By Cam Sivesind
Wed | Oct 2, 2024 | 9:17 AM PDT

The 8th biennial Deloitte-NASCIO Cybersecurity Study reveals a rapidly evolving cybersecurity landscape, with artificial intelligence (AI) and generative AI (GenAI) introducing new challenges. Conducted in spring 2024, the study captures insights from Chief Information Security Officers of all 50 U.S. states and the District of Columbia, marking a period where the impact of COVID-19 has subsided yet new threats have surfaced.

Key findings highlight that while traditional security issues remain, AI-driven attacks are now a significant concern. CISOs report a growing focus on managing AI-generated vulnerabilities and addressing insider threats amplified by the misuse of advanced AI tools.

Artificial intelligence is a double-edged sword for state cybersecurity teams. On the one hand, AI helps automate security processes and enhances threat detection. On the other hand, malicious actors are leveraging AI for more sophisticated attacks, such as deepfakes and AI-enhanced phishing. This is complicating threat landscapes as states work to keep pace with AI-driven cyberattacks while also embracing AI to improve defense strategies.

Some key insights from the survey:

  1. Ransomware and phishing remain top threats, but AI-generated attacks are rapidly gaining ground.
  2. Cybersecurity budgets are struggling to match the scale of emerging threats, especially in AI.
  3. Workforce challenges persist, with states finding it difficult to hire and retain professionals who understand AI technologies and their security implications.
  4. CISOs are working on improving collaboration with federal partners to share intelligence and best practices for AI threat management.

According to the study:

"The stresses of the pandemic have also translated into turnover at the top. It's no secret that security professionals work under enormous strain, with a number of recent studies and surveys citing frequent burnout. Since our 2022 survey, nearly half of the states—23 of them to be exact—have new CISOs. The median tenure of a state CISO is 23 months, down dramatically from 30 months two years ago. However capable and talented these new leaders may be, turnover can be disruptive. The good news is that state governments increasingly recognize the critical role that CISOs play, formalizing their authority. It's promising, though there's plenty of progress yet to be made."

The study underscores a critical need for nationwide policies addressing AI in cybersecurity. With GenAI capabilities growing, there is a demand for clear guidelines on ethical AI use, security protocols, and methods to mitigate risks. CISOs are advocating for more robust federal-state partnerships to enhance AI defenses and ensure resilience across the board.

Based on these findings, state CISOs can consider the following courses of action.

  • Continue to make the case for robust cybersecurity. The responsibilities of state CISOs have expanded, while the authority and funding have not always kept pace. Cybersecurity issues will probably continue to escalate—especially with gen AI applications rapidly multiplying—and the CISO role is likely to continue expanding. CISOs need resources to support these expanding responsibilities. Public leaders throughout state government—from governors to legislators, from CIOs to agency leaders—need to understand and support the funding of cybersecurity.
  • Promote the CISO's role in digital transformation. As states increase their use of online transactions with constituents, the state CISO should have a seat at the table in helping to inform policy choices that affect data vulnerabilities. Areas such as digital identity and access management—for state workers, contractors, citizens, and businesses—should include a CISO perspective to confirm that system security is considered. The CISO's mandate positions the state to serve as a catalyst for digital transformation, improving service to citizens as well as to agencies.
  • Proactively participate in policy development. As emerging technologies grow in prominence, CISOs should consider a whole-of-state approach that includes proactively providing guidance to state and local government leaders on policy, technology, and operations relating to cybersecurity.
  • Enhance succession planning efforts. States are seeing significant turnover among cybersecurity leadership, and filling these vacancies can take six months or more. A greater focus on succession planning may help improve continuity in leadership, particularly in terms of ongoing relationships with higher education, local government, and federal officials.

More from the study related to AI:

Despite registering this high level of concern regarding AI/GenAI, only one-quarter of state CISOs list implementing gen AI security controls among their top five cybersecurity initiatives for 2024 to 2025. As one CISO indicated: "We will need to put in more governance and security controls in place before completely leveraging gen AI." Another summarized the state's position: "We are in the process of developing acceptable usage policies and general guidance on how to properly use AI within state government technology. Recently, the requests for AI use at the agency level have increased exponentially and have been reviewed on a case-by-case basis, but we need to establish official guidance on its use."

"There is a high demand for gen AI services and solutions; enterprise policy has been defined but is broad," one CISO said, suggesting plans to leverage third-party resources: "It is anticipated that we will look for private solutions that will allow for the containerization for more sensitive uses of gen AI, but at this time, we are mainly mapping potential use cases to evolve a potential statewide approach and governance model."

Based on the findings in this survey, state CISOs can consider the following approaches.

  • Strike a more aggressive posture. Today's asymmetric cyberthreats demand more forceful responses. Incremental progress is important—CISOs should continuously be seeking to root out unsecure connections and shut software backdoors—but proactive efforts are increasingly necessary. State CISOs may want to explore the possibility of relationships with the private sector that can offer early warnings of viruses or hacking trends.
  • Strengthen controls for third parties. As contractors, vendors, and other third parties play a key role in operations, controls such as limiting the use of contractor-owned computing devices—which can allow a contaminated device to plug into a state network—will continue to be important. Consider including third-party risk assessment services in contracts.
  • Collaborate to modernize threat response. Too often, state CISOs are fighting emerging threats with outdated legacy tools and systems. CISOs should look to collaborate with public and private sector tech leaders to help modernize the approach to threats.
  • Continue to advance adoption of IAM platforms, both internally and externally, especially in those states that are not currently fully operational in this area. Public-facing enterprise IAM is a particularly powerful tool for streamlining interactions, making them visible and enhancing government services.
  • Build awareness and trust with regular reports for stakeholders. State CISOs should consider distributing a regular "State of Cyber" report to legislators, state leaders, and business executives, aiming to elevate ongoing and new challenges with an eye toward potential opportunities for collaboration.

More from the study: In this year's survey, we asked CISOs how their offices are addressing workforce diversity. CISOs offered a wide range of responses.

Some respondents expressed pride in their teams' diverse composition.

  • "The CISO office is the most diverse organization in the state. We have a perfect blend of amazing technology professionals learning, growing, and driving results together."
  • "Working with our HR office, we have developed a highly diverse cybersecurity team."
  • "Our team typically ranks as one of the most diverse teams in the enterprise here."

Some surveyed CISOs specifically highlighted their pursuit of diversity through recruiting policies.

  • "We make all attempts to support diversity through recruiting and hiring."
  • "We work to make the job postings as open and accessible as possible, while also promoting diversity efforts from the senior leadership team down."
  • "Our commitment to diversity is integral to our broader mission of establishing an inclusive, innovative, and high-performing cybersecurity team."