector and federal employers for millennial and Generation Z workers, whose workplace ideals differ from those of previous generations. For example, the ability to work remotely, in part or in full, is now a basic expectation.
Embracing the entire state. In the ongoing effort to fortify resilience across their states, CISOs must extend their leadership to all levels of government, including the local level. Because of the many interactions that take place between local and state agencies, local government expands the state's attack surface and presents a threat vector. CISOs should increase their cooperation with higher education institutions, which can act as a bridge between state and local government and also create a pipeline of cybersecurity professionals to address the talent gap.
Setting a new course. The postpandemic world brings new challenges and opportunities. CISOs need to have the foresight both in terms of budgets and new technologies to keep pace with the expectations of the increasingly digitized environment.
We thank the 53 states and territories that participated in our detailed survey. We salute your dedication to safeguarding citizen data and to securing the business of your state.
Meredith Ward
Director of Policy and Research
NASCIO
Srini Subramanian
Principal
Deloitte & Touche LLP
In 2022, the demand for high-skilled workers has grown even more acute for both public and private sector employers. Reassessing their life choices during the COVID-19 pandemic, many employees joined the Great Resignation, and millennial and Gen Z workers are more carefully choosing workplaces that reflect their preferences. In this environment, the lack of cybersecurity professionals and staff remains among the top five barriers that CISOs cite (figure 1). Despite CISOs’ growing responsibilities and the increasing sophistication of technology and threats, head counts for state cybersecurity professionals remain about the same as in 2020 (figure 2). In addition, over 60% of CISOs report gaps in competencies among their staff (figure 31).
States face heavy competition in hiring from the private sector and federal government. The private sector is combating the talent shortage by increasing pay, flexibility, and rapid career advancement to appeal to younger workers. Having lived through the experience of the pandemic, many no longer put work at the center of their lives. Though younger workers value the sense of purpose that government jobs offer, they are also demanding greater work/life balance, remote work and flexibility, and opportunities to maintain wellness.1
Many millennial and Gen Z workers are also looking to be part of a diverse workforce with an inclusive culture. Indeed, research shows that diverse teams, with their varying perspectives, are more effective and productive.
States are not meeting many of the demands of this new generation of tech workers. The top factors with which CISOs attract and retain talent remain largely the same as in years past. They include the opportunity to serve the public, job stability, and a retirement plan (figure 3).
Only 25% of states reported using remote work as a talent-attraction tool (figure 4). This is surprisingly low, given that CISOs have worked hard to ensure the security of work-from-home arrangements, with more than half expressing confidence in these efforts (figure 5). Moreover, the labor market is increasingly offering workers the option to work from home.
In addition, state CISOs are working to incorporate diversity, equity, and inclusion (DEI) practices, such as designating a DEI leadership position or teams to foster a culture of inclusion. In some cases, there was incomplete awareness of the DEI practices in place (figure 6).
The long process that state CISOs must complete to hire staff at every level is giving competitors a better shot at hiring the best talent. About half of respondents say it takes three to six months to hire mid-level personnel and more than six months to hire director-level personnel (figure 7).
To close the gap, CISOs continue to rely on staff augmentation (figure 8). States are demonstrating more interest in outsourcing specific function areas and contracting with managed service providers (figure 9). For example, more than half of respondents report outsourcing security operations center functions, which require 24x7 monitoring (figure 10).
As they continue to compete with the private sector and federal government for talent, CISOs have an opportunity to reboot efforts to attract and retain up-and-coming cyber professionals by providing more of the workplace attributes they seek and to develop a more effective pipeline for fresh talent.
CISOs have made significant progress not only within the executive branch but also with state legislatures, and they are beginning to get the institutional support they need. Notably, state legislators are codifying into law various roles of the CISO and providing funding for initiatives such as enterprise risk management frameworks, cybersecurity legislative councils, and cybersecurity training (figure 12). Many states now also require CISOs to provide periodic reports to senior state levels, such as the governor, legislature, and secretaries of state (figure 13).
