1、2022 Deloitte-NASCIO Cybersecurity StudyState cybersecurity in a heightened risk environmentA joint biennial report(7th edition)from Deloitte and the National Association of State Chief Infor������mation Officers(NASCIO)Srini Subramanian|Srini Subramanian is a principal in Deloitte&Touche LLPs Cyber pract
2、ice and is the Global Industry leader for Risk Advisory in the government and public services industry.He has 35 years of I�����T experience and 25 years of cyber risk services experience in the areas of information security strategy,innovation,governance,identity,access management,and shared services.Su
3、bramanian actively participates in National Governors Association Cyber Policy Council,NASCIO,and va��������rious state co���mmittees to help elevate cyber risk in government.He has coauthored the biennial Deloitte-NASCIO Cybersecurity Study since its first publication in 2010.Meredith Ward|mwardnascio.orgMere
4、dith Ward is director of policy and������� research at NASCIO and has served at the association since 2013.She has more than 20 years of experience in state,local,federal,and international professional associations.Prior to her current position,Ward worked in government and media affairs in Washington,D.C.
5、,and acquired over a decade of experience building relationships with members of Congress,their staff,and members of the media.She has worked extensively���� on issues related to cybersecurity,IT acquisition,criminal justice,workforce,and state technology.About the authorsContentsForeword 2Key takeaway
6、1:Dealing with the talent gap 3Key takeaway 2:Embracing the entire state 9Key takeaway 3:Setting a new course 15Survey analysis de��������ep dives 19Appendix 28Endnotes 292ForewordPaving the path for cybersecurity in the postpandemic ageTHE SEVENTH BIENNIAL Deloitte-NASCIO Cybersecurity Study ar�����rives at a u
7、nique juncture for state chief information security officers(CISOs)and chief information officers(CIOs).Emerging from nearly three years of the COVID-19 pandemic,the landscape in which���� state C����ISOs operate has changed.While it may take years to know which transformations wrought by the pandemic will
8、endure,we know that digitizatio������n has accelerated.The social distancing required by the health crisis made digital and mobile platforms the crux of work and daily life.This means that the future role of the state CISO is more important than ever,as new vulnerabilities and opportunities arise from gre
9、ater use of these networks.The 2022 sur��������vey was the result of robust participation by 50 states and three territories.At this pivotal moment,we find that the state CISO position has continued to gain strength and authority.As noted in the last biennial study,during the early days of the pandemic,CISO
10、s performed the herculean task of migrating state government operations,services,an������d employees to a virtual environment nearly overnight.They enhanced safeguards such as multifactor identification,risk monitoring,and incident readiness to secure a remote workforce.As a result of these measures and t
11、he dedication of state employees,state agencies continued operating and providing services in the face of immense challenges.Now,CISOs have a chance to build on that momentum to chart������� strategies for the post-pandemic era.To meet the needs of an even more hyperconnected age,they must tackle some long
12、standing challenges,while laying the groundwork for the adoption of newer technologies on the horizon.From this years survey results,we identified three key takeaways critical to enhancing the CISOs role in the future.Dealing with the����� talent gap.Attracting,retaining,and continually training a cybers
13、ecurity workforce primed for the future has become mor�������e���� difficult.It is encouraging to see an increasing trend to effectively embrace the delivery of cyber services,but states must reposition state employment to compete effectively with private sector and federal employers for millennial and Generat
14、ion Z workers whose workplace ideals differ from those of previous generations.For e�����xample,the ability to work remotely,in part or in full,is now a basic expectation.Embracing the entire state.In the ongoing effort to fortify resilience across their states,CISOs must extend their leadership to all l
15、evels of government,including the local level.Due to the many interactions that take place between local and state agencies,local government presents a threat vector.CISOs should increase their cooperation with higher education institutions to act as a bridge between state and local gover������nment and t
16、o also create a pipeline of cybersecurity professionals to ad�������dress the talent gap.Setting a new course.The postpandemic world brings new challenges and opportunities.CISOs need to have the foresight both in terms of budgets and new techno������logies to keep pace with the expec-tations of the increasingly
