LEXINGTON, Ky., Oct. 14, 2020 — Today Deloitte and The National Association of State Chief Information Officers (NASCIO) released their 2020 Cybersecurity Study, “States at Risk: The Cybersecurity Imperative in Uncertain Times.” The national study is based on responses from 51 U.S. state and territory enterprise-level chief information security officers (CISOs). This is the 10th year of this study and the sixth iteration, with a record number of state and territory CISOs participating this year.
The key themes in this year’s study are:
- COVID-19 has challenged continuity and amplified gaps in budget, talent and threats, and the need for partnerships.
- Collaboration with local governments and public higher education is critical to managing increasingly complex cyber risk within state borders.
- CISOs need a centralized structure to position cyber in a way that improves agility, effectiveness and efficiencies.
The report also details focus areas for states during the COVID-19 pandemic. While the pandemic has highlighted the resilience of public sector cyber leaders, it has also called attention to long-standing challenges facing state IT and cybersecurity organizations, such as securing adequate budgets and talent and coordinating consistent security implementation across agencies.
These challenges were exacerbated by the abrupt shift to remote work spurred by the pandemic. According to the study:
- Before the pandemic, 52% of respondents said less than 5% of staff worked remotely.
- During the pandemic, 35 states have had more than half of employees working remotely; nine states have had more than 90% remote workers.
“The last six months have created new opportunities for cyber threats and amplified existing cybersecurity challenges for state governments,” said Meredith Ward, director of policy and research at NASCIO. “The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”
“The pandemic forced state governments to act quickly, not just in terms of public health and safety, but also with regard to cybersecurity,” said Srini Subramanian, principal, Deloitte & Touche LLP, and state and local government advisory leader. “However, continuing challenges with resources beset state CISOs/CIOs. This is evident when comparing the much higher levels of budget that federal agencies and other industries like financial services receive to fight cyber threats.”
State governments’ longstanding need for digital modernization has only been amplified by the pandemic, along with the essential role that cybersecurity needs to play in the discussion. Key takeaways from the 2020 study include:
- Fewer than 40% of states reported having a dedicated budget line item for cybersecurity.
- Half of states still allocate less than 3% of their total information technology budget to cybersecurity.
- CISOs rated financial fraud as a threat three times greater than they did in 2018.
- Overall, respondents said they believe the probability of a security breach is higher in the next 12 months, compared to responses to the same question in the 2018 study.
- Only 27% of states provide cybersecurity training to local governments and public education entities.
- Only 28% of states reported that they had collaborated extensively with local governments as part of their state’s security program during the past year, with 65% reporting limited collaboration.
The 2020 study also revisits the three “bold plays” of the “2018 Deloitte–NASCIO Cybersecurity Study,” covering funding, innovation and collaboration, to assess progress on these strategic issues. While CISOs have made progress in the intervening years, more is needed.
The study is based on responses from U.S. state and territory enterprise-level CISOs. CISO participants answered 61 questions designed to characterize the enterprise-level strategy, governance and operation of security programs.