

01:00 PM
Dark Reading

Deloitte/NASCIO Survey: Government Data And Citizens' Personal Information At Risk

Cybersecurity study finds that many CISOs lack means to adequately protect vital government data and the personal information of their constituents

Washington, D.C., Sept. 28, 2010 — According to findings of a recent survey conducted by Deloitte and the National Association of State Chief Information Officers (NASCIO), “State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust,” state governments, as custodians of the most comprehensive collection of citizens’ Personally Identifiable Information (PII), must make cybersecurity a top priority now.

The Deloitte-NASCIO cybersecurity study finds that many state Chief Information Security Officers (CISOs) lack the funding, programs and resources to adequately protect vital government data and the personal information of their constituents, especially when compared to their counterparts in private sector enterprises.

“Many state CISOs lack the visibility and authority to effectively drive security down to the individual agency level,” said Srini Subramanian, director, Deloitte & Touche LLP and leader of state government security and privacy services. “At the federal level, the President has recognized the critical nature of the problem and appointed a cybersecurity coordinator to address it; it’s imperative that governors and state legislative leaders make cybersecurity a priority.”

“Unprecedented budgetary cuts across state governments and growing reliance on contractors and outsourced IT services are creating an environment that is even harder to secure, and the report highlights the growing concerns of CISOs in this regard,” said Steve Fletcher, president of NASCIO and CIO of the State of Utah.

The Deloitte-NASCIO study is based on a survey in which 49 of the 50 states responded. The key findings include:

* Governance: To be successful, CISOs must continue to evolve this position to garner enterprise visibility, authority, executive support, and business involvement.

* Strategy: States increasingly are embracing strategic planning as part of their cybersecurity approaches and are converging on the National Institute of Standards and Technology (NIST) risk assessment framework for strategic alignment. However, without a compliance audit and enforcement mandate, such as the Federal Information Security Management Act (FISMA) at the federal level, compliance with the NIST framework across the enterprise is not likely to be achieved.

* Budget: Security budgets and resources available to state CISOs lag behind those of their private-sector counterparts. In tough economic times, the gap is widening, further exacerbating the issue.

* Internal and External Threats: Threats to PII and Personal Health Information (PHI) are growing. In addition to preventing accidental and intentional internal data breaches, states need to prepare to tackle the increasing sophistication of security threats from outside.

* Security of Third Party Providers: States use the services of contractors, managed service providers, and other third parties to deliver sensitive and critical constituent services; states must better manage the security of the third party providers.

Based on the findings, Deloitte and NASCIO provide a set of recommendations that state CISOs might use to help bridge some of these gaps, including partnerships within state government, executable strategies, ideas for standardization and tips for better preparing staff and others.

“State CISOs and CIOs recognize the threats and realize all government leaders need to be better informed on the risks,” said Doug Robinson, executive director of NASCIO. “It’s clear CISOs have tough jobs without adequate resources. A staggering 88 percent of respondents mention lack of sufficient funding as a major barrier to effectively addressing information security.”

In a letter introducing the report from the Honorable Tom Ridge, the nation’s first Secretary of the Department of Homeland Security, Ridge notes, “The 2010 Deloitte-NASCIO Cybersecurity Study confirms that large amounts of Personally Identifiable Information (PII) that the states maintain may be at risk, but barriers identified in the study make securing PII a daunting task.”

For a copy of the full report, “State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust,” please visit www.deloitte.com/us/stategovatrisk.com

For more information about Deloitte’s U.S. State Government practice, please visit http://www.deloitte.com/view/en_US/us/Industries/us-state-government/index.htm.


The National Association of State Chief Information Officers is the premier network and resource for state CIOs and a leading advocate for technology policy at all levels of government. NASCIO represents state chief information officers and information technology executives from the states, territories, and the District of Columbia. The primary state government members are senior officials who have executive level and statewide responsibility for information technology leadership. State officials who are involved in agency level information technology management may participate as state members. Representatives from other public sector and non-profit organizations may also participate as associate members. Private sector firms may join as corporate members and participate in the Corporate Leadership Council. For more information about NASCIO visit www.nascio.org.

As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