17、 digitized environment.We thank the 53 states and territories that participated in our detailed survey.We salute your dedication �������to safeguarding citizen data and to securing the �������business of your state.Srini Subramanian and Meredith Ward2022 Deloitte-NASCIO Cybersecurity Study3Key takeaway 1Dealing w
18、ith the talent gapFighting cyberthreats requires ready forcesIn 2022,the demand fo�����r high-skilled workers has grown even more acute for both public and private sector employers.Reassessing their life choices during the COVID-19 pandemic,many emp�����loyees joined the Great Resignation,and millennial and G
19、en Z workers are more carefully choosing workplaces that reflect their preferences.In this environment,the lack of cybersecurity professionals and staff remains among the top five barriers that CISOs cite(figure 1).Despite CISOs growing respon�������sibilities and the increasing sophistication ������of technolog
20、y and threats,head counts for state cybersecurity professionals remain about the same as in 2020(figure 2�������).In addition,over 60%of CISOs report gaps in competencies among their staff(figure 31).States face heavy c������ompetition in hiring from the private sector and federal government.The private sector i
21、s c�������ombating the talent shortage by increasing pay,flexibility,and rapid career advancement to appeal to younger workers.Having lived through the experience of the pandemic,many no longer put work at the center of their lives.Though younger workers value the sense of purpose������ that government jobs offe
22、r,they are also demanding greater work/life balance,remote work and flexibility,and opportunities to mainta�������in wellness.1 Many millennial and Gen ������Z workers are also looking to be part of a diverse workforce with an inclusive culture.Indeed,research shows that diverse teams,with their varying perspect
23、ives,are more effective and productive.Sources:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte I������nsights| Legacy infrastructure and solutions to support emerging threats(52%)02 Inadequate availability of cyberse����curity professionals(50%)03 Inadequate cybe
24、rsecurity staffing(46%)04 Decentralized IT and security infrastructure and operations(38%)2020202205 Increasing sophistication of threats(29%)01 �����Lack of sufficient cybersecurity budget(46%)03 Legacy infrastructure and solutions to support emerging threats(34%)02 Inadequate cybersecurity staffing(42%
25、)04 Inadeq������uate availability of cybersecurity professionals(28%)04 Lack of dedicated cybersecurity budget(28%)FIGURE 1Inadequate availability of cybersecurity professionals is among the top five barriers that CISOs citeIdentify the top five barriers that you believe your state faces to address cybers
26、ecurity challenges.01020304050State cybersecu�����rity in a heightened risk environment4States are not meeting many of the demands of this new generation of tech workers.The top factors with which CISOs attra������ct and retain talent remain largely the same as in years past.They include the opportunity to ser
27、ve the public,job stability,and a retirement plan(figure 3).Only 25%of states reported using remote w������ork as a talent at����traction tool(figure 4).This is somewhat surprisingly low,as CISOs have worked hard to ensure the security of work-from-home arrangements,with more than half expressing confidence i
28、n these efforts(figure 5).Moreover,the labor market is increasingly offering workers the option to work from home.In addition,state CISOs are working to incorporate dive�����rsity,equity,and inclusion(DEI)practices,such as designating a DEI leadership pos�������ition or teams to foster a culture of inclusion.In
29、 some cases,there was incomplete awareness of the DEI practices in place(figure 6).The long process th�������at state CISOs must complete to hire staff at every level is giving competitors a better shot at hiring the best talent.About half of respondents say it takes three to six months to hire mid-level p
30、ersonnel and more than six months to hire director-������level personnel(figure 7).To close the gap,CISOs c������ontinue to rely on staff augmentation(figure 8).States are demonstrating more interest in outsourcing specific function areas and contracting with managed service providers(figure 9).For example,more
31、 than half of respondents report outsourcing security operations center functions,which require 24x7 monitoring(figure 10).Sources:2022 Deloitte-NASCIO Cybers������ecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| full-time equivalents1625 full-time equiv��������alents615 full-time equ
32、ivalents2650 full-time equivalents51 full-time equivalentsNot applicable/dont knowOther(such ������as part-time professionals)Enterprise security officeState agencies(excluding the enterprise security office)14%10%2%16%22%16%18%FIGURE 2Head counts for state cyberse�������curity professionals havent changed much
