State cybersecurity organizations in ‘heightened risk environment,’ according to report
As state and local cybersecurity organizations across the United States emerge from a few difficult years, one aspect of the future is for certain: It will be shaped by the same digital advancements that, since the pandemic’s outset, have propelled the nation into an unprecedented era of technological innovation in the public sector.
“While it may take years to know which transformations wrought by the pandemic will endure, we know that digitization has accelerated. The social distancing required by the health crisis made digital and mobile platforms the crux of work and daily life,” reads the introduction to the seventh biennial report from Deloitte and the National Association of State Chief Information Officers (NASCIO), the “2022 Deloitte-NASCIO Cybersecurity Study.”
While the report was written for state chief information security officers (CISOs), it outlines key challenges faced by public cybersecurity organizations at all levels: attracting and retaining enough talent; embracing all areas of cyber defense, from state agencies to local governments; and setting new budgetary directions, with different and updated expectations.
“State CISOs played critical roles helping the country successfully navigate the twists and turns of the pandemic, and this year’s survey identifies the steps needed to grow this increasingly public role and meet the current and future challenges faced by state agencies,” said Meredith Ward, director of policy and research at NASCIO and a co-author of the study.
In both the private and public sectors, “The demand for high-skilled workers has grown even more acute. … Reassessing their life choices during the COVID-19 pandemic, many employees joined the Great Resignation, and millennial and Gen Z workers are more carefully choosing workplaces that reflect their preferences,” the report says.
In a survey conducted by the officers organization and noted in the report, 52 percent of respondents cited legacy infrastructure and outdated solutions as the primary barrier preventing them from addressing cybersecurity challenges. Inadequate availability of cybersecurity professionals was listed second (50 percent), followed by not enough staffing (46 percent) and decentralized IT and security infrastructure. Increasing sophistication of threats was also noted (29 percent).
At least part of the reason for the talent gap is that “States are not meeting many of the demands of this new generation of tech workers,” the report says. “Only 25 percent of states reported using remote work as a talent attraction tool. This is somewhat surprisingly low, as CISOs have worked hard to ensure the security of work-from-home arrangements (more than 80 percent expressed high confidence in their work-from-home arrangements), with more than half expressing confidence in these efforts. Moreover, the labor market is increasingly offering workers the option to work from home.”
Besides work from home, among factors respondents listed for moving into the public sector, 54 percent cited an opportunity to serve the community, while 46 percent said it was for job security and 35 percent switched for a better pension/retirement plan.
Meanwhile, administrators are relying on staff augmentation to fill manpower voids. States are also considering outsourcing functions and contracting with third parties to alleviate workload.
At the state level, “The technology talent shortfall has reached a critical juncture. Although CISOs do not control state hiring practices, they need to make a case for a transformation of public talent management or face increasingly untenable talent shortages,” the report says. “To attract the best talent, states can take steps such as offering remote work options, providing an opportunity to work with up-to-date tech tools, shortening the hiring cycle, modernizing job titles and classifications using the National Initiative for Cybersecurity Education framework, and other measures.”
Compounding the administrative shortage cybersecurity organizations face, the threat landscape is rapidly evolving.
“The complexity of cyber challenges that the state CISOs tackle is increasing with the need to take a whole-of-state approach involving multiple jurisdictions and stakeholders,” said Srini Subramanian, principal at Deloitte & Touche LLP, and Deloitte’s global risk advisory leader for government and public services. “To address these challenges, state CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next generation of highly capable cyber talent.”
Among other key takeaways in the report, according to a statement from Deloitte, 30 states increased their cybersecurity budgets from 2021 to 2022. And for the first time, CISOs report that a handful of states are allocating more than 10 percent of their IT budgets to cybersecurity, in alignment with federal government levels. However, most states still only allocate between 2 percent and 10 percent of their budgets to cybersecurity efforts. Additionally, many state CISOs identified the drafting and implementation of the zero trust framework as a key initiative.