CyberSecurity SEE

State CISOs Face Challenges with Budgeting and Staffing

State CISOs across the United States are facing an uphill battle as their responsibilities continue to expand while resources remain insufficient to meet the growing demands. According to a newly released biennial cybersecurity report from Deloitte and the National Association of Chief Information Officers (NASCIO), the trend of dedicated CISO offices for every state and the District of Columbia began in the early 2000s with the rise of the Internet and the development of citizen-facing applications.

State governments are attractive cyber targets because of the vast amount of data they collect, share, and use on their residents, ranging from birth records to school and health information. This breadth of data makes state systems prime targets for malicious cyber actors. State CISOs are tasked with building and managing statewide IT security programs, managing cyber-risks and incident response efforts, ensuring compliance with regulations, and more. However, they face challenges similar to those of their corporate counterparts, including limited resources and personnel.

The Deloitte/NASCIO report reveals that many state CISOs are experiencing an increase in responsibilities related to data privacy, risk management, and other areas, yet they lack the necessary funds and staff to effectively address these growing demands. The comparison between state systems and the private sector is stark, with financial services institutions boasting thousands of cybersecurity employees, while 80% of states report having anywhere from five to 50 cybersecurity staff members. This discrepancy underscores the challenge that state CISOs face in accomplishing their goals with limited resources.

Despite these challenges, state CISOs are taking on more responsibilities than ever before, with a focus on providing support to state agencies in various areas including strategy, governance, risk management, security operations, incident response, and network infrastructure. The report indicates that 86% of state CISO offices now handle data privacy, a significant increase from just two years ago, possibly in response to new data privacy regulations.

Budget constraints and staffing shortages remain major obstacles for state CISOs, with most offices lacking adequate resources to meet their expanding workloads. Many state CISOs struggle to justify their cybersecurity programs to leadership and face difficulty in obtaining sufficient budget approval beyond compliance mandates. Additionally, more than half of state CISOs report that their staff lack the necessary competencies to address the demands of the job.

The underlying issues faced by CISOs, whether in the public or private sector, are consistent across the board, as security leaders struggle with budget constraints and justifying the importance of their programs. Pete Nicoletti, global field CISO at Check Point Software, emphasizes the importance of involving non-security personnel in the security process to bridge the gap between security leaders and their colleagues. Some states, like Texas, have implemented innovative approaches to address talent issues and enhance collaboration between academia, the private sector, and government in cybersecurity initiatives.

In conclusion, state CISOs play a critical role in safeguarding sensitive data and mitigating cyber risks for their respective states. However, they face significant challenges due to limited resources, budget constraints, and staffing shortages. Addressing these issues will require a concerted effort from state governments, private sector partners, and academia to support and empower state CISOs in their mission to protect critical infrastructure and citizen information.
