Almost half of CISOs say they don’t have the funds to keep assets or citizens safe

State-level CISOs widely report lapses in funding, and nearly half of them have left the job in the last two years.

Anna Kim

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

State cybersecurity leaders have their work cut out for them—and nowhere near enough cash to do it, according to a recent report by Deloitte and the National Association of State Chief Information Officers (NASCIO).

While every state now has a chief information security officer, and the survey found 98% have some formal authority, 40% of responding representatives for those CISOs’ offices reported that they did not have the budgetary resources “to keep assets and citizens safe.” They also reported limited visibility into their own funding, with 48% saying they couldn’t “readily attribute from available financial data how much of their states’ IT budget is allocated to cybersecurity,” according to Deloitte.

Deloitte also found just 6% of CISOs said they have an allocation of 10% or more of their state’s overall funding for IT functions, though 10% tends to be the baseline for federal agencies’ cybersecurity spend. Four CISOs reported not even having a dedicated budget.

While some reported tapping the State and Local Cybersecurity Grant Program, a federal grant initiative, the CISOs broadly said it wasn’t enough to offset lack of funding elsewhere. One pointedly told Deloitte that the money wasn’t enough to secure aging water and wastewater facilities, which federal agencies have repeatedly warned are susceptible to cyberattacks.

“This level of funding is not enough to make a dent on the needs across the state,” that CISO said, according to the report. “It is off by an order of magnitude, at least if you include critical infrastructure such as drinking water and wastewater.”

Top obstacles reported by CISOs included the inadequacy of legacy systems and solutions against emerging threats, as well as the increasing sophistication of their criminal opponents. Around half reported that staffing difficulties were in their top five challenges.

Another warning sign: The report found the median tenure of a state-level CISO has dropped dramatically. Deloitte researchers wrote that since a prior survey in 2022, 23 states had someone different in the CISO role. The median tenure was down from 30 to 23 months.

State CISOs are continuing to gain new responsibilities as well. From 2022 to 2024, the survey showed, the percentage of CISOs responsible for handling privacy rose from 60% to 86%. That mirrors a spike in new state-level laws and regulations concerning data privacy across the country in recent years.

CISOs may be dropping some other tasks to compensate, according to Deloitte, as the percentage of those responsible for physical security dropped from 54% to 35% from 2022 to 2024.

Respondents said their top priorities for 2025 were aligning cybersecurity initiatives with business ones, enterprise identity and access management, and risk assessments. Other top priorities included cloud, support for local governments, governance, and improving monitoring.
