Close

New Research from CDW on Workplace Friction

Learn how IT leaders are working to build a frictionless enterprise.

Click Here to Read the Report
May 04 2026
Security

NASCIO 2026 Midyear: State CISOs Report Falling Confidence as AI Threats Accelerate

Rising artificial intelligence-enhanced attacks and tight budgets push states toward broader, data-driven cybersecurity strategies.
Mickey McCarter
by

Mickey McCarter is the senior editor of StateTech Magazine.

State government CISOs are growing significantly less confident in their ability to protect government systems as cyberthreats intensify and budgets tighten, according to the 2026 NASCIO-Deloitte Cybersecurity Study released recently.

Just 26% of state CISOs said they are “extremely” or “very” confident their state’s information assets are secure, down sharply from 48% in 2022, the biennial survey found.

The findings, unveiled at the National Association of State Chief Information Officers Midyear Conference, reflect a rapidly evolving threat landscape shaped by artificial intelligence, expanding digital ecosystems and growing financial pressure on state IT organizations.

“The cyberthreat landscape is not improving,” said Mike Wyatt, a Deloitte partner, during a panel discussion at the conference. “The confidence in the systems has dropped dramatically.”

Click the banner below for tips to quantify risk to justify cybersecurity spending.

x_security_q325_animated_click_desktop_01 x_security_q325_animated_click_mobile_01

 

Funding Pressures, Not Just Threats, Driving Confidence Decline

State CISOs say the drop in confidence is not solely due to more sophisticated attacks; it is also tied to shifting financial realities.

Anthony O’Neill, CISO for Massachusetts, pointed to “downward pressure” on funding tied to federal and national-level changes.

“One of the things that we’ve seen over the past year is the general pressure coming from Washington on finances,” O’Neill said. “It’s disrupted a lot of funding sources for states.”

That strain is reflected in the survey data: 16% of CISOs reported budget reductions in 2026, compared with none in 2024, while fewer reported meaningful budget increases.

The result, O’Neill said, is uneven preparedness across states and local governments, and a hit to overall confidence.

AI Is Changing the Game, but Not the Fundamentals

Artificial intelligence is reshaping cybersecurity, but not in the way some might expect.

“The fundamentals of cyber have not changed,” said John Godfrey, CISO for Kansas. “The issue is really just about the speed by which we need to take action.”

AI is enabling attackers to operate at machine speed, widening what Godfrey described as an already significant “tech gap” between defenders and adversaries. That dynamic is making it harder for human-led security teams to keep pace.

The study underscores that dual reality: AI is both accelerating threats and becoming a key tool for defense. Nearly all CISOs reported involvement in developing generative AI security policies, and many are using AI to improve threat detection and response.

READ MORE: Here is a guide to AI governance for state and local agencies.

Third-Party Risk Expands the Attack Surface

As states modernize systems and rely more on external vendors, CISOs are increasingly focused on third-party risk.

“We’ve made significant investment in that area,” O’Neill said. “But you still own the risk as an organization.”

That means states must strengthen partnerships and information-sharing with vendors, he added, as digital transformation requires constant data exchange.

Godfrey noted that third parties are effectively part of the external threat landscape, alongside traditional adversaries. He pointed to emerging risks such as fraudulent job applicants using AI-generated identities and coordinated attacks targeting managed service providers, which can cascade across multiple jurisdictions.

Many trusted third party partners are aware of the scope of the challenges ahead and acknowledge the requirement for vigilance.

“The 2026 NASCIO-Deloitte Cybersecurity Study underscores the immense pressure on state and local leaders as they navigate ongoing resource constraints and increasingly sophisticated, AI-driven threats. At Zscaler, we’re focused on supporting CIOs and cybersecurity professionals as they champion resilience and drive innovative strategies to protect critical public infrastructure,” Drenan Dudley, head of State, Local, Tribal, and Territorial Government Partnerships and Senior Advisor for Global Cyber Policy at Zscaler, told StateTech.

Mike Wyatt
The cyberthreat landscape is not improving. The confidence in the systems has dropped dramatically.”

Mike Wyatt Cyber Principal, Deloitte

Whole-of-State Cybersecurity Gains Momentum

The growing complexity of interconnected systems is driving more states toward a whole-of-state approach to cybersecurity, in which state governments extend support to local entities, schools and critical infrastructure.

The survey found roughly one-fifth of states are moving in that direction.

In practice, however, implementing that model can be challenging.

O’Neill described Massachusetts’s approach as a mix of coordination and shared services, including a statewide cyber incident response team that meets regularly and supports local governments when possible.

But engagement varies.

“Sometimes an insurance carrier steps in and locks us out of the process,” he said.

In Kansas, where local governments operate with significant autonomy, Godfrey said, the state relies on mandatory incident reporting and voluntary collaboration.

“We can’t come in and say, ‘I’m here to take over,’” he said. “We ask, ‘Do you want assistance?’ and then we have a deeper conversation about what we can offer.”

DIVE DEEPER: Governments turn to whole-of-state cybersecurity to scale services.

Metrics Become Critical as Budgets Tighten

With funding under pressure, CISOs are increasingly focused on proving the value of cybersecurity investments.

Implementing effectiveness metrics was the top priority identified in the study, with 49% of CISOs naming it a leading initiative.

For O’Neill, that means translating technical risks into business outcomes.

“How are you bending that curve of vulnerabilities?” he said. “This is how security improves and strengthens over time.”

Clear metrics — often delivered through dashboards — help communicate risk to lawmakers and justify continued investment, especially as cybersecurity shifts from a technical concern to an enterprise risk issue.

“The data tells the story,” Godfrey added. “It helps people understand the impact of what we’re doing.”

Critical Infrastructure and Workforce Gaps Remain Concerns

Beyond state systems, CISOs are grappling with how to protect critical infrastructure, much of which falls outside their direct authority.

Godfrey said Kansas has focused on building relationships and information-sharing networks across sectors rather than imposing mandates.

“We don’t have all the answers,” he said. “But we’re trying to be stronger together.”

At the same time, workforce and resource constraints continue to challenge state cybersecurity programs, even as responsibilities expand to include AI governance, risk management and cross-jurisdiction coordination.

Taken together, the study’s findings paint a picture of a cybersecurity landscape growing more complex and more urgent, even as resources fail to keep pace.

For state CISOs, the challenge is no longer just defending systems, it’s coordinating across entire ecosystems, adapting to AI-driven threats and making the case for sustained investment.

“This is not an IT issue,” Wyatt said. “This is an enterprise risk management issue.”

Bookmark this page for our coverage of the NASCIO 2026 conference.

eyecrave productions/Getty Images

More On

Related Articles