Oct 02 2024
Security

NASCIO 2024: Cybersecurity Study Spotlights Growing Authority, Emerging Threats

States are tapping their CISOs’ expertise in digital transformation and generative artificial intelligence.

The biennial cybersecurity study produced by the National Association of State Chief Information Officers and Deloitte notes a growing role for state CISOs in the face of emerging threats to government enterprise.

At the NASCIO 2024 annual conference Monday, state CISOs discussed the 2024 Deloitte-NASCIO Cybersecurity Study. They said that the CISO role has been embraced more in the past two years, and that cybersecurity budgets have grown.

Addressing a conference panel, Virginia CISO Michael Watson, the nation’s longest serving CISO, said his state has strengthened its cybersecurity posture over the past several years: “We’re very centralized. We are tied to an infrastructure model ... that allows us to build security into a lot of areas.”

The Deloitte-NASCIO Cybersecurity Study reflected CISOs’ increased concerns about budget compared with two years ago, when many federal grant programs were helping to improve the bottom line, and about the influence of artificial intelligence (AI), which has exploded in use since 2022.

The report explored five big themes: 

1. Every state now has a CISO, and 98% of state CISOs have their authority established by some formal mechanism.

2. A majority (88%) of state CISOs are involved in strategy development for generative AI. But 41% said they are not very confident or not confident at all about protecting states from AI threats.

3. Nearly 40% of CISOs say funding falls short of what they need to keep assets and citizens safe. CISOs are generally unsatisfied with their level of visibility into budgets and spending.

4. CISOs reported that third-party security breaches, AI-aided attacks and foreign state-sponsored espionage are the top three cyberthreats facing states.

5. Nearly half of CISOs said cybersecurity staffing is a top-five challenge.


CISOs Embrace Role in Digital Transformation and Generative AI 

Deloitte and NASCIO made specific recommendations or “calls to action” for each of the five themes. Regarding state CISO authority, CISOs were particularly pleased with NASCIO’s call to “promote the CISO’s role in digital transformation.”

“Security has to be up front in the discussion,” Watson told the conference. CISOs must know a lot about various aspects of government operations, and as such they can be a valuable resource when planning strategic direction, he added.

New Hampshire CISO Ken Weeks said his state looks at its government IT strategy through a Venn diagram of cybersecurity, privacy and accessibility. “We make sure that everything we do lives in that intersection,” he said.

Regarding strategy development for generative artificial intelligence, Watson said CISOs were heavily involved.

“Security is one of the perfect use cases” for generative AI, he said at the conference, and CISOs have a high degree of confidence in handling generative AI tools deployed in their security environment.

Watson said that people were too quick to worry about generative AI threats. “The value proposition is ginormous, but we are all worried about what could happen,” he said.

Weeks said it was important to start the discussion: “He who writes the draft gets to control the conversation.” Working with New Hampshire Director of User Experience Kate Michener, Weeks drafted an AI code of ethics for the governor’s approval. Then, they wrote a policy for state AI use cases, which was fairly basic.

“Our adoption is going to be at the pace of its insertion and inherent presence in the tools that we all use. I’m not going to go out and buy some AI,” he said.


Deloitte-NASCIO Study Calls for Dedicated Cybersecurity Budgets 

“Funding is going to have to increase as long as the bad guys are out there doing what they are doing. We are always going to need resources,” said NASCIO Deputy Executive Director Meredith Ward during the conference panel.

More than half of states have a dedicated cybersecurity line item in their state budgets, according to the Deloitte-NASCIO study, which views this as a positive sign.

“In our 2024 survey, 35% of respondents cited the lack of a cybersecurity budget as a top-five challenge,” the report notes. “Especially with stakes so high, it’s a challenge to protect the whole range of critical assets; it’s even harder to do so without a commitment that funding and staffing will be in place when needed.”

Weeks advocated viewing cybersecurity through the lens of risk management for delivery of government services: “A lot of people understand risk management. They may assume that cyber is technical, and they don’t understand it. So, it’s a way to have a plain-language conversation.”

New Hampshire strives to take a whole-of-state approach to cybersecurity, he added.

Watson used an analogy to drive home the importance of cybersecurity. “You no longer buy a house without locks,” he said.

The study surveyed state CISOs on the biggest cyberthreats facing state governments. The top four threats are: 

73% - Security breaches involving a third party 

71% - AI-enabled attacks as a threat vector 

67% - Foreign state-sponsored espionage 

65% - Phishing, pharming and related attacks

“Any technology implementation is integrated with someone else’s technology environment,” Watson said. “Integration with third parties is going to continue. We have to make sure that we are aggressive with the controls for partners that we bring to the table.”