33、since 2020How many dedicated cybersecurity professionals does your state employ?(Do not include contractors in this count.)2020 2022 12%27%25%17%17%2%16%30%18%16%20%2022 Deloitte-NASCIO Cybersecurity Study5Sou������rces:2022 Deloitte-NASCIO Cybersecurity Study;2020 Deloitte-NASCIO Cybersecurity Study;2018
34、 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 3The top factors to attract and r�������etain talent include the opportuni������ty to serve the public,job stability,and a retirement planWhat are the top three factors to attract and retain cybersecurity talent to work for your state?2018 2020 2022Opportun
35、ity to serve andcontribute to your state���Job stabilityPension/retirement plan53%41%37%28%35%52%46%56%54%Source:2022 Deloitte-NASCIO Cybersecurity Study.FIGURE 4Only 25%of states reported offering remote work as a way to att�����ract cybersecurity talentIdentify the top three talent management practices fo
36、llowed by your state to attract and retain sta����te cybersecurity workforce.Highlight greater stability,with less nonvoluntary turnover than in the private sectorPromote nonsalary benefitsCross-train and develop state IT workforce�������Cybersecurity internship programsActive use of social mediaFlexible work
37、location/remote within the state40%37%33%31%27%25%17%Relationship with state universities and facultySource:2022 Deloitte-NASCIO Cybersecurity Study.FIGURE 5Most CISOs have high confidence in the security of their work-fr����om-home arrangements How confident are you that your states information assets
38、are protected from the following types of cyberthreats?Extremely confident Very confident Somewhat confident Not very confident N/A or dont knowThreats originating from remote work solution and process4%31%54%10%2%State cybersecurity in a heightened risk environment6Source:2022 De�������loitte-NASCIO Cyber
39、security Study.FIGURE 6Many CISOs reported incomplete awareness of the DEI practices in their organizations The following are practices to improve DEI within an organization.Please select the degree to which you agree with����� each statement as it applies to your organization.(1=Strongly disagree,5=Stro
40、ngly agree)My organization has est����ablished DEI leadership positions5Dontknow4321My organization uses external talent platforms and agencies to increase access to diverse full-time employeesMy organization has established DEI teams,groups,etc.,to support fostering a culture of inclusion5Dontknow43215
41、�����Dontknow43218%6%19%23%21%23%15%12%17%6%10%40%6%�����12%19%19%23%21%Source:2022 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 7The time taken to hire talent is delaying the process and putting states at a disadvantageWhat is the average time to initiate and complete the hiring process for a cyber
42、security position in the enterprise security office?Entry-level Mid-level Director-level6 months2%0%4%25%48%17%50%12%31%31������%21%46%2022 Deloitte-NASCIO Cybersecurity Study7Source:2022 Deloitte-NASCIO Cybersecurity Study.35%19%17%2%6%21%0%21%17%6%6%50%15 f����ull-time equivalents1625 full-time equivalents6
43、15 full-time equivalents2650 full-time equivalents51 full-time equivalentsNot applicable/dont knowEnterprise security officeState agencies(excluding the enterprise security office)��������FIGURE 8CISOs regularly contract for cybersecurity professionals If your state has staff/specialist augmentatio�������n,indicat
44、e the number of cybersecurity professional �����contractors employed.Sources:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.FIGURE 9Many states want to outsource specific function areas and contract with managed service providersIf you selected“Staff has gaps in ����com
45、petencies,”how does your state plan to close the competency gap?2020 2022 Provide training to staff who are developingthe required competenciesUse specialist augmentation Outsource certainfunction���al areasContracting with a managed security servi������ces provider97%94%81%69%63%40%78%51%State cybersecurity
46、 in a heightened risk environment8Sources:2022 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 10CISOs rely on outsourc������ing for security operations center functionsWhat cybersecurity functions does your state outsource(partially/complet������ely)?(Please select all that apply.)Security operations ce
47、nter(inclu�����ding 7x24x365 monitoring)Cyber threat����� risk assessmentsSecurity events/audit-log analysis and reportsIncident responseCyber threat management servicesForensics/legal support52%40%38%31%27%25%Source:2022 Deloitte-NASCIO Cybersecurity Study.FIGURE 11CISOs have more confidence in the cybersecu
48、rity practices of contractors than other third partiesHow confident are you in the cybersecurity practices of your �����third parties?Third partiescontractors,service providers,and business partners Local government entities Public higher education ent�������ities ExtremelyconfidentVeryconfidentSomewhatconfiden
