Many state information and security officials say they do not have the budget, resources, personnel or expertise to have full confidence in their ability to protect their government networks from cyberattacks, according to a new Deloitte & Touche survey of officials in all 50 states and the District of Columbia.
“The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the functioning of government itself,” said Srini Subramanian, director of Deloitte & Touche LLP and a global leader in government and public services business consulting. “And CISOs have an increasingly challenging mission: making technology infrastructure resilient in the face of ever-increasing cyber threats.”
The biennial report on cybersecurity, published Monday, describes the origin of the new threats and the vulnerabilities of these teams.
Governments are relying more on servers to store information or transmit it via the Internet of Things or connected sensors. The infrastructure of systems such as public transportation and electricity also relies heavily on technology, and all connected online systems create more opportunities for attack.
The emergence of AI also creates new ways for bad actors to exploit vulnerabilities, as it facilitates phishing scams and audio and visual deepfakes.
Deloitte found encouraging data that shows the role of the state’s chief information and security officer has been prioritized in each state’s government tech team, and statutes and laws have been introduced in some states to give more authority to CISOs.
In recent years, CISOs have taken charge of the vast majority of security management and operations, strategy, governance, risk management and incident response for their state, the report said.
But despite the growing weight of these roles, some CISOs surveyed said they don’t have the resources to have confidence in their team’s ability to manage old and new cybersecurity threats.
Nearly 40% said they don’t have enough funds for projects that meet regulatory or legal requirements, and nearly half said they don’t know what percentage of their state’s IT budget is dedicated to cybersecurity.
Talent was another issue, with about half of CISOs saying they were understaffed when it came to cybersecurity, and 31% saying there was “insufficient availability” of professionals to perform these tasks. The survey, however, shows that CISOs reported better skills of their staff in 2024 compared to 2020.
Staffing the CISO role itself has been a growing problem since the pandemic because of burnout, according to the report. Since the 2022 survey, Deloitte noted that nearly half of all states have seen turnover of their security chiefs, and the median tenure is now 23 months, compared with 30 months in the last survey.
When it came to generative AI, CISOs seemed to see both the opportunities and the risks. Respondents cited generative AI as one of the newest threats to cybersecurity, with 71% saying they believe it poses a “high” threat; 41% of those surveyed said they did not trust their team to be able to handle them.
Although they believe AI poses a threat, many teams have also reported using the technology to improve their security operations. Twenty-one states already use some form of AI, and 22 states will likely begin using it within the next year. As for national legislation on AI, this is examined on a case-by-case basis.
A CISO said in the report that his team was “in the discovery phase with an executive order to study the impact of generation AI on security in our state”; another said they had “created a committee that reviews use cases, policies, procedures, and best practices for Generation AI.”
CISOs face these budget and talent constraints as they aim to address new threats and secure aging technology systems that leave them vulnerable.
The report outlines some tactics tech departments could use to address these challenges, including leveraging government partners, working creatively to increase budgets, diversifying their talent pipeline, continuing policy conversations about AI, and promoting the role of CISOs in the digital transformation of government operations.