Continued need for cross-boundary collaboration and increased modernization and digital government services brought to light by COVID-19
LEXINGTON, Ky., Oct. 14, 2020 — Today Deloitte and The National Association of State Chief Information Officers (NASCIO) released their 2020 Cybersecurity Study, “States at Risk: The Cybersecurity Imperative in Uncertain Times.” The national study is based on responses from 51 U.S. state and territory enterprise-level chief information security officers (CISOs). This is the 10th year of this study and the sixth iteration, with a record number of state and territory CISO’s participating this year. The key themes in this year’s study are:
- COVID-19 has challenged continuity and amplified gaps in budget, talent and threats, and the need for partnerships.
- Collaboration with local governments and public higher education is critical to managing increasingly complex cyber risk within state borders.
- CISOs need a centralized structure to position cyber in a way that improves agility, effectiveness and efficiencies.
The report also details focus areas for states during the COVID-19 pandemic. While the pandemic has highlighted the resilience of public sector cyber leaders, it has also called attention to long-standing challenges facing state IT and cybersecurity organizations such as securing adequate budgets and talent, and coordinating consistent security implementation across agencies.
These challenges were exacerbated by the abrupt shift to remote work spurred by the pandemic. According to the study:
- Before the pandemic, 52% of respondents said less than 5% of staff worked remotely.
- During the pandemic, 35 states have had more than half of employees working remotely; nine states have had more than 90% remote workers.
“The last six months have created new opportunities for cyber threats and amplified existing cybersecurity challenges for state governments,” said Meredith Ward, director of policy and research at NASCIO. “The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”
“The pandemic forced state governments to act quickly, not just in terms of public health and safety, but also with regard to cybersecurity,” said Srini Subramanian, principal, Deloitte & Touche LLP, and state and local government advisory leader. “However, continuing challenges with resources beset state CISOs/CIOs. This is evident when comparing the much higher levels of budget that federal agencies and other industries like financial services receive to fight cyber threats.”
State governments’ longstanding need for digital modernization has only been amplified by the pandemic, along with the essential role that cybersecurity needs to play in the discussion. Key takeaways from the 2020 study include:
- Fewer than 40% of states reported having a dedicated budget line item for cybersecurity.
- Half of states still allocate less than 3% of their total information technology budget on cybersecurity.
- CISOs identified financial fraud as three times greater of a threat as they did in 2018.
- Overall, respondents said they believe the probability of a security breach is higher in the next 12 months, compared to responses to the same question in the 2018 study.
- Only 27% of states provide cybersecurity training to local governments and public education entities.
- Only 28% of states reported that they had collaborated extensively with local governments as part of their state’s security program during the past year, with 65% reporting limited collaboration.
The 2020 study also revisits the three “bold plays” of the “2018 Deloitte–NASCIO Cybersecurity Study,” covering funding, innovation and collaboration, to assess progress on these strategic issues. While CISOs have made progress in the intervening years, more is needed.
The study is based on responses from U.S. state and territory enterprise-level CISOs. CISO participants answered 61 questions designed to characterize the enterprise-level strategy, governance and operation of security programs.
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people work across the industry sectors that drive and shape today’s marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Now celebrating 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte’s more than 312,000 people worldwide make an impact that matters at www.deloitte.com.