US State CISOs Struggling with Insufficient Cybersecurity Funding

Nearly 40% of US state CISOs believe that their cybersecurity budgets fall short of what they need to keep assets and citizens safe, according to a new report by Deloitte and the National Association of Chief Information Officers (NASCIO).

More than a third do not have a dedicated cybersecurity budget. Four of the 51 state CISOs surveyed revealed that their state IT budgets allocate less than 1% for cybersecurity.

Lack of sufficient cybersecurity budget was cited by 35% of respondents as a top five barrier confronting CISOs in addressing cybersecurity challenges. This represents a substantial increase from 2022, when 25% highlighted insufficient budget as a top five barrier.

These funding issues come despite rising cyber-attacks on US public bodies and increasing demands on their CISOs, with 86% stating that their responsibilities are growing.

This includes a big jump in the proportion of CISOs that are responsible for maintaining data privacy in their state, from 60% in 2022 to 86% in 2024. This is likely due to the introduction of new state privacy laws.

Read now: US Federal Data Privacy Law Introduced by Legislators

There has also been an increase in US states passing legislation on elements of cybersecurity. For example, 35% of states have instituted a cyber-threat information sharing program between state authorities, law enforcement and private entities, up from 23% in 2022.

Srini Subramanian, principal, Deloitte & Touche LLP, commented: “The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself, and CISOs have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.”

Just over half (51%) of the CISOs surveyed said they had between six and 25 cybersecurity professionals on staff, while 45% had 26 or more. In 2022, just 34% had more than 26 cybersecurity professionals on their staff.

Third-Party Breaches the Biggest Threat

Security breaches involving a third party was the biggest cyber-threat faced by state CISOs, cited by 73%. This is significantly higher compared to 2022, which was 44%.

The next biggest threats highlighted by the CISOs was AI-enabled attacks (71%), foreign state-sponsored espionage (67%), phishing, pharming, and other related variants (65%) and vulnerability exploitation (57%).

State CISOs Concerned About AI Threats

Many CISOs expressed concern about the unique security risks associated with AI and gen AI, with 41% either not confident at all (8%) or not very confident (33%) about handling AI-enabled attacks.

A similar proportion (43%) were somewhat confident and 10% very confident.

All but two of the 51 state CISOs were involved in their state’s generative AI (GenAI) security policy development.

Additionally, 21 reported already using GenAI to improve security operations, while another 22 plan to adopt GenAI for this purpose in the next 12 months.

Despite the level of concern around AI, only a quarter of state CISOs cited implementing GenAI security controls in their top five security initiatives for 2024-2025.

The 2024 biennial Deloitte-NASCIO report surveyed state CISOs from all 50 states and the District of Columbia.