2026 NASCIO-Deloitte Cybersecurity Study

Key takeaways

• As threats become more sophisticated, far fewer CISOs expressed confidence in their ability to secure public data. The percentage of CISOs who characterized themselves as “extremely” or “very confident” has dropped dramatically, from 48% in 2022 to 22% in 2026 (figure 1).
• CISOs are significantly less confident in the ability of local government and public higher education to secure public data. The percentage of CISOs who described themselves as “not very confident” in these entities rose significantly, from 35% in 2022 to 63% in 2026 (figure 2). This lack of confidence may explain why roughly one-fifth of CISOs indicated that their states were moving forward with a whole-of-state approach to cybersecurity.
• Generative AI also represents an area of increased responsibility, with 94% of CISOs indicating that they are actively involved with the development of GenAI security policies (figure 8).
• CISOs overall reported a rapidly deteriorating budget picture. In the 2026 survey, only 22% of CISOs reported a budget increase of 6% or more, down from 40% in 2024. Perhaps more concerning, 16% of CISOs reported reductions to their budgets in this survey, compared with none in 2024 (figure 21).
• Looking into the future, CISOs indicated their top three barriers to meeting cybersecurity challenges were: legacy infrastructure, increasing sophistication of threats and insufficient funding for cybersecurity (figure 7).

The threat landscape: Rapid gains in attack sophistication shake state CISOs’ confidence

State CISOs reported that cyber threats are more numerous, more varied and more sophisticated than ever before. As one CISO notes, “With the rising adoption of AI and agentic AI, the speed at which attacks are occurring is accelerating at a blistering pace.” As a result, state CISOs are less confident about their ability to safeguard data assets. Many expressed concerns about the preparedness of local governments and educational institutions, as well as others who interact with state systems and data.

CISOs are far less confident they can protect state and local systems

Perhaps the most notable finding of this year’s survey: the significant drop in state CISOs’ perceived security of their state’s information assets (figure 1). 

The growing threat of AI-based technologies is accelerating both the scale and speed of cyber threats

AI-based attacks are becoming more sophisticated, stretching state resources. These technologies have the capability to generate vast numbers of attacks at minimal cost, and a single successful breach can have significant operational and reputational consequences.

The AI threat isn’t limited to automated system attacks. Some newer, widely available AI tools can generate sophisticated deepfakes that can fool humans and evade detection systems. In addition, AI ransomware-as-a-service marketplaces run on cryptocurrency, and AI agents can probe systems for weaknesses and launch adaptive attacks. In short, AI is expanding the capabilities of malicious actors.⁷

There is another AI vulnerability—the use of AI by state employees and the tools they use. Multiple CISOs told us about the hazards of a practice that many software users have noticed: product vendors incorporating GenAI features into existing programs and platforms. While these smart technologies often improve functionality, they can also create new attack surfaces as features may lead to employees entering personally identifiable information or other sensitive data. “The state has published a statewide acceptable use policy to help steer our customer agencies in AI usage,” one CISO remarks, “but vendors auto-enabling AI features in products already leveraged by our customers causes major concern for data protection, privacy and risk.”

Another CISO tells us: “GenAI is advancing faster than existing governance structures can adapt, creating growing uncertainty around security, privacy and ethical use. Vendors are increasingly embedding AI capabilities into products and services without sufficient transparency or state-level control, effectively inflicting AI on operational environments before comprehensive risk assessments or policy frameworks can be applied. This uncoordinated adoption has outpaced the development of formal security guidelines, governance models and ethical standards, leaving the state in a reactive position.”

Indeed, one of the biggest developments for state CISOs is GenAI’s ubiquity and rapidly growing capabilities, presenting both new threats and new ways of countering those threats.⁸ The challenge can feel overwhelming, especially for under-resourced IT teams. One CISO sums up the pros and cons: “GenAI is accelerating both the sophistication and volume of cyber threats, enabling adversaries to craft highly-targeted phishing, automate exploitation and rapidly detect and exploit known vulnerabilities. At the same time, it offers state IT security teams powerful capabilities for real-time threat analysis, automation of routine tasks and faster incident response—provided it’s implemented with strong governance and risk controls.”

Asked to describe GenAI’s impact on security in their states—including implications for security guidelines, governance and the ethical use of AI—CISOs voiced both concern and optimism. “The push to implement GenAI has highlighted the lack of maturity in some of our agencies around data classification and unintended access/sharing,” one CISO tells us. “Many are unprepared for the challenges GenAI will present.” Others saw it as a useful tool. “We are leveraging GenAI to accelerate the development of our core cybersecurity documentation, including AI policies, incident response run-books, risk assessments and plans of action and milestones for mitigation,” another state CISO says.