49、tNot veryconfidentNot applicable/dont know0%0%0%4%8%17%38%52%52%15%10%10%62%31%2%Call to actionAs they continue to������� compete with the private sector and federal government for talent,CISOs have an opportunity to reboot efforts to attract and retain up-and-coming cyber professionals by������ providing more o
50、f the workpl������ace attributes �����they seek and to develop a more effective pipeline for fresh talent.Transform state employment practices to attract next-generation workers.The technology talent shortfall has reached a critical juncture.Although CISOs do not control state hiring practices,they need to mak
51、e a case for a transformation of public talent management or face increasingly untenable talent short������ages.To attract the best talent,states can take steps such as offering remote work options,providing an opportunity to work with up-to-date tech tools,shortening the hiring ����cycle,modernizing job titl
52、es and classifications using the National Initiative for Cybersecurity Education(NICE)framework,and other measures.Turn to external resource�������s to fill the gap.As CISOs continue to build a robust in-house staff,they can turn to private-public partnerships to close the gap.Management of third-party ven
53、dors is maturing,as CISOs rely on them more to provide not only securities operations center functions,but also forensic and legal support and cyberthreat risk assessments(figure 10).CISOs have more confidence in the cybersec��������urity practices of contractors than other third parties such as local gover
54、nments and higher education(figure 11).2022 Deloitte-NASCIO Cybersecu��������rity Study9Key takeaway 2Embracing the entire stateTighter collaboration with local governments and state higher education ins��������titutions provides greater security across the stateCISOs have made significant progress not only within
55、the executive branch but also with state legislatures,and they are beginning to get the institutional support they need.Notably,state legislators are codifying into law various roles of the CISO and providing funding for initiatives such as ente����rprise risk management frameworks,cybersecurity legisla
56、tive councils,and cybersecurity training(figure 12).Many states now also require CISOs to provide periodic reports to senior state levels,such �������as the governor,legislature,and secretaries of state(figure 13).Yet,CISOs relationships with other important entitiessuch as local,city,and county government
57、s;public higher education institutions;health care systems;and the private sectorare lagging.To build more resilient cyber safeguards,CISOs need to collaborate and������� share information on cyberthreats with all levels and branches of government and the private sector within state Source:2�����022 Deloitte-NA
58、SCIO Cybersecurity Study.44%42%23%23%25%Legislation/sta��������tute established and funded8%12%13%8%13%Legislation/statute established and not funded2%2%4%4%6%Legislation/statute in progress46%44%60%65%56%Legislation/statute not in placeFIGURE 12State legislators are codifying and funding CISO rolesWhat is
59、the current status of your states cyber legislation/statutes for each of the following cybersecurity provisions?Role and authority of the enterprise CISO or equivalentState-level cybersecurity program and framework for enterpr�����ise risk managementCyberthreat information sharing program between state a
60、gencies,law enforcement,and private entitiesCybersecurity workforce development and trainingCybersecuri�������ty legislative c���ouncil or equivalent to do a periodic review and steer the states cybersecurity posture,and allocate fundingState cybersecurity in a heightened risk environment10Source:2022 Deloitt
61、e-NASCIO Cybersecurity Study.Deloitte Insights| secretary17%17%19%38%8%�������12%6%29%12%42%38%12%6%23%21%StatelegislatureFIGURE 13Many states now also require CISOs to provide periodic reports to executive leadershipOn what schedule are you required to provide reports on cybersecurity status or posture of
62、 the enterprise cybersecurity office to the following authorities and stakeholders?Never Monthly Quarterly Annual������ly Ad hocborders.A whole-of-state approachencompassing this full array of stakeholdersis key to fortifying protections wherever vulnerabilities may occur.A centralized model of state cybe
63、rsecurity governance,where the CISOs office leads the cybersecurity efforts of state agencies and collaborates with local governments and public higher education,helps strengthen state cybersecurity overall.A more centralized state budge�������ting process also enables CISOs to know where and how funds are
64、 allocated and helps reduce duplicative expenditures.Even at the state level,however,it is interesting to note that nearly one-third(29%)of respondents leave cyber incidents to agencies them������selve����s to manage,rather than to a central IT security group.Overall,CISOs relationships with local governments
