2022 Deloitte-NASCIO
Cybersecurity Study
State cybersecurity in a heightened risk environment
A joint biennial report (7th edition) from Deloitte and the National Association
of State Chief Information Officers (NASCIO)About the authors
Srini Subramanian | ssubramanian@deloitte
Srini Subramanian is a principal in Deloitte & Touche LLP’s Cyber practice and is the Global Industry
leader for Risk Advisory in the government and public services industry. He has 35 years of IT
experience and 25 years of cyber risk services experience in the areas of information security strategy,
innovation, governance, identity, access management, and shared services. Subramanian actively
participates in National Governors Association Cyber Policy Council, NASCIO, and various state
committees to help elevate cyber risk in government. He has coauthored the biennial Deloitte-NASCIO
Cybersecurity Study since its first publication in 2010.
Meredith Ward | mward@nascio
Meredith Ward is director of policy and research at NASCIO and has served at the association since
2013. She has more than 20 years of experience in state, local, federal, and international professional
associations. Prior to her current position, Ward worked in government and media affairs in
Washington, D.C., and acquired over a decade of experience building relationships with members of
Congress, their staff, and members of the media. She has worked extensively on issues related to
cybersecurity, IT acquisition, criminal justice, workforce, and state technology.Contents
Foreword 2
Key takeaway 1: Dealing with the talent gap 3
Key takeaway 2: Embracing the entire state 9
Key takeaway 3: Setting a new course 15
Survey analysis deep dives 19
Appendix 28
Endnotes 292022 Deloitte-NASCIO Cybersecurity Study
Foreword
Paving the path for cybersecurity
in the postpandemic age
HE SEVENTH BIENNIAL Deloitte-NASCIO identified three key takeaways critical to enhancing
Cybersecurity Study arrives at a unique the CISO’s role in the future.
Tjuncture for state chief information security
officers (CISOs) and chief information officers Dealing with the talent gap. Attracting,
(CIOs). Emerging from nearly three years of the retaining, and continually training a cybersecurity
COVID-19 pandemic, the landscape in which state workforce primed for the future has become more
CISOs operate has changed. While it may take years difficult. It is encouraging to see an increasing trend
to know which transformations wrought by the to effectively embrace the delivery of cyber services,
pandemic will endure, we know that digitization but states must reposition state employment to
has accelerated. The social distancing required by compete effectively with private sector and federal
the health crisis made digital and mobile platforms employers for millennial and Generation Z workers
the crux of work and daily life. This means that the whose workplace ideals differ from those of previous
future role of the state CISO is more important than generations. For example, the ability to work
ever, as new vulnerabilities and opportunities arise remotely, in part or in full, is now a basic expectation.
from greater use of these networks.
Embracing the entire state. In the ongoing
The 2022 survey was the result of robust effort to fortify resilience across their states, CISOs
participation by 50 states and three territories. At must extend their leadership to all levels of
this pivotal moment, we find that the state CISOgovernment, including the local level. Due to the
position has continued to gain strength andmany interactions that take place between local
authority. As noted in the last biennial study, during and state agencies, local government presents a
the early days of the pandemic, CISOs performed threat vector. CISOs should increase their
the herculean task of migrating state governmentcooperation with higher education institutions to
operations, services, and employees to a virtualact as a bridge between state and local government
environment nearly overnight. They enhancedand to also create a pipeline of cybersecurity
safeguards such as multifactor identification, risk professionals to address the talent gap.
monitoring, and incident readiness to secure a
remote workforce. As a result of these measures and Setting a new course. The postpandemic world
the dedication of state employees, state agenciesbrings new challenges and opportunities. CISOs
continued operating and providing services in theneed to have the foresight both in terms of budgets
face of immense challenges. and new technologies to keep pace with the expec-
tations of the increasingly digitized environment.
Now, CISOs have a chance to build on that
momentum to chart strategies for the post-We thank the 53 states and territories that
pandemic era. To meet the needs of an even more participated in our detailed survey. We salute your
hyperconnected age, they must tackle some dedication to safeguarding citizen data and to
longstanding challenges, while laying the securing the business of your state.
groundwork for the adoption of newer technologies
on the horizon. From this year’s survey results, we –Srini Subramanian and Meredith Ward
2State cybersecurity in a heightened risk environment
Key takeaway 1
Dealing with the talent gap
Fighting cyberthreats States face heavy competition in hiring from the
requires ready forces private sector and federal government. The private
sector is combating the talent shortage by
In 2022, the demand for high-skilled workers hasincreasing pay, flexibility, and rapid career
grown even more acute for both public and privateadvancement to appeal to younger workers.
sector employers. Reassessing their life choicesHaving lived through the experience of the
during the COVID-19 pandemic, many employees pandemic, many no longer put work at the center
joined the Great Resignation, and millennial andof their lives. Though younger workers value the
Gen Z workers are more carefully choosing sense of purpose that government jobs offer, they
workplaces that reflect their preferences. In this are also demanding greater work/life balance,
environment, the lack of cybersecurity remote work and flexibility, and opportunities to
professionals and staff remains among the top five maintain wellness.1
barriers that CISOs cite (figure 1). Despite CISOs’
growing responsibilities and the increasingMany millennial and Gen Z workers are also
sophistication of technology and threats, head looking to be part of a diverse workforce with an
counts for state cybersecurity professionals remain inclusive culture. Indeed, research shows that
about the same as in 2020 (figure 2). In addition, diverse teams, with their varying perspectives, are
over 60% of CISOs report gaps in competencies more effective and productive.
among their staff (figure 31).
FIGURE 1
Inadequate availability of cybersecurity professionals is among the top five
barriers that CISOs cite
Identify the top five barriers that you believe your state faces to address cybersecurity challenges.
20202022
01 Legacy infrastructure and solutions to support
01 Lack of sufficient cybersecurity budget (46%)
emerging threats (52%)
02 Inadequate availability of cybersecurity
02 Inadequate cybersecurity staffing (42%)
professionals (50%)
03 Legacy infrastructure and solutions to support
03 Inadequate cybersecurity staffing (46%)
emerging threats (34%)
04 Inadequate availability of cybersecurity 04 Decentralized IT and security infrastructure
professionals (28%) and operations (38%)
04 Lack of dedicated cybersecurity budget (28%) 05 Increasing sophistication of threats (29%)
Sources: 2022 Deloitte-NASCIO Cyber