IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

NASCIO: Third-Party Breaches, AI Top CISOs’ Threat Lists

New privacy responsibilities, looming threats from GenAI and breached partners, and stubborn workforce and funding problems: here’s what CISOs are thinking about in 2024.

NASCIO's Meredith Ward, Virginia's Mike Watson, New Hampshire's Ken Weeks and Deloitte's Srini Subramanian discuss the new report at NASCIO 2024.
NASCIO's Meredith Ward, Virginia's Mike Watson, New Hampshire's Ken Weeks and Deloitte's Srini Subramanian discuss the new report at NASCIO 2024.
Photo Credit: Jule Pattison-Gordon
NEW ORLEANS — State CISOs’ responsibilities are growing, and they’re bracing for rising challenges like third-party security breaches and AI-assisted cyber threats. At the same time, CISOs are struggling with familiar challenges around insufficient budgets and staffing. And the CISO post itself can be hard to keep filled: on average state CISOs now remain in office about 1.9 years, down from 2.5 years in 2022. All that’s according to the newest, biannual Deloitte-NASCIO Cybersecurity Study, released today.

Hiring for a CISO-level position can often take six months or more, and given CISOs’ short average tenures, “for a four-year cycle, you are almost saying that for a good portion of the time there may not be a CISO in the state,” Srini Subramanian, Deloitte global consulting services leader for government and public services, said Monday during the 2024 NASCIO Annual Conference.

States are also changing what they expect from their cybersecurity leaders, per the report. Many CISOs now have privacy responsibilities, whether that’s by overseeing chief privacy officers or handling both roles themselves. Eighty-six percent of states have CISOs handling privacy, a significant leap from the 60 percent who did the same in 2022.

As CISOs eye the challenges ahead, many are concerned about hackers using AI-assisted attacks — a threat 71 percent said is “very” or “somewhat” high.
Bar graph showing cybersecurity threats, according to CISOs, in 2024 and 2022.
CISOs' top cybersecurity threat concerns this year are "security breaches involving a third party," "AI-enabled attacks as a threat vector" and "foreign state-sponsored espionage." In 2022, ransomware and other malware, and phishing, topped the list.
Photo credit: Deloitte-NASCIO Cybersecurity Study

At the same time, CISOs see opportunities to use generative AI to support their own security work, with 41 percent currently using the tech and 43 percent intending to within 12 months. And security can be a natural use case for generative AI, because cyber teams already have lots of data they record, centralize and “groom” to be ready for use, so it’s just one more step to run it through an AI engine to search it for abnormalities, Virginia CISO Mike Watson said during a conference panel.

Promisingly, most CISOs are involved in helping develop their state’s generative AI strategy and policy. But, ideally, more CISOs would be part of the procurement process too, so they can ensure security is accounted for and funded from the get-go, NASCIO Deputy Executive Director Meredith Ward said during the panel.

Workforce remains one of the top challenges for almost half of states’ cyber teams. Limited hiring budgets and lengthy hiring timelines, especially for mid- and high-level positions, can be among the challenges to recruiting. States have moved the needle slightly: now only 55 percent of states take three months or more to hire a mid-level cyber employee, compared to 71 percent in 2022.

CISOs are one of the roles that can remain vacant for a half-year or more, and so those holding the title now should turn an eye to succession planning — a difficult task, however. For one, CISOs may come to require a different skill set than that held by the rest of their departments or teams, New Hampshire CISO Ken Weeks said during the panel. And, anyone training up with the CISO job specifically in mind would have no guarantee of a position opening.

“Succession planning is hard because most states’ civil service programs are not conducive to that,” Weeks said. “ … you can’t necessarily replace me until I’m gone.”
Chart comparing how long the hiring process took in 2024 compared to 2022 and 2020. In 2024, director or similar level roles took more than six months on average according to 37 percent of the respondents, compared to 46 percent in 2022.
Hiring timelines often take months, per the report.
Photo Credit: Deloitte-NASCIO Cybersecurity Study
Subramanian suggested states could make sure to have deputy CISOs, putting them in a firmer position if CISOs do leave. But Weeks reminded that in some cases, CISOs and their deputy CISOs are similar ages, and might leave their positions at similar times.

Weeks advocated for having “a fungible workforce” that welcomes people moving easily between the public and private sectors and back; and Ward praised Massachusetts’ internship program for new graduates that has seen many interns go on to work for the state.

Training and upskilling existing staff is important, too, with the report finding only 47 percent of CISOs saying their workforce has all the needed competencies.

It’s especially hard for states’ cyber teams to get around-the-clock staffing, which could be why many CISOs supplement with third-party support. That includes the 76 percent of CISOs who use outsourced security operations centers with 24/7 monitoring. Outsourcing may not always be an easy decision, however, with about a quarter of CISOs “not very confident” in their business partners, contractors and service providers’ cybersecurity practices.

And CISOs were wary of how third parties like local government and higher education fared on cybersecurity, too, the report said. In the coming fiscal year, cyber threats involving third parties will increase “somewhat,” according to 39 percent of CISOs, and will be a “very high” threat, according to 33 percent.

To better tackle such concerns, CISOs can seek more information on contractors’ cybersecurity practices, including their training and oversight measures, and can reach out to local governments and public higher education about best practices.

With temporary pandemic relief funds drying up, budgets are again a concern for CISOs. Only 51 percent said they have “adequate” funding needed to meet legal and regulatory requirements, down from 58 percent saying the same two years ago. Nearly 40 percent of states lack a dedicated cybersecurity budget line item, instead funding it from the overall IT budget. Uncertainty over how much money will be available can make planning hard.

While the State and Local Cybersecurity Grant Program was a promising idea, some CISOs said the money simply wasn’t enough to make a difference or to outweigh the administrative burden of handling the grant. Some also said the rules attached limited how useful the funds could be.

And while one-time and limited-time funding infusions can help, above all, CISOs need a reliable stream of recurring funding to tackle the continuous threats they face.

“Grants are a pain in the neck. It’s a lot of admin and overhead,” Weeks said. “The federal government needs to create something similar to highway funds for cyber: it’s just as important to infrastructure, and, until there’s a sustained, systemic way to do this, all of us are going to be winging it year to year based on begging.”
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.