More than half of U.S. chief information security officers (CISOs) in a new Deloitte study have confidence in outsourcing security operations center tasks, and greater than 60% are confident in the cybersecurity services of third-party vendors such as managed security service providers (MSSPs).
The study, State Cybersecurity in a Heightened Risk Environment, is a joint effort between Deloitte and the National Association of State Chief Information Officers (NASCIO). It reveals that CISOs throughout the U.S. gained considerable strength and authority over the past few years as they moved operations and services to the cloud and accelerated digital transformations.
Even though cybersecurity is top-of-mind for state CISOs, budgets have not followed suit. While 30 U.S. states have increased their cybersecurity budgets from 2021 to 2022, most still allocate only 2% and 10% of their budgets to cybersecurity efforts, according to the study.
Staffing a Top Concern of CISOs
Here are 10 of the survey’s key findings:
- The lack of cybersecurity professionals and other staff remains among the top five barriers cited by state CISOs.
- Headcounts for state cybersecurity professionals remain about the same as in 2020, and more than 60% report gaps in competencies among their personnel.
- It is an imperative to provide for greater security across the entire state through a tighter collaboration with local governments and state higher education institutions.
- All 50 states now have a CISO, and many are establishing new positions for chief privacy officers, chief risk officers and identity program directors.
- More state legislators are codifying the role of the CISO into state law and funding the position. They are also codifying several cyber initiatives into state law, such as enterprise risk management frameworks, cybersecurity legislative councils and cybersecurity training.
- More states now require CISOs to provide periodic reports to senior state officials, such as the governor, legislature and agency secretaries.
- CISOs are looking to establish and activate a shared security services approach to enable a whole-of-state approach to protecting local governments and public higher education institutions.
- Emerging technologies present new opportunities. CISOs have an even more critical role to play in guiding the evaluation and implementation of new technologies.
- State CISOs confirm that many applications have migrated to the cloud.
- Cloud computing, artificial intelligence and robotic process automation have enabled states to further enhance digital modernization in service of their missions and constituents.
Further Insights From The Study
Five additional takeaways from the survey include:
- Many state CISOs identified the drafting and implementation of the Zero Trust framework as a key initiative.
- CISOs say that malware, ransomware and phishing attempts continue to present security challenges. Concern among CISOs about foreign state-sponsored espionage has also risen significantly.
- CISOs found that the three leading causes of cyber incidents remain web applications, malicious code and financial fraud. However, CISOs note a rise in cyber incidents involving foreign state-sponsored espionage, zero-day attacks and attacks against cloud platforms.
- Nearly one-third of state CISOs say that state agencies manage cyber incidents on their own.
- State CISOs are starting to incorporate diversity, equity and inclusion (DEI) practices, such as designating a DEI leadership position or teams to foster a culture of inclusion.
Adding perspective to the survey results, Srini Subramanian, principal, Deloitte & Touche LLP, said:
"Deloitte's global risk advisory leader for government and public services. State CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next generation of highly capable cyber talent."
