2014 Deloitte-NASCIO cybersecurity study
State governments at risk: Time to move forward
The third biennial Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study, conducted in the spring of 2014, assessed the state of cybersecurity initiatives administered by state chief information security officers (CISOs). CISOs from 49 states participated in the survey and 186 elected and appointed business leaders from a broad cross-section of states responded to a parallel survey. The study highlights the challenges that states and chief information officers (CIOs)/CISOs face in protecting states’ critically important systems and data. The survey results call for greater communication and collaboration with business leaders.
States collect, share and use large volumes of citizen information, making them a growing target for sophisticated attacks. Communicating cybersecurity risks and the potential impact to the business and elected state leaders can help with addressing current challenges defined in the study.
– Srini Subramanian, principal and leader of Deloitte & Touche LLP’s Cyber Risk Services practice to state governments
Key findings of the 2014 Deloitte-NASCIO Cybersecurity Study
- Maturing role of the CISO: The state CISO role continues to gain legitimacy in authority and reporting relationships. The responsibilities of the position are becoming more consistent across states, yet they are also expanding. CISOs today are responsible for establishing a strategy, executing that strategy, managing risk, communicating effectively with senior executives and business leaders, complying with regulators, and leading the charge against escalating cyber threats using various security technologies.
- Budget-strategy disconnect: The improving economy and states’ growing commitment to cybersecurity have led to an increase – albeit small – in cybersecurity budgets. CISOs have also been successful at tapping supplemental resources, whether from other state agencies, federal funding, or various agency and business leaders. Nevertheless, budgets are still not sufficient to fully implement effective cybersecurity programs, and inadequate funding continues to be the top barrier cited by state CISOs. In addition, survey responses show that there may be additional barriers to implementing successful initiatives: namely, the lack of a well-thought-out and fully vetted cybersecurity strategy and priorities.
- Cyber complexity challenge: State information systems house a wide range of sensitive citizen data, making them especially attractive targets for cyber-attacks. CISOs are concerned about the intensity, volume and complexity of cyber threats, which run the gamut from malicious code to zero-day attacks. They need to stay abreast of existing and emerging threats to establish and maintain the security of an information environment that now increasingly extends from internal networks to the cloud and mobile devices. State officials appear more confident than CISOs in the safeguards against external cyber threats, perhaps a result of ineffective communication of risks and impacts.
- Talent crisis: The skill sets needed for effective cybersecurity protection and monitoring are in heavy demand across all sectors. Private sector opportunities and salaries are traditionally better than those offered by government. Not surprisingly, state CISOs are struggling to recruit and retain people with the right skills, and they will need to establish career paths and find creative ways to build their cybersecurity teams. Furthermore, as states turn to outsourcing and specialist staff augmentation as a means to bridge their cybersecurity talent gap, it is imperative for CISOs to manage third-party risks effectively.
Despite continuing challenges, CISOs are centralizing and standardizing security practices, launching broad-based awareness campaigns, and looking for ways to attract the right talent to join them in the fight against cybercrime and in protecting states’ critical infrastructure.
The study compares the responses from the CISOs and the state officials, along with the relevant results from the 2010 and 2012 Deloitte-NASCIO cybersecurity studies. These comparisons provide additional context for evaluating the implications of this year’s results.
Time to move forward infographic