Overtaxed State CISOs Struggle With Budgeting, Staffing

Chief information security officers (CISOs) of US states are being stretched thin by widening responsibilities and insufficient resources to achieve them.

Today, and for some time now, every state and the District of Columbia has had its own, dedicated CISO office.

"In the early 2000s, the advent of the Internet and the desire to develop citizen-facing applications accessible from the Internet really started that trend," explains Srini Subramanian, co-author of the newly released biennial cybersecurity report from Deloitte and the National Association of Chief Information Officers (NASCIO). State governments, he notes, are as attractive as cyber targets as any company.

"States collect, share, and use data of residents from birth, including school, driving records, health records, and more," he explains. "So they do have very comprehensive information about people in very large volumes, which makes them attractive targets."

Like CISOs of corporations, these individuals are responsible for building and managing statewide IT security programs and policies, managing cyber-risks and incident response efforts, ensuring compliance with relevant regulations and standards, and more. Also like CISOs of corporations, state CISOs face the same hindrances to their jobs.

Related:Dark Reading Confidential: The CISO and the SEC

Among all 51 US state CISOs surveyed in the Deloitte/NASCIO report, many report an expansion of their responsibilities with regard to protecting data privacy, risk management, and more. At the same time, plenty report having insufficient funds and personnel for actually handling those responsibilities.

"State systems don't have as many resources as the private sector," Subramanian says. For example, "When we make a comparison to a financial services institution — they have thousands of full-time [cybersecurity employees]. In this report, 80% of states report anywhere from five to 50 people. States are being asked to do a lot more with very few resources, and it is a real challenge in terms of how they can accomplish their goals."

More Work for State CISOs

Meanwhile, state CISOs are doing more today than ever before. More CISO's offices now provide support to stage agencies in the realms of strategy, governance, and risk management (up 17%), security management and operations (up 8% over 2022), incident response (up 17%), and network and infrastructure (up 7%).

Most starkly: 86% of CISO's offices now handle data privacy, up from 60% just two years ago, thanks, perhaps, to new data privacy rules spreading across the nation.

Related:FERC Outlines Supply Chain Security Rules for Power Plants

The lone counterpoint is that state CISOs today have markedly less to worry about when it comes to physical security, providing a kind of counterbalance.

In 2020 (52%) and 2022 (54%), a majority of CISO's offices handled physical security for data centers and other pertinent facilities, but in 2024 that number plummeted to 35%. Today, just six state cybersecurity budgets allocate anything toward physical security. That, Deloitte posited, may indicate that states have been consolidating their data centers, or outsourcing to third-party providers.

Budgets, Staffing Lag Behind

Compared to their increased workloads, however, state CISOs offices are not being financed and staffed with equivalent fervor.

Most respondents didn't even know what percentage of their states' IT budgets were allocated to cybersecurity, specifically. Among those who did, four reported that it made up somewhere between 0% and 1% of their states' funding for IT. On the flip side, just one in five reported rates of 3% and above.

For a sense of just how low those figures are, consider that out of the $75 billion in IT spend that the White House proposes for civilian agencies in the 2025 fiscal year, $13 billion — about 17% — is set aside for cybersecurity-related activities.

Related:Shadow AI, Data Exposure Plague Workplace Chatbot Use

"The rigor and emphasis on cyber has always been greater in the federal government," Subramanian notes. As a result, "State CISOs have to go and seek resources from the CIOs as part of their technology budget. Whereas in the federal government, all federal agencies have had to, for the last several years, submit a cyber budget request, and really outline how they are going to spend that money on cyber."

Budget constraints and a talent shortage help explain why nearly four in five state CISOs cite staffing as a challenge. Though the number of scarily understaffed offices has dropped — just two respondents reported having one to five full-time employees, down from six in 2022 — more than half of state CISOs report that their staff lack the competencies necessary to deal with the demands of the job.

Why the Same CISO Issues Keep Cropping Up

Whether it be a private company or a government organization, large or small, the issues that face CISOs today are pretty consistent across the board, because the underlying gap between security leaders and their colleagues always tends to take a similar shape.

"Until the security program is not perceived as a 'cost' but rather a 100 times unplanned-for-cost-avoiding department, CISOs will struggle with budget and relevance," says Pete Nicoletti, global field CISO at Check Point Software. "CISOs and security practitioners typically have a hard time justifying their programs to leadership. We are too technical and are worried that the sky is falling 24/7. We can usually get the minimum budget approved based on compliance mandates, but we all know that is not enough."

To close that gap, he suggests, security leaders need to get more people whose jobs don't involve security involved in the security process: "Involve your directors and leaders in every tabletop exercise, share every report on external threats, and teach them all the terms they need to know, so they can see it your way!”

Some states, actually, are already employing this tactic to interesting effect. Subramanian recalls how, "in Texas, there is a regional security operations center that has been set up with a combination of a university, private sector, and the government. The first level of triaging is done by students who are working part time, as they are doing cybersecurity studies. So this can address both the talent issues facing CISOs, as well as getting things done for states and local governments."