65、 and public higher education institutions trail�������s that with state-level agencies.Currently,most CISOs actively engage with technology decision-makers and state business decision-makers in formulating state cybersecurity strategies,but few engage local governments and state public education institutio
66、ns(figure 14).Few local government and public higher education institutions have adopted core CISO enterprise cyberse�������curity services,including security awareness,incident response,risk and vulnerability Source:2022 Deloitte-NASCIO Cy������bersecurity Study.Deloitte Insights| government entities other than
67、 education State colleges and universitiesK-������12 schools and school districtsCommunity colleges35%58%6%29%63%6%27%58%12%23%56%17%FIGURE 14Not many CISOs engage with local governments and state public education institutions for cybersecurity strategiesHave you collaborated with any of the following ent
68、ities as part of your states security program during the past year?No collaboration Limited collaboration Strong collaboration2022 Deloitte-NASCIO Cybersecurity Study11assessments,threat monitoring and security operations centers,and identity and access management to the same extent as state agen��������cie
69、s(figure 15).Whi������le the level of adoption by local governments and public higher education may also depend on the availability of services offered by the state to them,the contrast in the level adoption indicates the need for attention.As an example,less than half of CISOs provide cybersecurity train
70、ing to local government and public higher education staff,while the extent of adoption of such training to state agencies and contractors is more mature(figure 16).Source:2022 Deloitte-NAS�������CIO Cybersecurity Study.Deloitte Insights| 15State agencies are increasingly adopting enterprise security servic
71、es;however,local governments and public higher education are in early stages of adoptionWhat is the degree of����� adoption of your enterprise security services among your agencies?(1=Least ad��������opted,5=Most adopted)State agencies Local governments Public higher educationSecurity awarenessIncident responseR
72、isk and vulnerability assessments6%2%6%19%67%2%6%15%23%5������4%8%10%17%19%46%Threat monitoring/security operations centerIdentity and access management4%8%12%21%52%12%2%29%15%35%19%10%21%8%8%1�������5%17%17%12%6%15%10%29%2%4%15%15%10%8%8%19%13%8%4%4%12%12%10%8%8%8%19%12%12%15%2%19%15%8%6%2%15%8%10%4%2%17%12%13%
73、0%23451234512345State cybersecurity in a heightened risk environment12Source:2022 Deloitte-NASCIO Cybersecurity Study.YesYes,but only where mandated by laws/regulationsNoNot applicable/dont knowSt������ate staff and contractorsLocal government and public higher education staff and contractors92
74、%2%4%2%31%10%42%17%FIGURE 16CISOs are training state staff and contractors much more than their local and higher education counterpartsDoes your state provide cybersecurity training(at lea��������st annually)to:CISOs report having more confidence in the cyberse�������curity practices of third-party vendors than th
75、ose of local government and public higher education(figure 11).Indeed,CISOs often have little visibility into these entities.Many report that they dont know how local governments and public higher education �������institutions are managing their third-party contra������ctors,for instance.As new federal grants fo
76、r cybersecurity become ava����������������ilable,CISOs have an opportunity to build closer collaboration with local government entities.The Infrastructure and Investment Jobs Act(IIJA)of 2021 provides the first federal grant program earmarked specifically for cybersecurity.The IIJAs State&Local Cybersecurity Grant
77、Program,administered by the Department of Homeland Security,provides federal funds to strengthen the cyber resilience of state and local grant recip�����ients.State&Local Cybersecurity Grant requires that state recipients allocate 80 percent of grant funds to local government������ entities.Our survey shows 46
78、 states and territories plan to apply for grants from this program.The grants can enable the delivery of shared services to local������� governments.With the funds,states anticipate requiring local governments to implement measures including cybersecurity training,risk assessments,security monitoring,incid
79、ent response,endpoint detection,and vulnerability management(figure 17).In addition,the American Rescue Plan Act of 2021 provides stimulus funding for a variety of activities including cybersecurity.Responde������nts indicated they had leveraged ARPA for a variety of cybersecurity needs,the most common be
80、ing defense technology including endpoint protection,identity and access management,and security operations center(figure 18).The availability of these funds is not enough to guarantee progress at the local government level,however.Indeed,CISOs see challenges ahead in implementing these������ federal gran
