The 2024 edition of the biennial cybersecurity report from Deloitte and the National Association of Chief Information Officers (NASCIO) found that 86% of state chief information security officers (CISOs) say their responsibilities are growing, yet more than one-third do not have a dedicated cybersecurity budget. Alarmingly, four of the 51 state CISOs surveyed said their state IT budgets allocate less than 1% for cybersecurity.
“The ability of government to deliver on its mission depends on data – and on the security of that data,” said Srini Subramanian, principal, Deloitte & Touche LLP and Deloitte’s Global Consulting Government and Public Services leader. “The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself, and CISOs have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.”
Despite the growing importance of cybersecurity, many state CISOs noted that resources aren’t keeping pace with the growing sophistication of threats. Federal agencies generally earmark more than 10% of their IT budgets for cybersecurity, yet many states have not dedicated resources at the same pace.
The 2024 biennial Deloitte-NASCIO report surveyed state CISOs from all 50 states and the District of Columbia. The emergence of generative artificial intelligence (GenAI) – and its potential benefits and risks – was top of mind for many state technology leaders. Nearly three-quarters of respondents (71%) believe the risk of AI-enabled threats is “high.” However, 41% lack confidence in their team’s ability to handle them. Legacy systems with outdated technology, particularly in public infrastructure such as transportation, water and power, were identified as specific areas of concern.
While acknowledging the potential threat of AI, state CISOs are increasingly turning to AI and GenAI tools to shore up their cybersecurity capabilities. A total of 21 said they are already using GenAI to improve security operations, while another 22 plan to adopt GenAI within the coming 12 months.
“The good news is many state CISOs have been able to increase employee headcounts, adding specialists to their teams who are focused on cybersecurity-related issues,” said Meredith Ward, the deputy executive director at NASCIO and a co-author of the 2024 Deloitte-NASCIO report. “In 2020, 16% of CISOs had fewer than five employees dedicated to cybersecurity initiatives. Today, that percentage has dropped to just 4%. In addition to growing their teams, our research found these leaders are determined to find creative solutions to protect their organizations and the public.”
Nearly every state CISO reported they are involved with developing state strategy and security policy; only two did not.
The 2024 Deloitte-NASCIO Cybersecurity Study can be viewed in its entirety here.