
States at risk: The cybersecurity imperative in uncertain times

A joint biennial report (6th edition) from Deloitte and the National Association of State Chief Information Officers (NASCIO)

Meredith Ward
Srini Subramanian

The pandemic has highlighted public-sector cyber leaders’ resilience—but has also called attention to long-standing challenges facing state IT and cybersecurity.

DURING 2020, chief information security officers (CISOs) have risen to the challenges brought on by the pandemic, working closely with state IT departments to balance cybersecurity risks and business continuity. With most employees unexpectedly working from home for an indefinite period, CISOs secured networks for remote work by enabling or expanding multifactor authentication, enhancing system monitoring to receive early detection and alerts, and reviewing readiness plans to address the possibility of unexpected cybersecurity incidents. CISOs’ actions helped most states maintain essential business functions and service to citizens, even in a time of tightly constrained cyber budgets.

This year’s study, based on responses from enterprise-level CISOs in 51 US states and territories, made clear state governments’ need for digital modernisation and the essential role of cybersecurity. Survey results suggest that the CISO position has evolved into a mature and respected role, with the pandemic further highlighting its critical nature.

And yet CISOs struggle with the challenges of securing adequate budgets and talent, as well as coordinating a consistent security implementation across agencies. Our survey identified several key takeaways critical to further enhancing the CISO's status:

COVID-19 has challenged continuity and amplified gaps

One of the most notable challenges CISOs faced during the pandemic was the abrupt shift to remote work. According to the study:

  • Before the pandemic, 52% of respondents said less than 5% of staff worked remotely.
  • During the pandemic, 35 states have had more than half of employees working remotely; nine states have had more than 90% remote workers.

“The pandemic forced state governments to act quickly, not just in terms of public health and safety but also with regard to cybersecurity,” says Srini Subramanian, Deloitte & Touche LLP's state and local government advisory leader.

Connecting the cyber dots across state, local and higher education

The pandemic has amplified state governments’ longstanding need for digital modernisation, along with the essential role that cybersecurity needs to play in the discussion. Only 28% of states reported that they had collaborated extensively with local governments as part of a security programme during the past year, with 65% reporting limited collaboration. By extending the CISO's influence through collaboration and partnerships, states can help provide cybersecurity services and guidance to often-overwhelmed local governments and public higher education entities.

Strength, consistency and enforcement in numbers

The study shows that 40% of the states continue to operate in a federated model, in which CISOs are responsible for enterprise policy with a mix of centralised shared services and agency-led services specific to each, and 10% operate in a decentralised model of cyber governance, in which individual state agencies are on their own for cyber services and execution, with only policy guidance from the CIO. To further their progression, state CISOs should transition to a centralised form of governance for the cybersecurity function, with the enterprise CISO responsible for cybersecurity for all state agencies while maintaining proximity to business initiatives at the agency/programme level.

Progress on the 2018 Deloitte-NASCIO Cybersecurity Study bold plays

The 2020 study also reviews progress made towards the three “bold plays” identified in the 2018 Deloitte–NASCIO Cybersecurity Study, covering funding, innovation and collaboration.


The bold plays are strategic shifts that may take years for results to be visible, and our 2020 survey results show that, while progress is being made, now is not a time to declare victory. In fact, it is critical to continue pressing forward on these bold plays.

Cyber Risk Services

Deloitte Cyber helps organisations manage cyber risk and create value through enhanced security, visibility and privacy. Our programme design, implementation, operation and response services, coupled with our deep industry and mission knowledge, help our clients protect and defend their most valuable assets, facilitate secure digital transformation efforts and adapt rapidly to emerging threats.


We thank the NASCIO and Deloitte professionals who helped to develop the survey and execute, analyse, and create the report.

At NASCIO, we thank executive director Doug Robinson and the state CISO survey review team: Adam Ford, Illinois; Bill Nash, Wisconsin; Nancy Rainosek, Texas; Tim Roemer, Arizona; and Maria Thompson, North Carolina.

At Deloitte, we thank subject-matter specialists Bharane Balasubramanian, Mike Wyatt, Timothy Li, Clayton Frick, and Jesse Goldhammer of Deloitte & Touche LLP; John O’Leary of Deloitte Services LP; and Ron Baldwin and Art Stephens of Deloitte Consulting LLP.

Thank you to the Deloitte survey team, data analysis, and benchmarks: Bharath Chari, Deloitte & Touche LLP; Sushumna Agarwal, Deloitte Services LP; Glynis Rodrigues, Deloitte Services LP; Thirumalai Kannan, Deloitte Services LP.

Thanks also to the marketing and writing team, including Annette Evans, Deloitte Services LP; Anudeep Gurram, Deloitte Services LP; and Marie Willsey, writer.
