Tightening Budgets and AI-Enabled Attacks Stretch State Cyber Defenses

State Chief Information Security Officers (CISOs) across the United States are facing a confluence of challenges as they grapple with the implications of rising artificial intelligence (AI) threats paired with tightening budgets and expanding attack surfaces. Amid these increasingly daunting circumstances, many CISOs express significant concern regarding their preparedness to effectively combat cyber threats.
According to the latest findings from the 2026 NASCIO-Deloitte Cybersecurity study, only 22% of CISOs reported feeling extremely or very confident about the protection of state data from cyber threats. This figure represents a dramatic decline from 48% in 2022. The survey indicates that local government and public higher education sectors are significantly more vulnerable, with 63% of CISOs expressing a “not very confident” stance regarding the cybersecurity of these institutions. This lack of confidence marks an alarming increase from the 35% recorded just four years prior.
Michael Wyatt, a cyber principal at Deloitte and co-author of the study, elaborates on the situation. He notes that the complexity of the threat landscape has significantly changed in recent years. “AI-accelerated attacks, more sophisticated threats, third-party vendor risks, and budget constraints are creating a cumulative impact,” Wyatt states. “This shift is a substantive cause of the declining confidence levels among state CISOs.”
As states recognize the potential of AI to amplify emerging threats as well as strengthen their cyber defenses, they are simultaneously trying to adapt to these new realities. While nearly all states are either currently utilizing or planning to integrate generative AI into their cybersecurity frameworks, only 2% of state CISOs feel “very confident” in their ability to defend against AI-enabled attacks—a drop from 10% in 2024. Furthermore, a concerning 47% of CISOs reported being “not very confident” or “not confident at all” regarding their defenses against these advanced threats, up from 41% just two years prior.
Concerns about AI are not limited to the way it enhances attackers' capabilities. A state CISO voiced an alarming reality during the NASCIO discussions, explaining how generative AI enables adversaries to execute highly targeted phishing scams, automate exploitation of vulnerabilities, and quickly identify and exploit known security weaknesses. However, when effectively implemented, AI can also furnish state IT security teams with enhanced capabilities for real-time threat analysis, automation of mundane tasks, and more rapid incident response, which underscores the importance of strong governance and risk management practices.
On a more optimistic note, states that have adopted AI for cybersecurity are already seeing significant returns on investment. For example, those that are incorporating AI into their security operations centers are using it effectively for triage, alert summaries, and enrichment of Security Information and Event Management (SIEM) systems. Wyatt acknowledges, “If adversaries are deploying these advanced tools, defenders must have access to similar resources.” Currently, 23 states report their use of generative AI in security operations.
The study also sheds light on the critical risks arising from third-party vendors who may activate AI features in existing software without transparent communication to their clients. Wyatt emphasizes the need for clarity from vendors regarding the AI capabilities that are being turned on, and for thorough security reviews prior to activation. Additionally, states should have the option to opt out of these features if they do not align with their security posture.
Concerns regarding third-party breaches are paramount, with 78% of state CISOs citing them as a major worry. Legacy infrastructure continues to pose a significant challenge in safeguarding state data, noted by 65% of CISOs, with the complexity and sophistication of emerging threats compounding these difficulties.
In light of these evolving complexities, successful CISOs continue to employ a systematic approach to cybersecurity. By cataloging legacy systems and assessing them based on exposure and criticality, they prioritize the highest-risk areas. This methodology also includes wariness about merely relocating vulnerabilities during cloud migrations: such efforts should ultimately reduce risk rather than shift it from one environment to another.
Constant budgetary challenges further complicate the situation. Only 22% of states anticipate their cybersecurity budgets will increase by 6% or more in the coming year, a stark decrease from the 40% reported in 2024. Alarmingly, 16% of CISOs noted reductions in their budgets this year, which is a significant shift from two years ago when no agencies reported budget cuts. The depletion of pandemic-era federal aid, coupled with the recent toll of transitioning the Multi-State Information Sharing and Analysis Center (MS-ISAC) to a paid membership model, has effectively halved the number of participating states, according to Wyatt.
Questions surrounding the future of funding through programs like the State and Local Cybersecurity Grant Program remain unresolved in Congress, and many CISOs describe the aid as “inadequate.” This funding shortfall underscores the immense pressure on state cybersecurity initiatives. Consequently, 49% of CISOs cite developing “metrics to measure and report effectiveness” as their top cybersecurity objective for 2026, a notable increase from just 15% in 2022. They aim to provide compelling evidence to skeptical lawmakers who may lack a comprehensive understanding of the latest technologies and their implications for state security.
The states that successfully secure funding leverage well-planned multi-year roadmaps that align with budgets, ensuring annual reporting of outcomes in terms of mission continuity rather than solely focusing on incidents mitigated.
In response to the continuously changing threat landscape, many states are adopting a “whole-of-state” cybersecurity model, which extends services to counties, municipalities, K-12 districts, and critical infrastructure operators. Wyatt highlights Texas as a noteworthy example of this comprehensive approach, noting that the Texas Cyber Command operates independently of federal funding, relying solely on state appropriations. This model is prompting other states to contemplate how they can enhance their cybersecurity investment strategies.
The evolving nature of the CISO role has not gone unnoticed. CISOs are becoming increasingly recognized as strategic partners in governance and risk management. Currently, every state CISO is offering these essential services to state agencies, a significant increase from 81% in 2022. Meanwhile, the proportion of CISOs supervising emerging technologies has surged from 38% to 69%, with 76% now responsible for safeguarding state systems against AI threats, and 67% overseeing responsible AI deployment by public employees. Wyatt commends this elevation of the CISO role, noting that many now hail from CIO, CTO, or business backgrounds, indicating a shift towards valuing business acumen, regulatory understanding, and cross-functional collaboration over purely technical competencies. As cybersecurity challenges continue to evolve, the integration of these diverse skill sets will be crucial in fortifying state defenses against a myriad of threats.