Amid tight budgets and talent gaps, the job of state technology chief just keeps expanding
Many state chief information security officers say they don’t have a reliable budget, staff or expertise to adequately protect against cyberattacks, according to a new survey.
State chief information security officers face an ever-growing list of responsibilities and multiplying threats. But they must navigate those challenges amid talent gaps, tight budgets and a lack of dedicated funds for cybersecurity, according to a recent survey of state CISOs.
About 86% of respondents said their role has expanded to include maintaining data privacy, up from 60% in 2022. And more are overseeing a wide swath of technological and business processes, which also includes security management and operations, network and infrastructure, and incident response.
The responses are summarized in a report released this week by the National Association of State Chief Information Officers and the consulting firm Deloitte, which attributes the rise of data privacy responsibilities to an increase in state laws and statutes aimed at protecting consumers’ information. As government becomes increasingly digital, the CISO role will only keep growing, the report concludes.
One area officials are certain to see that growth is in cybersecurity. Thanks to historic federal funding, states are in the midst of implementing a whole-of-state cybersecurity strategy, which relies on better information sharing and partnerships with localities. State CISOs will likely find themselves with even more to do as local governments turn to them for assistance in dealing with cyberattacks, especially on critical infrastructure.
“Even though they may not have direct control over the local governments and direct governance over the local governments, the governor's office may expect the state level CISO to do something about [an attack], because they are the ones with some authority,” said Srini Subramanian, a principal at Deloitte & Touche LLP and a report co-author, in an interview.
It won’t be easy for CISOs to navigate these ever-expanding responsibilities, given budget constraints. More than half (51%) of CISOs surveyed—from all 50 states plus Washington, D.C.—said they have adequate funding with which to do their jobs, but they also report a lack of visibility into their own budgets and the overall cyber spend.
The majority—63%—have their authority established under state statute, but almost half do not know what percentage of the state IT budget is dedicated to cybersecurity, and 39% said they do not have a dedicated cybersecurity budget line item.
What that means, Subramanian said, is that CISOs are confident they can go to lawmakers and ask for one-off funding to deal with threats, vulnerabilities or cleanup from a breach, but getting sustained funding is an uphill challenge. CISOs have resorted to a bit of creativity in funding requests, including an abundant use of the word cybersecurity.
“Cyber in a state budget piece is almost the equivalent of counterterrorism in the federal budget,” New Hampshire CISO Ken Weeks said at NASCIO’s annual conference in New Orleans during an on-stage discussion to coincide with the survey’s release Tuesday. “Everybody will slap that label on there because they think it'll get approved.”
Still, the threat of ransomware attacks and other breaches is real, particularly as they continue to grow and become more sophisticated. Nearly three-quarters (73%) of CISOs said the biggest cyber threat to their states would come from security breaches involving a third-party vendor, with 71% saying they are concerned about AI-enabled attacks.
Eighteen CISOs listed aligning cybersecurity initiatives with agency business as their top priority. Cybersecurity has to be intertwined with everything state governments do, said Virginia CISO Michael Watson at NASCIO’s annual conference.
“Security has to be up front in all of that discussion,” he said, “to make sure that we’re building it up front, not trying to retrofit later on.”
Many are turning to generative AI to help with their cyber defenses. Forty-one percent of state CISOs said it is already in use for security, while another 43% said they plan on introducing it in the next year. The technology could be enormously useful in helping to analyze threat patterns and suspicious behavior, as well as vulnerabilities in code and quick incident response.
Watson said the attention on artificial intelligence has been positive, forcing CISOs to take an active role in creating the policies around its use.
“I think [it’s] been one of those scenarios where media and public information has lined up really well to talk about all the scary parts about AI before we started pushing the button to roll it out everywhere, because the value proposition is genuine,” he said. “Our real concern is what types of things can happen if we don't put boundaries and structure around how it is that we use it.”
Having the right workers to handle growing threats and new technologies, however, has been a constant bugbear for CISOs. While states have added more full-time cybersecurity professionals to their staff, 53% of those surveyed said talent gaps remain as those employees lack the skills and knowledge needed. That means an increasing reliance on contractors, and on reskilling existing employees.
Subramanian said since state governments will likely never be able to compete with the private sector on salary and benefits, they should get creative. That includes partnering with higher education institutions on initiatives like security operations centers, as has been the case in Texas, Louisiana and elsewhere.
“You are now training the students, they're also doing some productive work, and the students that are trained are going to get some productive employment opportunities in cyber, so there is a win, win, win,” he said.
Those workforce issues extend to the tenure of CISOs themselves, which the survey found has dropped to an average of 23 months, down from 30 months in the previous iteration of the survey two years ago. On average it can take six months to hire a replacement, and that, combined with the multiplying responsibilities, could prompt states to rethink how they structure this part of their hierarchy.
“There may need to be some models put together, where it's not only the CISOs and the chief privacy officers, but also the technology function,” Subramanian said. “Can aspects of operational security be part of the [chief technology officer’s] office and CIO’s office? Those things need to be tried because it is difficult for CISOs to take on all those responsibilities.”