Data privacy and protection is a rising concern, with GenAI using and repurposing data in ways not always fully understood. But some information security offices are using the technology to rethink and codify state AI policy. We heard from CISOs regarding the need for better data classification and data loss prevention strategies, as well as greater focus on promoting cybersecurity education on data privacy and ethics.

The survey revealed that states are at various stages of establishing structures to ensure safe use of AI and GenAI. As one CISO notes: “We have published artificial intelligence guidelines that emphasize secure and ethical use of AI, warn of privacy and data exposure risks when using AI/machine learning systems, and encourage agencies to prevent misuse and minimize risk when handling sensitive or regulated data.” Publishing guidelines is only part of the journey, however. Some states are looking at mechanisms to limit risk, including blocking some high-risk GenAI tools and leveraging existing risk management services to ensure that AI and GenAI guidelines are being followed. Other steps may include performing risk assessments.

Other CISOs noted additional concerns:

• “We are mainly concerned about overexposure of data and lack of transparency on how AI could be used to make decisions.”
• “Strong guardrails ensure GenAI systems do not inadvertently disadvantage vulnerable groups—especially our large elderly population, who face heightened risks of exploitation and digital fraud. Above all, all states should prioritize robust data-protection policies that safeguard personal information and reinforce public trust as AI capabilities continue to evolve.”

Future ready: How CISO priorities are shifting in the AI age

In their survey responses, CISOs shared how they are preparing for a rapidly changing future of intense threats, constrained resources and unforeseeable AI impacts.

Where CISOs are focusing their efforts now

Top priorities for CISOs have shifted markedly since the 2024 survey. When asked to identify their states’ top cybersecurity initiatives for 2025 and 2026, half of CISOs named implementing effectiveness metrics. Capturing the effectiveness of spending on cyber can be difficult, but without metrics it is hard to show the benefits from investments. Tracking operational, compliance and risk-based key performance indicators—for example, incident response time and phishing click rate—can help show the return on cyber investment.⁹

Other top planned initiatives, such as enterprise identity and access management (IAM) and implementing a Zero Trust framework, are also significantly more prominent than in past years (figure 6).

AI: An accelerant for both attack and defense

For CISOs, being ready for the future means being ready for AI, GenAI and whatever else comes next. This means defending against AI-based attacks, as well as using AI effectively within state government. Thoughtful use of AI may entail employing it to defend against cyberattacks, automate monitoring of threats and augment the capabilities of the cybersecurity workforce.¹⁰

When state agencies introduce new AI-based tools to workers, whether for cyber defense or for other purposes, CISOs need to ensure that they don’t inadvertently introduce additional vulnerabilities.

The good news is that many states are putting CISOs at the center of their overall GenAI planning: developing strategy and security policy as well as reviewing cases (figure 8). As one respondent puts it: “[The] CISO is fully involved in the development and review process of new AI use cases and is part of the development of policy.”

Threat response and frameworks

Structurally, states respond to cyber incidents in a variety of ways. Much of this response has remained stable—about the same number of states look to dedicated response teams, central IT security groups and individual agencies—but after funding and staffing reductions at the federal level,¹¹ fewer states are responding to incidents with outreach to federal support organizations and agencies (figure 10). The Multi-State Information Sharing and Analysis Center, for example, shifted to a fee-based membership system after the cessation of federal funding, which may have contributed to the observed decline.¹²

Whole-of-state cybersecurity gains interest, but adoption remains uneven

This year’s survey provided a strong signal that while far from universal, a significant number of states and state CISOs are moving toward taking a whole-of-state approach to cybersecurity.

Whole-of-state cybersecurity, at its core, involves state governments and state CISOs providing support to entities outside of state government itself.¹⁶ These entities might include local governments; various types of critical infrastructure; educational entities (K-12 as well as public higher education); and private entities that are critical to public health and safety, such as hospitals.

The survey findings indicate that states are in different places on this issue: Some are moving aggressively toward greater state support, while others are still focusing on state information assets and exploring possibilities. As one CISO says, “This is a public policy discussion which we are preparing for, meaning what position will the state take long-term in supporting local units of government with cybersecurity services.”

Asked whether their states are considering options for whole-of-state coverage, CISOs offered a wide variance of responses, with roughly one-fifth indicating that they were fully or partially moving forward with a whole-of-state approach. One CISO reported that “We already operate a whole-of-state model by providing no-cost cybersecurity shared services” to certain municipalities and county governments—while other CISOs indicated initial steps or plans to do so. Yet others indicated they had no plans to adopt such an approach.

