Though it briefly tied digital government for the top priority last year, cybersecurity and risk management has been the No. 1 priority for state CIOs for the last 12 years. And there it is, yet again, right at the top for 2025. Surprised? Not really.
So why has cybersecurity been at the top of the list for the last 12 years, and will that change? Of course, this is because cybersecurity is complex and expansive, and with every new technology the threat landscape continues to grow. In state agencies and every large organization, cybersecurity is a journey of transforming processes and tools on a playing field that is constantly changing. Cloud transformation completely altered the cybersecurity stack that was previously deployed, modern application development increased the threat landscape with microservices and APIs, and the list goes on. Now add in artificial intelligence (AI). The CIO and CISO cyber challenge is immense. Adopting new security frameworks, integrating old with new technologies, changing processes and dealing with humans, all while remaining compliant and improving governance, makes for a long journey.
So will cybersecurity and risk management ever move off the top spot of a CIO's priority list? For that to happen, innovation must either completely stop or it must present a game-changing defense capability to CIOs. Until that happens, we believe a zero-trust strategy should be enacted in states similar to the federal government approach. The timing is right as that framework has gathered a strong backing from the cyber community, and thanks to the work of the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency, there are comprehensive tools which provide definitions and methods of approach, along with a maturity model for agencies to follow and compare their progress with the standards in the model.
Admittedly, you could say that zero trust is just another security framework, but it’s more than that. Zero trust is a data-centric cyber modernization that goes beyond the traditional, network-centric models where firewalls and sensors were expected to stop threats. Zero trust acknowledges breaches will occur and that continuous authentication and monitoring along with automated risk mitigation are all needed to protect environments and systems in a modern world where data is king. Interestingly, perhaps this year, artificial intelligence will help cybersecurity meet more of its objectives and eventually dethrone it from the top of the CIO list.
ARTIFICIAL INTELLIGENCE IS LOUD AND PROUD
2024 was the year AI went mainstream and there has been more written on AI than any other technology topic this year. Therefore, AI moving up to the No. 2 spot didn’t really surprise us. Yet we know that there is still a common misunderstanding of what AI actually is and how it will be used, supported and secured. We see AI as a foundational technology that will impact many markets, products and processes. And if you were to look at the other nine priorities in the National Association of State Chief Information Officers (NASCIO) Top 10, you will find AI embedded in many of them, including cybersecurity, digital services, workforce, legacy modernization, cloud services and even accessibility.
We appreciate the complexity of AI and how NASCIO cited specific AI use cases like public service delivery and digital assistants, and separately called out policies to guide its responsible use. Generative AI, as compared to traditional AI, is still early in its maturation and must be approached holistically. Generative AI introduces concerns around ethical uses, intellectual property ownership and privacy, so putting protective guardrails and usage policies around AI is going to be top of mind for every state CIO and CISO in 2025.
We already alluded to one clear use of AI, which is the integration of AI into cybersecurity. This was highlighted in NASCIO’s State CIO Survey, which came out in September. Traditional AI/machine learning has been embedded into cybersecurity products for years, leveraged in anomaly detection systems and behavioral analytic tools. We believe the synergy between cybersecurity and AI will continue to grow and the use of natural language processing and large language models will make cyber tools stronger and easier to use. Use of modern AI tools will also help level the playing field to combat adversaries who are armed with more powerful, AI-enabled tools. A recent survey showed that 74 percent of companies already see AI-powered cyber threats impacting their organizations. We are seeing the use of AI to make phishing attacks more realistic, increase the velocity of malware creation and distribution, and make countless other tactics more effective. CIOs and CISOs will need to address AI-powered threats with AI-powered defense mechanisms.
SURPRISE, ACCESSIBILITY MAKES THE LIST
Earlier this year, the Justice Department updated its Title II Americans with Disabilities Act rule with specific requirements for state and local governments to make web and mobile apps accessible to people with disabilities. We believe that is why, for the first time, accessibility is in the top 10 of CIO priorities, and we appreciate the renewed focus.
The government serves everyone, including people with disabilities, and so accessibility must be an integral part of every digital government initiative.
A great way to do this is to leverage the U.S. Digital Service checklist of critical requirements — where accessibility is right there on top.
STATE CIOS ARE GETTING IT RIGHT
We applaud the accomplishments that our state agencies' IT teams make each year, along with the state CIOs who drive the right priorities with a consistently challenging budget. We also acknowledge that the NASCIO Top 10 is just a consolidated list of the 50 state CIOs' priorities for 2025. It doesn’t necessarily capture the real complexities or the incredible work going on behind the scenes to address these priorities. We applaud the IT teams who work to integrate diverse solutions and educate themselves and others on new technologies and processes while driving the change management required for success. We are in an exciting, innovative time in IT, which often means short-term stress, but the impact of the effort is bigger than ever for both government and constituents!
OUR FINAL THOUGHTS
- Make zero trust happen. Zero trust is a modern cybersecurity architecture that will prepare the government for this hyperconnected, data-led, AI-assisted world. Make zero trust more than just a new security framework. Adopting and maturing your zero-trust architecture and the aligned processes will help secure agencies’ and citizens’ data, which will ensure trust in the government.
- AI is a transformative discipline and will impact so many other disciplines and processes. CIOs should continue to educate themselves and their teams on AI. They should seek to increase security with AI, and at the same time, ensure they secure their agencies' and constituents' data from the risks of AI. Finally, they should plan on workforce preparations for this transformation. AI is so transformative. Both IT professionals and non-IT employees should be trained and aware of the basics of AI, to help optimize its use and protect against its abuse.
- The government serves everyone. Accessibility being in the top 10 is an important message for residents who deal with disabilities. Don't look at this as just a compliance checkbox: look at this as a mission to support all your constituents and make accessibility an integrated part of the digital services priority.