8 Trends Driving Cybersecurity in the Public Sector
CISOs and security leaders in state and local governments are dealing with increasing threats like ransomware — with varying degrees of cyber maturity.
October 20, 2022
![Photo of the tops of pillars on a government building, against a blue sky](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt068cc50dccfb0442/64f15613a5678006f90c42aa/government-AdobeStock-_jkiddmedia.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Source: jkiddmedia via Adobe Stock
As state and local governments operate under increasing threats of ransomware attacks, geopolitical threats, and breach attempts of citizens' personally identifiable information, cybersecurity awareness is on the rise in the non-federal public sector.
According to the 2022 Deloitte-NASCIO Cybersecurity Study, state-level cybersecurity is growing more mature as lawmakers and bureaucrats have started seriously responding to the risks at hand. Today, no state lacks a CISO, state-level budgets are on the rise, and many foundational cybersecurity controls are in place.
However, states still struggle with the cybersecurity talent gap, and they're dogged by legacy infrastructure that's not keeping pace with new technology and threats. What's more, municipalities are still very spotty in their cybersecurity strategy and execution, as there's very little cohesive guidance at the state level about municipal efforts to shore up protection and response.
The following are some key statistics and trends from this report, which is based on a survey of CISOs from 53 US states and territories.
State lawmakers are sitting up and taking notice of the threat to government resources posed by cyber risks. They're turning that awareness into action by codifying and funding CISO roles and requiring state-level cybersecurity programs.
The study found that the number of states requiring a CISO or equivalent by state statute or law is on the rise, with 44% of states requiring and funding a CISO position and 10% more working on that process.
Programmatic requirements still haven't quite reached a tipping point in most areas, however. The majority of states do not have cyber threat information-sharing programs, cyber workforce development and training, or a cybersecurity legislative council to periodically review the state's cybersecurity posture.
Respondents from 30 states reported they increased their cybersecurity budgets over the past year, with only 2% of states reducing their budget. The study shows that just a few states are allocating more than 10% of their IT budget to cybersecurity.
Interestingly, many of those surveyed were unsure of what percentage of their IT budget cybersecurity comprised. This could potentially be a product of the increasing decoupling of cybersecurity from the IT budget line item.
Results showed that most states now have a dedicated budget line item for cybersecurity, some established by statute, others by governor's orders, and still others through CIOs or other state administrators.
The top challenges faced by state CISOs are shifting as budget situations improve.
When the survey was last conducted in 2020, budget concerns comprised two of the top five challenges. Now the list has added the sophistication of threats and the challenges around decentralized IT and security infrastructure as new pain points. Staffing concerns remain on the list, as does the challenge of legacy infrastructure and solutions to support emerging threats, which has now shifted to the top slot.
The study showed that all states now have a CISO, even though not all US territories do, and that some states are now deepening their cyber-risk leadership bench with CPOs, CROs, and identity program directors.
These leaders are also being called to account with more regular reporting to their governors, state legislators, and agency secretaries.
While state agencies are increasingly bolstering their capabilities around security awareness, incident response, risk assessment and vulnerability assessments, threat monitoring and SOC, and identity and access management, local governments are lagging. For example, whereas 67% of state agencies are in the most mature stages of security awareness training, only 8% of local governments can say the same.
Collaboration between state and local entities on cybersecurity remains a rarity. The study found that few CISOs engage with local governments or state public education institutions to lead the charge on cybersecurity strategies.
Only about 35% of state CISOs say they have strong collaboration ties with local government entities. Approximately 65% of respondents say this is due to local resistance to state oversight.
While cybersecurity budgets have increased, state staffing levels have not significantly changed in the past two years. As mentioned earlier, access to talent is a challenge for state CISOs, and that is reflected in how long it is taking to fill open roles in the cybersecurity department. Almost three-fourths (71%) of respondents report it takes three months or longer to fill mid-level positions, and 46% say it takes six months or longer to fill director-level spots.
Often state CISOs are filling their talent gaps with outsourced resources.
A quarter of state-level enterprise security offices employ 16 or more full-time equivalents through cybersecurity contractors. And the percentage of CISOs who reported they're contracting with a managed security services provider to fill staff competency gaps has shot up from 51% in 2020 to 78% in 2022.