A number of states pointed to the federal State and Local Cybersecurity Grant Program (SLCGP) as a primary driver of their whole-of-state program. One CISO says that the program “helped drive collaboration and buy-in from the local government entities,” while another tells us, “SLCGP funds have laid the groundwork for baseline cyber capabilities in local governments.” The uncertainty regarding the program’s renewal at the time the survey was conducted may have contributed to some states’ hesitancy to move forward with whole-of-state expansion.¹⁷

Among those respondents most positive about the whole-of-state approach, we heard the following:

• “We currently have adopted a whole-of-state cybersecurity program. We have an enterprise SOC that provides cybersecurity operations support to all executive branch, higher education, cities, counties and school districts.”
• “We do today and will be growing field and regional support going forward.”
• “This is being implemented as an opt-in approach.”
• “We provide a centralized cybersecurity operations center for some local governments and K-12. Given necessary resources, we hope to expand on that.”

The respondents considering a whole-of-state program “in the next few years” are taking different routes. One tells us that they “would like to” implement whole-of-state planning, “as this is the most beneficial model.” Another suggests, “Thinking about it but still need to work out approach and funding model.” Another CISO notes, “We are exploring ideas based on other states’ models.”

Several respondents mentioned collaborations with various vendors and service providers as well as with public higher education. One notes: “We have a partnership with higher ed to deliver cybersecurity assessments for local governments and schools using student resources.” Another explains, “A task force of multiple state agencies has been established to review opportunities on how the state can assist local governments and K-12 schools with cybersecurity efforts.”

Whole-of-state planning and activity is directly linked to how states structure their cybersecurity strategy: either centralized, with the CISO’s office responsible for the enterprise policy and services; or federated, with the CISO responsible for enterprise policy with a mix of centralized shared services and agency-led services specific to each. Our survey results suggest that CISOs are increasingly favoring a centralized model (figure 12).

The CISO role expands beyond security into strategy and governance

It wasn’t always a given that the CISO would be central to a state’s information technology organizations. In 2010, when Deloitte and NASCIO began this biennial survey, states handled cybersecurity in a far less systematic and robust way. Few states defined roles and responsibilities in statutes and not every state even had a top executive overseeing information security, much less someone with an official CISO title.²¹

What we’ve seen over the years is a steady expansion of state CISOs’ portfolio of responsibilities. For example, between the 2022 survey and this year’s survey, the fraction of state CISOs offering strategy, governance and risk management services to state agencies rose from 81% to 100% (figure 17). CISOs have become a primary resource for cybersecurity throughout state government.

Resource crunch: Funding slows as talent demand grows

The cyber threat landscape is becoming only more treacherous, and the scope of CISOs’ responsibilities continues to grow—yet resources aren’t keeping up with the demand. Unlike most IT projects, cybersecurity is never finished. Cybersecurity is an ongoing struggle against increasingly sophisticated adversaries.

This year’s survey revealed that after several years of relatively strong budget support, there has been a serious turning of the tide: The budget picture in many states is bleak. At the same time, CISOs continue to struggle in the area of talent, reporting a serious gap between the capabilities of their staff and the demands they are facing.

Funding is falling short

Eight states reported year-over-year cybersecurity budget reductions, with three noting annual reductions of more than 5%. More than half saw either a modest increase or a flat budget (figure 21).

The role of SLCGP funding helps—but uncertainty limits adoption

Many states have relied on the federal SLCGP to bolster operational funding as well as for additional programs targeted to help local government.

Several CISOs told us how they were using SLCGP funding to extend cyber protection:

• “We are utilizing funds to deploy multi-factor authentication (MFA) hardware tokens to state accounts and providing MFA tokens to local governments.”
• “We have extended services (endpoint protection and response, security awareness training and vulnerability management) to 85% of local government, with a goal of reaching 100% by next year.”
• “We have awarded critical service improvement projects to many local government agencies. Cyber assessments are also being done through the SLCGP funding for small local government entities, helping to inform other cybersecurity projects to be collectively funded.”
• “We have seen an increase in adoption of foundational controls like the use of .gov, MFA and cyber training with some submissions to replace end-of-life and end-of-support hardware or software.”

But CISOs also told us that more funding would be helpful. Nearly 40% of CISOs stated that SLCGP grants were inadequate, with another 37% saying that an increased amount would be beneficial (figure 23). 

Appendix 2: Additional survey analysis deep dives