State CISOs Report Lower Confidence Across the Public Sector Cyber Ecosystem, 2026 NASCIO-Deloitte Survey Finds

NEW YORK, April 27, 2026

Key takeaways

• The survey of Chief Information Security Officers (CISOs) from all 50 states and two territories found that just 26% of state CISOs are “extremely” or “very” confident that their state’s information assets are protected from cyber threats, down from 48% in 2022.
•  Implementing effectiveness metrics is now CISOs’ top priority: 49% named it a top cybersecurity initiative in 2026, up from 15% in 2022.
• Nearly all state CISOs (94%) said they are involved in developing Generative AI security policies and 84% are involved in Generative AI strategy development.
• Budget pressure is rising with 16% of CISOs reporting their budgets have been cut, up from none in 2024.
• The percentage of CISOs who described themselves as “not very confident” in the ability of local government and public higher education to secure public data rose significantly, from 35% in 2022 to 63% in 2026.

Why this decline in confidence matters
States share data and systems with counties, cities, and public colleges and universities, so a vulnerability in one network can cascade, exposing personal information, disrupting essential services and driving costly incident response. As attackers adopt AI-enabled tactics, the urgency is growing for faster coordination, clearer policy and stronger baseline defenses across the public sector. This may explain why roughly one-fifth of CISOs indicated that their states were moving toward a “whole-of-state” approach to cybersecurity.

Metrics reporting becomes CISOs’ top priority
Top priorities for CISOs have shifted since the 2024 survey. When asked to identify their states’ top cybersecurity initiatives for 2026, half of CISOs named implementing effectiveness metrics (49%, up from 25% in 2024 and 15% in 2022). Capturing the effectiveness of cyber spending can be difficult, but without metrics, it is challenging to show the benefits of investments. Tracking operational, compliance and risk-based key performance indicators, such as incident response time and phishing click rate, can help demonstrate the return on cyber investment.

AI both accelerates threats and becomes a frontline defense
AI is accelerating the scale and sophistication of attacks targeting public sector systems, making it easier and cheaper for adversaries to generate and automate cyberattacks. CISOs also point to an emerging threat toolkit, including deepfakes that can fool people and evade detection, AI agents that probe for weaknesses and adapt, and AI-driven ransomware-as-a-service operations.

At the same time, CISOs describe AI as a practical way to keep pace, using it to triage security alerts, summarize events, and explore faster report creation, threat identification and training. Several states are already utilizing Generative AI in core security operations, including security information and event management (SIEM) and security orchestration, automation and response (SOAR). The report also underscores how central CISOs have become to state AI efforts.

Key quotes
“We’re seeing more states move toward a ‘whole-of-state’ cybersecurity approach where the state helps extend protection beyond state agencies to local governments, public education and other critical entities that can become an entry point for attackers. At its core, it’s about scaling capabilities through shared services and better collaboration so a weakness in one part of the ecosystem doesn’t become a statewide incident. Many states are looking to scale capabilities through security operations centers and regional support, so counties, cities and schools can benefit from the same cyber-defense muscle as the enterprise.”
— Mike Wyatt, Stale local and higher education cyber risk leader, Deloitte

“It’s an encouraging development that state CISOs are being placed at the center of Generative AI security. They are helping shape the strategy, establishing security policies and reviewing proposed use cases. By being involved from the beginning, CISOs are helping governments move faster without sacrificing safeguards because security and governance complement each other. We’re also seeing CISOs explore practical uses of AI to strengthen day-to-day defense, while putting clearer guardrails around responsible uses.”
— Meredith Ward, deputy executive director, NASCIO

Additional data
To read the 2026 NASCIO-Deloitte report in its entirety, click here.

About NASCIO
The National Association of State Chief Information Officers is the premier network and resource for state CIOs and a leading advocate for technology policy at all levels of government. NASCIO represents state chief information officers and information technology executives from the states, territories, and the District of Columbia. For more information about NASCIO visit www.nascio.org.