Yet, CISOs’ relationships with other important entities—such as local, city, and county governments; public higher education institutions; health care systems; and the private sector—are lagging. To build more resilient cyber safeguards, CISOs need to collaborate and share information on cyberthreats with all levels and branches of government and the private sector within state borders. A whole-of-state approach—encompassing this full array of stakeholders—is key to fortifying protections wherever vulnerabilities may occur.
A centralized model of state cybersecurity governance, where the CISO’s office leads the cybersecurity efforts of state agencies and collaborates with local governments and public higher education, helps strengthen state cybersecurity overall. A more centralized state budgeting process also enables CISOs to know where and how funds are allocated and helps reduce duplicative expenditures. Even at the state level, however, it is interesting to note that nearly one-third (29%) of respondents leave cyber incidents to agencies themselves to manage, rather than to a central IT security group.
Overall, CISOs’ relationships with local governments and public higher education institutions trail those with state-level agencies. Currently, most CISOs actively engage with technology decision-makers and state business decision-makers in formulating state cybersecurity strategies, but few engage local governments and state public education institutions (figure 14). Few local government and public higher education institutions have adopted core CISO enterprise cybersecurity services, including security awareness, incident response, risk and vulnerability assessments, threat monitoring and security operations centers, and identity and access management, to the same extent as state agencies (figure 15). While the level of adoption by local governments and public higher education may also depend on the availability of services the state offers them, the contrast in the level of adoption indicates the need for attention. As an example, less than half of CISOs provide cybersecurity training to local government and public higher education staff, while the adoption of such training by state agencies and contractors is more mature (figure 16).
CISOs report having more confidence in the cybersecurity practices of third-party vendors than those of local government and public higher education (figure 11). Indeed, CISOs often have little visibility into these entities. Many report that they don’t know how local governments and public higher education institutions are managing their third-party contractors, for instance.
As new federal grants for cybersecurity become available, CISOs have an opportunity to build closer collaboration with local government entities. The Infrastructure Investment and Jobs Act (IIJA) of 2021 provides the first federal grant program earmarked specifically for cybersecurity. The IIJA’s State & Local Cybersecurity Grant Program, administered by the Department of Homeland Security, provides federal funds to strengthen the cyber resilience of state and local grant recipients. The program requires that state recipients allocate 80 percent of grant funds to local government entities.
Our survey shows that 46 states and territories plan to apply for grants from this program. The grants can enable the delivery of shared services to local governments. With the funds, states anticipate requiring local governments to implement measures including cybersecurity training, risk assessments, security monitoring, incident response, endpoint detection, and vulnerability management (figure 17). In addition, the American Rescue Plan Act (ARPA) of 2021 provides stimulus funding for a variety of activities, including cybersecurity. Respondents indicated they had leveraged ARPA funds for a variety of cybersecurity needs, the most common being defensive technology, including endpoint protection, identity and access management, and a security operations center (figure 18).
The availability of these funds is not enough to guarantee progress at the local government level, however. Indeed, CISOs see challenges ahead in implementing these federal grant programs. More than 60% of respondents report that the biggest barrier to successfully meeting the requirements of federal grant programs is resistance by local government to state oversight (figure 19). States should consider using local institutions of higher education to serve as regional hubs that connect local governments to the whole-of-state approach to cybersecurity, perhaps through a shared SOC model.
Closer working relationships between state CISOs and local governments and public education entities could go a long way in reducing the state’s cyber risk exposure. CISOs have an opportunity to improve state cybersecurity with these measures.
Nearly three years since the pandemic began, the world in which CISOs operate has changed. In the realm of technology, many applications have migrated to the cloud. And with remote work, digital and mobile platforms have become part of the fabric of daily life by which people work, communicate, and transact. Remote or hybrid work may become a permanent fixture, posing new management challenges. Citizens, now used to the convenience of remote access, are likely to demand more and improved digital experiences from government—for everything from renewing licenses to paying taxes to receiving state benefits—all the while expecting security and privacy safeguards of their information.
The role of the state CISO only grows in importance in this environment. Bad actors exploited the dispersed work-from-home arrangements during the pandemic, increasingly turning to ransomware attacks and financial fraud. Geopolitical developments added further complications, with foreign state-sponsored espionage and threats to election security. All the while, new technologies from cloud computing to artificial intelligence offer both new capabilities and new vulnerabilities to consider.
