
State CISOs Have Little Confidence In Ability To Defend Against External Threats

Deloitte Survey Shows Few State CISOs Are Confident In Their States’ Ability to Defend Against Cyber Attacks

Less than a quarter of state chief information security officers were confident in their states’ ability to safeguard data from attacks, according to a recent Deloitte & Touche survey. Only 32 percent of the CISOs felt state employees have the “required cyber-security competency.”


Increasingly sophisticated cyber-attacks present a new set of challenges to state officials tasked with safeguarding citizens’ personally identifiable information, according to the 2012 Deloitte-National Association of State Chief Information Officers report released Tuesday. States collect an enormous amount of citizen data through various programs and services, making it critical that the data is protected.

Government agencies have lost more than 94 million records of citizens since 2009, Srini Subramanian, a principal at Deloitte & Touche, and Doug Robinson, executive director of NASCIO, wrote in the executive summary, citing a recent report from Rapid7.

“Every CIO and CISO wakes up each day knowing that if they don’t get security right and breaches are suffered, their programs can be perceived to be ineffective, and their citizens may suffer direct harm,” Brenda L Decker, president of NASCIO and CIO of the state of Nebraska, wrote in the introduction to the report.

Figure: Top 5 Barriers in Addressing Cybersecurity

While some threats to state information technology security have diminished since 2010, 52 percent of CISOs in the survey said elaborate and sophisticated threats were a barrier to addressing security. The state CISOs recognize the importance of cyber-security, but struggle to gain adequate budgets and stakeholder buy-in to carry out their plans, the survey found. This challenge was also present in the 2010 report.

Budget is a problem for states in safeguarding their data as about 86 percent of CISOs reported that insufficient funding was the most significant barrier to addressing cyber-security issues. The second most significant barrier was the “inadequate availability” of IT professionals well-versed in cyber-security, according to the survey.

The survey results called for a greater collaboration between state CISOs, business leaders in state agencies, and elected officials. CISOs can develop a network of stakeholders across state government offices and agencies and include them in discussions about strategies, risks, progress, and results. CISOs can partner with business stakeholders and “advocate jointly” for increases in cyber-security budgets through “well-articulated strategies, measures, and outcomes,” said Subramanian.


States can also create competency centers to share qualified personnel, technology and dollars, the report found. CISOs should also “aggressively explore alternative funding sources,” the report recommended.

Even though there was a significant rate of turnover since the initial survey in 2010, the results were remarkably similar.

The second biennial Deloitte-NASCIO survey assessed the security of all state digital data and cyber-assets administered by CISOs. CISOs and CIOs from 48 states and two US territories participated in the survey. A parallel survey examined responses from 63 state business stakeholders and elected officials and found that 92 percent of respondents ranked cyber security as “most important” or “very important.”

The top four threats facing state governments in the next year include phishing, pharming, and other related variants; social engineering; the growing number of sophisticated threats; and mobile devices, Deloitte and NASCIO said. While state CISOs recognize the importance of cyber-security, the report highlighted a few steps states should adopt to mitigate some of the risks.

States should adopt a uniform security framework, perform regular compliance assessments, and communicate risks to relevant stakeholders. CISOs should also routinely report cyber-security threats and the status of projects to build support for security and privacy initiatives. There should be more user education, the report suggested.

“Balance the cost of education and the disruption to individuals against the benefit of keeping the state out of the headlines—and it’s clear the investment is a sound one,” the report said.

With more and more functions being outsourced to third-party firms, more needs to be done to manage risk, and cybersecurity policies must be communicated and enforced with partners and contractors, as well.

State CISOs are not the only ones concerned about their ability to defend against cyber attacks. Earlier today, Canada’s auditor general warned that the country “has been slow” to set up firewalls to protect against cyber threats to critical infrastructure, leaving the nation vulnerable to crippling attacks.

In a report, Auditor General Michael Ferguson said the Canadian government has made only “limited progress” over the past decade to safeguard electrical grids, telecommunications infrastructure, banking systems, manufacturing and transportation, as well as its own computers. 

The full 40-page report can be downloaded here.
