The 2018 Deloitte-NASCIO Cybersecurity Study States at risk: Bold plays for change
23 October 2018
State CISOs have gained considerable influence since the role first appeared—but crucial funding and talent challenges remain. Three bold actions can help today’s state CISOs find the resources to safeguard their state’s IT infrastructures.
US state chief information security officers (CISOs) have an opportunity to pursue three “bold plays” that can help them address persistent budgetary and talent challenges to improving their state’s cybersecurity posture, according to a new survey by Deloitte & Touche LLP and the National Association of State Chief Information Officers (NASCIO).
Learn More
Create a custom PDF or download the full report
Read the 2016 survey
Explore the Government and public services collection
Subscribe to receive related content
State CISOs have increased in visibility and influence since the role first appeared almost a decade ago, says the 2018 Deloitte-NASCIO Cybersecurity Study—States at risk: Bold plays for change. Yet many still struggle to secure funding for cybersecurity initiatives and find qualified talent. To help address these challenges, state CISOs can leverage their increased visibility and influence to:
- Advocate for dedicated cyber program funding. CISOs can raise cybersecurity’s profile with the state legislature and executive branch by making it a line item in the IT budget. They can also seek funding from large federal agencies to implement their security requirements and controls.
- Be an enabler of innovation, not a barrier. CISOs should actively participate in shaping their state’s innovation agenda, collaborate with state digital and innovation officers, and lead the charge to help program leaders embrace and securely adopt new technologies.
- Team with the private sector and higher education. CISOs can leverage public-private partnerships and collaborations with local colleges and universities to provide a pipeline of new talent through internships, co-ops, and apprenticeship programs. They could also consider outsourcing some cybersecurity functions to external providers.
Despite funding and talent challenges, the state CISO role is rapidly maturing, and the CISOs themselves are taking on a greater scope of authority. All 50 states have established the CISO’s authority via the legislature, secretary, or CIO. In addition, most states now have documented and approved cybersecurity governance plans—40 states in 2018, compared to just 29 states in 2016. The vast majority of CISOs (90 percent, up from 76 percent in 2016) have extended their scope of authority beyond their own agency to align with all executive agencies in their state government.
Further evidencing their growing mastery of the role, many CISOs have expanded cybersecurity awareness training and security threat assessments. Most states—94 percent in 2018, up from 84 percent in 2016—deliver cybersecurity training to state employees and contractors at least annually. In addition, CISOs are conducting more regular assessments of top security threats. In particular, this year’s survey showed a dramatic rise since 2016 in monthly assessments for Web applications, the top threat experienced by CISOs this year.
States also show they are beginning to take steps to address privacy, an emerging issue related to cybersecurity. Notable in this year’s survey, more states than in previous surveys report having a chief privacy officer (CPO): In 2018, more than a quarter of states had one, compared to less than a fifth in 2016.
Perhaps most encouragingly, cybersecurity is being elevated to state leadership as a key issue on a regular basis. This year’s survey found that CISOs have increased their regular reporting to state leadership. A fifth of state respondents said that they report monthly to the governor, and a third report monthly to the state secretary or deputy secretary. Monthly reporting to business stakeholders has also increased—to 25 percent, up from 10 percent in 2016. And more states are engaging with both business line and technology decision-makers in making strategy decisions—88 percent in 2018, up from 75.5 percent in 2016.
Cyber Risk Services
Deloitte’s cyber risk services help complex organizations more confidently leverage advanced technologies to achieve their strategic growth, innovation, and performance objectives through proactive management of the associated cyber risks. Deloitte provides advisory, implementation, and managed cybersecurity services to help our government clients transform legacy security programs to Secure.Vigilant.Resilient.™ cyber risk programs. Deloitte’s demonstrated approach and methodology helps its clients better align security investments with risk priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents.
Learn more
Get in touch
- Srini Subramanian
- Principal, Government & Public Services State, Local & Higher Education leader
- Deloitte & Touche LLP
- ssubramanian@deloitte.com
- +1 717 651 6277
