State cyber officials’ confidence is down, survey finds
PixeloneStocker via Getty Images
By
Chris Teale
The study by NASCIO and Deloitte found that just 26% of respondents are extremely or very confident they can protect themselves from cyber threats, down from 48% in 2022.
PHILADELPHIA — State cybersecurity officials appear less confident they can protect themselves against threats to their systems and assets, according to a survey released last week.
The survey by the National Association of State Chief Information Officers and Deloitte found that just 26% of state chief information security officers say they are “extremely” or “very” confident that they can protect themselves from cyber threats. That’s a reduction from the 2022 edition of this survey, when 48% said they were confident of protecting themselves.
Experts put that dramatic drop in confidence down to the continued growth of artificial intelligence, which is already being exploited by bad actors and hackers connected to nation-states. And while AI’s defensive capabilities are already being used, keeping up with threat actors will be a constantly moving target.
“The thing with AI is that the fundamentals of cyber have not changed,” Kansas CISO John Godfrey said during a panel discussion at NASCIO’s Mid-Year Conference in Philadelphia last week. “The issue is really just about the speed by which we don't take action. Part of the challenge we have is that if we had a tech gap before, then that gap is growing even more to the extent to which we continue to face machine speed threats as humans. Part of the challenge here is how do we continue to evolve, adapt and improve our abilities to catch up with that level of velocity that we need?”
One aspect of CISOs’ work that has shifted in recent years is around metrics reporting, with 49% saying it is one of their state’s top cybersecurity priorities. That is a major jump from the 25% that said so in 2024 and 15% in 2022, and it’s a trend that NASCIO said shows that CISOs are being asked to track the effectiveness of cybersecurity spending, although that in itself is tricky. Metrics like incident response time and the click rate on a phishing email are two ways CISOs can show a return on the investment, NASCIO said.
However, the financial aspect of cybersecurity professionals’ roles appears to be weighing heavily, as 16%of CISOs reported their budget had been cut, compared to zero who reported such reductions in 2024. And while the majority said their cybersecurity budgets had either stayed stable or increased — with 10% of those surveyed reporting an increase of 10% or more — the report said the findings “paint a grim picture.”
NASCIO said the funding challenges could be blamed on several factors, including the growing pressure on states’ general funds; the expiration of one-time federal funding from COVID-19 and the years immediately following; and reduced federal support from the likes of the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center.
The group also pointed to continuing uncertainty around the future of the State and Local Cybersecurity Grant Program, which has received a reauthorization vote in the House, but is yet to receive one in the Senate and still lacks additional appropriations.
NASCIO Director of Government Affairs Alex Whitaker said during a briefing at the conference that the group has requested an appropriation of $300 million for the program in FY 2027, although he acknowledged being “reluctant” to offer a specific dollar amount for an effort that will take years and need billions of dollars.
“I also view it as a starting point,” Whitaker said. “SLCGP is not a silver bullet. It is addressing some low hanging fruit in cybersecurity, but it's something that I think that hopefully we can build on to make sure that folks in Congress understand that states need more support on this, local governments as well.”
CISOs’ jobs are likely to get more complex, too. The vast majority (94%) said they are involved in developing policies for their state’s use of generative AI, while 84% are responsible for forming strategy on the technology’s use.
Meanwhile, the growth of whole-of-state cybersecurity strategies is also presenting headaches for state CISOs. Just over 60% said they are “not very confident” in the ability of their local governments and higher education institutions to secure public data, a significant rise from 2022’s figure of 35%.
It won’t be easy, observers warned, given the budgetary concerns states face.
“This is where the resource crunch becomes most acute,” Tim Miller, global field chief technology officer and chief cybersecurity strategist at software company Dataminr, wrote in a blog post. “States are being asked to extend protection downward — to county governments, school districts, municipalities that have no dedicated security staff — with budgets that are, in many cases, flat or declining.”
With a whole-of-state strategy requiring more information sharing, a shared response to threats and better coordination, the finding suggests CISOs are concerned about the cybersecurity postures of other governmental units and keen to adopt a whole-of-state approach.
“Government and industry partnership is essential to navigating the modern, AI-enabled cyber threat landscape — as the report underscores, a whole-of-state approach becomes a force multiplier when supported by an open platform that integrates data from any source, and enables real-time threat detection, investigation and response across diverse environments,” Bobby Suber, senior manager for solutions architecture for state, local and education at tech company Elastic, said in an email.