State chief information security officers (CISOs) have become an integral part of government operations, but they struggle to obtain the resources they need to combat ever-evolving cyber threats, according to a new study.
Eighty percent of the respondents in the recently released "2016 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study" say inadequate funding is one of the top barriers to effectively addressing cybersecurity threats, while more than half (51%) cite inadequate availability of cybersecurity professionals.
Most states' cybersecurity budgets are relatively low, hovering between zero and two percent of their overall information technology budget, according to the survey, which was released today at the NASCIO annual conference in Orlando, Florida.
State CISOs say the top five barriers to effectively addressing cybersecurity challenges are: lack of sufficient funding (80%), inadequate availability of cybersecurity professionals (51%), lack of documented processes (45%), increasing sophistication of threats (45%), and lack of visibility and influence within the enterprise (33%). Interestingly, in 2014, when Deloitte and NASCIO last surveyed state CIOs/CISOs, 61% of the respondents cited the "growing sophistication of threats" as a barrier to addressing cybersecurity challenges.
Governors and other state officials are more aware of cyber threats and receive more frequent updates from CIOs and CISOs, but a confidence gap still exists between IT and business managers. This gap reflects the need for infosec professionals to better communicate the risks of cyber threats.
"We continue to see there is a confidence gap between the CIOs and CISOs and the business leaders," says Srini Subramanian, principal with Deloitte & Touche LLP and state government cyber risk services leader. "The business leaders actually think the states are in a better state than what the CIOs and CISOs are thinking in terms of their ability to take on external cyber threats. The business leaders don't understand all of the risks," he says. So state CIOs/CISOs have to do a better job of communicating the risks, he adds.
Several years ago, cybersecurity was seen as a technical function of IT, but now cabinet secretaries and state officials realize their agencies are critical components of the cybersecurity mission, says Darryl Ackley, NASCIO president and cabinet secretary and CIO for the New Mexico Department of Information Technology.
"I live day-to-day with the cyber mission, securing the state's networks," he says. Many of New Mexico's cabinet secretaries started to realize their role in helping to protect agencies from cyber-attacks after attending a National Governors' Conference in San Jose, Calif., a few years ago that highlighted cybersecurity.
To be effective, cybersecurity has to be operationalized, Ackley says. "It is a policy issue. It also is a behavior issue as much as a technical issue," he says. "We are trying to maintain the momentum by continuing to involve our public safety, emergency management, and security officials as well as technical components in agencies [to let them know] they can't just depend on us. They have to be participants."
According to the Deloitte survey, a formal cybersecurity strategy and better communication lead to a greater command of resources. "When CISOs develop and document strategies—and get those strategies approved—they can command greater budgets and attract or build staff with the necessary competencies," the report says. In fact, 16 out of 33 states with an approved strategy reported they had an increase in budget.
An approved and proactively communicated strategy can also help CISOs overcome another barrier: "lack of visibility and influence in the enterprise," according to the report.
"The states are starting to focus on more consistent priorities in terms of what CISOs are doing and CISOs are starting to look at areas they can control," Subramanian says.
CISOs are focusing on areas where they can take proactive steps to better manage risks. Some of the top areas CISOs say are within their purview include audit logs and security event monitoring, strategy and planning, and vulnerability management, according to the survey.
An emerging trend is the implementation of identity and access management solutions. For example, more states in 2016 (47%) than in 2014 (33%) have an enterprise IAM solution that covers some or all of the agencies under the governor's jurisdiction.
However, CISOs continue to struggle with the implementation of enterprise IAM solutions, including the complexity of integrating with legacy systems (67%), competing or higher priority initiatives (57%), the states' decentralized IT environment (47%), cost of implementation (39%), and inadequate funding to support enterprise deployment (31%), the report says.
Similar to 2014, CISOs are focusing on implementation of multifactor authentication, federated IAM, and privileged identity management solutions. Cloud-based IAM solutions and citizen identity proofing solutions follow closely as leading initiatives.
In the past two years, state CIOs/CISOs have moved their states forward in combating cyber risks, according to the report. The report recommends:
• Strategy: Document and formalize the cybersecurity strategy, going through the process of socializing the strategy with a broad range of stakeholders.
• Funding: Work with stakeholders to make cybersecurity a significant line item on state IT and business initiative budgets.
• Communications: Use metrics and numbers to tell a compelling story about cyber risk.
• Talent: Promote the right benefits, modernize the workplace culture, and better define required skills to attract the right talent.