Many state information and security officials say they do not have the budget, resources, staff or expertise to have full confidence in their ability to protect their government networks from attacks. cyberattacks, according to the new Deloitte-NASCIO cybersecurity study conducted with officials from all 50 countries. States and DC
“The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the functioning of government itself,” said Srini Subramanian, director of Deloitte & Touche LLP and a global leader in government and public services business consulting. “And CISOs have an increasingly challenging mission: making technology infrastructure resilient in the face of ever-increasing cyber threats. »
THE biennial cybersecurity report explained where new threats are coming from and what vulnerabilities these teams have.
Governments are relying more on servers to store information or transmit it via the Internet of Things or connected sensors. The infrastructure of systems such as public transportation and electricity also relies heavily on technology, and all connected online systems create more opportunities for attack.
The emergence of AI also creates new ways for bad actors to exploit vulnerabilities, as it facilitates phishing scams and audio and visual counterfeits.
Deloitte found encouraging data that shows the role of the state’s chief information and security officer has been prioritized in each state’s government tech team, and statutes and laws have been introduced in some States that give more authority to CISOs.
In recent years, CISOs have taken charge of the vast majority of security management and operations, strategy, governance, risk management and incident response for their state, the report said.
But despite the growing weight of these roles, some CISOs surveyed said they don’t have the resources to have confidence in their team’s ability to manage old and new cybersecurity threats.
Nearly 40% said they don’t have enough funds for projects that meet regulatory or legal requirements, and nearly half said they don’t know what percentage of their state’s IT budget is dedicated to cybersecurity.
Talent is another issue: about half of CISOs say they are understaffed when it comes to cybersecurity, and 31% say there is an “insufficient availability” of professionals to perform these tasks. The survey, however, shows that CISOs reported better skills of their staff in 2024 compared to 2020.
Staffing CISOs themselves, due to burnout, has been a growing problem since the pandemic, according to the report. Since the 2022 survey, Deloitte noted that nearly half of all states have seen turnover of their security chiefs, and the median tenure is now 23 months, up from 30 months last time. investigation.
When it came to generative AI, CISOs seemed to see both the opportunities and the risks. Respondents cited generative AI as one of the newest threats to cybersecurity, with 71% saying they believe it poses a “high” threat; 41% of those surveyed said they did not trust their team to be able to handle them.
Although they believe AI poses a threat, many teams have also reported using the technology to improve their security operations. Twenty-one states already use some form of AI, and 22 states will likely begin using it within the next year. As for national legislation on AIit is studied on a case by case basis.
One CISO said in the report that his team was “in the discovery phase with an executive order to study the impact of Generation AI on security in our state,” while another said they had “created a committee that is examining use cases, policies, procedures and best practices for Generation AI.
CISOs face these budget and talent constraints as they aim to address new threats and secure aging technology systems that leave them vulnerable.
The report outlines some tactics tech departments could use to address these challenges, including leveraging government partners, working creatively to increase budgets, diversifying their talent pipeline, continuing policy conversations about AI, and promoting the role of CISOs in the digital transformation of government operations.