To forge ahead, CISOs need to secure the basics—a sound budgetary foundation—while they consider new technological capabilities to modernize operations and constituent services.
For the first time since this survey began in 2010, CISOs are reporting that budgetary concerns are no longer a top barrier to cybersecurity initiatives. The lack of a sufficient cybersecurity budget didn’t even rank in the top five concerns, landing behind legacy infrastructure, the talent shortage, and other issues (figure 1).
Over the last year, state receipts were greater than expected due to pandemic relief funds and other factors. In fiscal year 2022, state budget spending grew at 13.6%, the highest increase in more than 40 years, and in fiscal year 2023, state budget spending is expected to grow by 4.2% over prior year levels.2 Meanwhile, state and local governments are poised to receive new cybersecurity grants over the next four years under the State & Local Cybersecurity Grant Program. It is unclear how long this positive budgetary scenario will last. But at this unique moment, CISOs have a chance to make greater progress on their priorities.
To assume a leadership role appropriate to the oncoming challenges of the postpandemic era, states must establish a sound long-term financial foundation for cybersecurity. As digitization becomes increasingly widespread, state cybersecurity funding cannot be left to chance year after year. CISOs need to be able to draw upon a constant, dependable source of funding throughout different economic and political cycles. Most states do have a dedicated budget line item for cybersecurity, whether established by law, executive order, or other mechanisms (figure 21). In states that have not established one, CISOs and CIOs must continue to push for it.
Establishing cybersecurity as a governmental priority with a budget line item can help state CISOs and CIOs make the case for higher funding levels before state legislatures and executive branch leaders. Certainly, CISOs concur that regulations backed by a commitment for funding are more effective than those without one (figure 22).
States are beginning to make some progress on cybersecurity budgets. For the first time, a handful are allocating more than 10% of their budget to cybersecurity, in alignment with federal government levels,3 but most still allocated between 2–10% (figure 23).
CISOs need to continue to establish more secure and adequate funding, as only with such funding can they formulate longer-term strategies to incorporate pressing priorities, such as emerging technologies.
In the postpandemic digital landscape, CISOs have a critical role to play in actively guiding the evaluation and implementation of useful new technologies. Citizens accustomed to positive digital experiences in other realms have come to expect that from state government. Many states have taken a big step forward in this regard by providing digital identities for citizen services. Capabilities, such as cloud computing, artificial intelligence (AI), and Robotic Process Automation (RPA), allow states an opportunity to further enhance digital modernization in service of their missions and constituents.
Active participation in the state innovation agenda also provides CISOs benefits such as greater visibility with other state leaders. To serve as a partner in innovation, the CISO must take the lead in advocating for and enabling new technologies in a secure fashion. By being involved from the outset in the evaluation of emerging technologies, CISOs can best help ensure that cybersecurity is baked into new applications before procurement and during implementation.
In the last few years, CIOs have worked with many innovations, such as RPA, chatbots, and other AI tools to streamline and improve citizens’ digital experience. Meanwhile, they have also had to contend with many issues involving legacy infrastructure, cited as first among CISOs’ top barriers (figure 1). Overall, cyber strategy ranked as the top priority for CISOs while emerging technologies such as artificial intelligence ranked low (figure 24).
To meet the challenges of a post-pandemic world, CISOs have an opportunity to lay solid groundwork to fund states’ growing cybersecurity needs, while investing in technologies for the future.
[Survey chart topics: Budget; Cyber workforce; Identity and access management; Cyber operations; Cyberthreats]
The 2022 Deloitte–NASCIO Cybersecurity Study uses survey responses from:
For better readability, we have included relevant and select responses in the charts. Hence, the percentage totals may not equal 100%.
Deloitte Cyber helps organizations manage cyber risk and create value through enhanced security, visibility, and privacy. Our program design, implementation, operation, and response services, coupled with our deep industry and mission knowledge, help our clients protect and defend their most valuable assets, facilitate secure digital transformation efforts, and adapt rapidly to emerging threats.