Public Sector Increasingly Relies on CISOs Amid Continued Digital Threats

According to a Deloitte-NASCIO survey, these executives are leading state and local governments’ responses to the constant threat of cyberattack.

As state and local governments increasingly maintain digital records instead of physical ones, and more servers than ever hold citizens’ health, financial and personal data, the public sector has become an attractive target for cyberattacks.

The digital threats confronting state and local governments are wide and varied, and the emergence of artificial intelligence has introduced more sophisticated mechanisms for exploiting vulnerabilities. As a result, according to the 2024 Deloitte-NASCIO Cybersecurity Study, nearly every state now employs a chief information security officer to execute a range of key services.

A CISO is a senior executive who manages an organization’s information and technology security. Some of the services for which they are responsible include security management and operations; strategy, governance and risk management; and incident response.

With governments looking to CISOs to lead the effort to protect citizens and systems, the role is rising in prominence, and survey results show the CISO is now firmly established as a central part of most states’ information technology organizations.

The role of the CISO has also become more important in light of recent digital attacks on state governments. For example, in February 2023, the city of Oakland, California, faced a serious ransomware attack that impacted many of its IT systems.

According to Deloitte’s report, 98% of state agencies now depend on a CISO for security management and operations, as well as strategy, governance and risk management. The share of state CISOs responsible for maintaining data privacy also jumped, with 86% offering this service to state agencies in 2024, up from 60% in 2022.

As of 2024, 20 states have comprehensive data privacy laws in effect, and survey results revealed that more CISOs are taking on responsibility for privacy than did so in 2022. In some instances, CISOs serve dual roles as both CISO and chief privacy officer, while in other cases, the chief privacy officer reports to the CISO. However, Deloitte found that only 21 states have chief privacy officers.

In addition, CISOs are becoming more involved with generative AI-related developments in many states, as 88% of CISOs reported being involved in generative AI strategy development in 2024 and 96% reported involvement with generative AI security policy development. Despite all of the effort, only 10% of state CISOs said they are very confident their state’s information assets are protected from AI-enabled attacks.

State cybersecurity budgets also pose a challenge, as most cover security management and operations, as well as strategy, compliance and privacy. Fewer cover generative AI governance and security controls. According to the survey, nearly 40% of state CISOs find themselves short of funds to comply with regulatory or legal requirements.

Because demand for cybersecurity experts continues to rise, understaffing and difficulty recruiting and retaining skilled workers continue to be issues. Nearly half of state CISOs in the survey cited a lack of cybersecurity staffing as a top-five challenge, with another 31% citing inadequate availability of digital professionals.

According to the survey summary, state CISOs have an opportunity to educate employers on the latest technologies and potential threats, especially as new threats are constantly emerging. It is also important that CISOs confirm that there is adequate training and oversight of contractors who are allowed access to the state network, attempting to ensure that the digital practices of any contractors are robust.

Deloitte and NASCIO surveyed enterprise-level CISOs from 50 states and the District of Columbia in spring 2024.
