State CISOs have gained considerable influence since the role first appeared—but crucial funding and talent challenges remain. Three bold actions can help today’s state CISOs find the resources to safeguard their state’s IT infrastructures.
US state chief information security officers (CISOs) have an opportunity to pursue three “bold plays” that can help them address persistent budgetary and talent challenges to improving their state’s cybersecurity posture, according to a new survey by Deloitte & Touche LLP and the National Association of State Chief Information Officers (NASCIO).
Read the 2016 survey
Explore the Government and public services collection
Subscribe to receive related content
State CISOs have increased in visibility and influence since the role first appeared almost a decade ago, says the 2018 Deloitte-NASCIO Cybersecurity Study—States at risk: Bold plays for change. Yet many still struggle to secure funding for cybersecurity initiatives and find qualified talent. To help address these challenges, state CISOs can leverage their increased visibility and influence to:
Despite funding and talent challenges, the state CISO role is rapidly maturing, and the CISOs themselves are taking on a greater scope of authority. All 50 states have established the CISO’s authority via the legislature, secretary, or CIO. In addition, most states now have documented and approved cybersecurity governance plans—40 states in 2018, compared to just 29 states in 2016. The vast majority of CISOs (90 percent, up from 76 percent in 2016) have extended their scope of authority beyond their own agency to align with all executive agencies in their state government.
Further evidencing their growing mastery of the role, many CISOs have expanded cybersecurity awareness training and security threat assessments. Most states—94 percent in 2018, up from 84 percent in 2016—deliver cybersecurity training to state employees and contractors at least annually. In addition, CISOs are conducting more regular assessments of top security threats. In particular, this year’s survey showed a dramatic rise since 2016 in monthly assessments for Web applications, the top threat experienced by CISOs this year.
States also show they are beginning to take steps to address privacy, an emerging issue related to cybersecurity. Notable in this year’s survey, more states than in previous surveys report having a chief privacy officer (CPO): In 2018, more than a quarter of states had one, compared to less than a fifth in 2016.
Perhaps most encouragingly, cybersecurity is being elevated to state leadership as a key issue on a regular basis. This year’s survey found that CISOs have increased their regular reporting to state leadership. A fifth of state respondents said that they report monthly to the governor, and a third report monthly to the state secretary or deputy secretary. Monthly reporting to business stakeholders has also increased—to 25 percent, up from 10 percent in 2016. And more states are engaging with both business line and technology decision-makers in making strategy decisions—88 percent in 2018, up from 75.5 percent in 2016.