Deloitte and the National Association of State Chief Information Officers (NASCIO) today released their 2022 Cybersecurity Study, "State Cybersecurity in a Heightened Risk Environment." The survey captures responses from chief information security officers (CISOs) in all 50 states and three territories about current cybersecurity trends, challenges and opportunities.

The survey found that state CISOs throughout the U.S. gained considerable strength and authority over the past few years, as they rapidly migrated government operations and services to a virtual environment and expedited digital transformations to meet the immediate needs of individuals and families. Due to the dedicated efforts of these CISOs, state agencies were able to continue providing high-quality service to their constituents, despite the challenges imposed by a global pandemic.

The 2022 Deloitte-NASCIO Cybersecurity Study captures trends, challenges and opportunities for CISOs in all 50 states.

Additional highlights from the 2022 Deloitte/NASCIO survey include:

Addressing the talent gap: In 2022, the demand for high-skilled workers has grown even more acute for public and private sector employers. In this environment, the lack of cybersecurity professionals and other staff remains among the top five barriers cited by state CISOs.
Despite CISOs' growing responsibilities and the increasing sophistication of both technology and threats, headcounts for state cybersecurity professionals remain about the same as in 2020, and more than 6 in 10 CISOs report gaps in competencies among their staffs.
Embracing the entire state: It is an imperative to provide for greater security across the entire state through a tighter collaboration with local governments and state higher education institutions. CISOs made significant progress in enhancing their stature and visibility at the state executive and legislative levels, and they are continuing to get the institutional support and resources they need.
All 50 states now have a CISO, and many are establishing new positions for chief privacy officers, chief risk officers and identity program directors.
More state legislators are codifying the role of the CISO into state law and funding the position. They are also codifying several cyber initiatives into state law, such as enterprise risk management frameworks, cybersecurity legislative councils and cybersecurity training.
More states now require CISOs to provide periodic reports to senior state officials, such as the governor, legislature and agency secretaries.
CISOs are looking to establish and activate a shared security services approach to enable a whole-of-state approach to protecting local governments and public higher education institutions.
Emerging technologies present new opportunities: In the post-pandemic digital landscape, CISOs have an even more critical role to play in guiding the evaluation and implementation of new technologies.
State CISOs confirm that many applications have migrated to the cloud. With remote work, digital and mobile platforms have become part of the fabric of daily life by which people work, communicate and transact.
States have taken a big step forward to provide digital identities for citizen services. Capabilities, such as cloud computing, artificial intelligence and robotic process automation, enable states to further enhance digital modernization in service of their missions and constituents.
"The complexity of cyber challenges that the state CISOs tackle is increasing with the need to take a whole-of-state approach involving multiple jurisdictions and stakeholders," said Srini Subramanian, principal, Deloitte & Touche LLP, and Deloitte's global risk advisory leader for government and public services. "To address these challenges, state CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next-generation of highly capable cyber talent."