Key takeaway 3: Setting a new course
Emerging from the pandemic, CISOs can position themselves for the future
Nearly three years since the pandemic began, the world in which CISOs operate has changed. In the realm of technology, many applications have migrated to the cloud. And with remote work, digital and mobile platforms have become part of the fabric of daily life through which people work, communicate, and transact. Remote or hybrid work may become a permanent fixture, posing new management challenges. Citizens, now used to the convenience of remote access, are likely to demand more and improved digital experiences from government—for everything from renewing licenses to paying taxes to receiving state benefits—all the while expecting security and privacy safeguards for their information.
The role of the state CISO only grows in importance in this environment. Bad actors exploited the dispersed work-from-home arrangements during the pandemic, increasingly indulging in activities such as ransomware attacks and financial fraud. Geopolitical developments also added to the complications with foreign state-sponsored espionage and threats to election security. All the while, new technologies from cloud computing to artificial intelligence offer both new capabilities and vulnerabilities to consider.
To forge ahead, CISOs need to secure the basics—a sound budgetary foundation—while they consider new technological capabilities to modernize operations and constituent services.
Firm financial footing sets a lasting foundation
For the first time since this survey began in 2010, CISOs are reporting that budgetary concerns are no longer a top barrier to cybersecurity initiatives. The lack of a sufficient cybersecurity budget didn’t even rank in the top five concerns, landing behind legacy infrastructure, talent shortage, and other issues (figure 1).
Over the last year, state receipts were greater than expected due to pandemic relief funds and other factors. In fiscal year 2022, state budget spending grew at 13.6%, the highest increase in more than 40 years, and in fiscal year 2023, state budget spending is expected to grow by 4.2% over prior year levels.2 Meanwhile, state and local governments are poised to receive new cybersecurity grants over the next four years under the State & Local Cybersecurity Grant Program. It is unclear how long this positive budgetary scenario will last. But at this unique moment, CISOs have a chance to make greater progress on their priorities.
To assume a leadership role appropriate to oncoming challenges in the postpandemic era, states must establish a sound long-run financial foundation for cybersecurity. As digitization becomes increasingly widespread, state cybersecurity funding cannot be left to chance year after year. CISOs need to be able to draw upon a constant, dependable source of funding throughout different economic and political cycles. Most states do have a dedicated budget line item for cybersecurity, whether established by law, executive order, or other mechanisms (figure 21). In those states that do not, CISOs and CIOs must continue to push for it.