2014 Deloitte - NASCIO cybersecurity study

Maturing role of the CISO: State CISO role continues to gain legitimacy in authority and reporting relationships. The responsibilities of the position are becoming more consistent across states, yet expanding. CISOs today are responsible for establishing a strategy, execution of that strategy, risk management, communicating effectively with senior executives and business leaders, complying with regulators, and leading the charge against escalating cyber threats using various security technologies.

Budget-strategy disconnect: The improving economy and states’ growing commitment to cybersecurity have led to an increase – albeit small – in the budgets. CISOs have also been successful at tapping supplemental resources, whether from other state agencies, federal funding, or various agency and business leaders. Nevertheless, budgets are still not sufficient to fully implement effective cybersecurity programs – it continues to be the top barrier for state CISOs. In addition, survey responses show that there may be additional barriers to implementing successful initiatives: namely the lack of well-thought-out and fully vetted cybersecurity strategy and priorities. 

Cyber complexity challenge: State information system has a wide range of sensitive citizen data, making them especially attractive targets for cyber-attacks. CISOs are concerned about the intensity, volume and complexity of cyber threats that run the gamut from malicious code to zero-day attacks. They need to stay abreast of existing and developing threats to establish and maintain the security of an information environment that now increasingly extends from internal networks to the cloud and mobile devices. State officials appear more confident than CISOs in the safeguards against external cyber threats, perhaps a result of ineffective communication of risks and impacts.

Talent crisis: The skill sets needed for effective cybersecurity protection and monitoring are in heavy demand across all sectors. Private sector opportunities and salaries are traditionally better than those offered by government. Not surprisingly, state CISOs are struggling to recruit and retain people with the right skills, and they will need to establish career paths and find creative ways to build their cybersecurity teams. Furthermore, as states turn to outsourcing and specialist staff augmentation as a means to bridge their cybersecurity talent gap, it’s imperative for CISOs to manage third-party risks effectively.

Despite continuing challenges, CISOs are centralizing and standardizing security practices, launching broad-based awareness campaigns, and looking for ways to attract the right talent to join them in their fight against cybercrime and protecting states’ critical infrastructure.