81、t programs.More than 60%of responden������ts report that the biggest barrier to successfully meeting the requirements of federal grant programs is resistance by local government to state oversight(figure 19).States should consider using local institutions of �������higher education to serve as regional hubs that
82、 connect local���� governments to the whole-of-state approach to cybersecurity,perhaps through a shared SOC model.2022 Deloitte-NASCIO Cybersecurity Study13Source:2022 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 17States anticipate requiring local governments to implement measures including c
83、ybersecurity training,risk assessments,and security monitoringIn order for local governments to receive funds under the State and Local Cybersecurity Grant Program,what cyber components will your stat���������e require local governments to imp����lement?Cybersecurity trainingRisk assessmentsSecurity monitoringIn
84、cident responseVulnerability managementEndpoint detectionDotGov domain adoption61%51%51%47%45%43%41%35%Identity and access management/multifactor authenticationSource:2022 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 18Top three areas where ARPA was u���sed for cybersecurity������Please select the
85、areas where you have consumed o����r plan to consume funding from the American Rescue Plan Act(ARPA)of 2021.(Please select all that apply.)Defense technology includingendpoint protectionIdentity and access managementSecurity operations center37%35%35%Call to actionCloser �������working relationships between st
86、ate CISOs and local governments and public education entities could go a long way in reducing the states cyber risk exposure.CISOs have an opp���������ortunity to improve state cybersecurity with these measures������.Advocate for a whole-of-state approach.For CISOs to be more effective in taking a whole-of-state a
87、pproach,they first need mechanisms to promote collaboration within the executive branch.They should explore executive or legislative establishment of appropriate tools to foster wh��������ole-of-state coordination authority.States also have an opportunity to bolster their security by ensuring that state law
88、s recognize and fund cybersecurity for local,city,and county governments and higher education institutions.State CISOs can highlight the importance of such legislation before state legislators.Only 10%of r��������espondents report having such legislation,and more than half report no such legislation.In addi
89、tion,many states are exploring creative governance by establishing a joint cybe��������r task force or shared services initiatives to establish a whole-of-state approach.CISOs can use these councils and �������task forces to build closer collaboration with local governments and public higher education entities(fig
�����90、ure 20).State cybersecurity in a heightened risk environment14Source:2022 Deloitte-NASCIO Cybersecurity Study.Local government resistance to state oversightAbility to effectively/rapidly procure cyber services/products for de��������veloping and/or implementing planDeveloping a fully compliant cybersecurity
91、 planObtaining consensus agreement and approval of cybersecurity planFormi�������ng a fully compliant and representative cybersecurity planning committeeOther63%45%43%41%18%10%FIGURE 19Most respondents cite resistance from local government to state oversight as the biggest barrier to meeting the requiremen
92、ts of federal grant programsWhat have been,or do you anticipate will be,the most significant barriers to successfully meeting the requirements of the St�����ate and ������Local Cybersecurity Grant Program and reducing cyber risk to your state and local governments?(Please select all that apply.)Use federal gra
93、nts to promote collaboration with loca����l governments.CISOs can use the opportunity provided by the State&Local Cybersecurity Grant Program to build clo�����ser collaboration with local governments on cyber protections,including cybersecurity training at local government levels.The experience could pave th
94、e way for future collaboration.Source:2022 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 20CISOs indicated limited collaboration was occurring with local governments and public higher education entitiesDoes your state actively engage with the following stakeho���lders in identifying requiremen
95、ts������� for the states cybersecurity strategy?(Please select all that apply.)States technology decision-makersStates business decision-makers90%75%52%29%25%19%6%Formal established cybersecurity council or taskforce by the governor or legislatureLocal governmentsPublic higher educationPrivate sector(like
96、u��������tilities,health care,IT,and cyb������ersecurity organizations)Not applicable/dont know2022 Deloitte-NASCIO Cybersecurity Study15Key takeaway 3Setting a new courseEmerging from the pandemic,CISOs can position themselves for the futureNearly three years since the pandemic began,the world in which CISOs ope
97、rate ������has changed.In the realm of technology,many applications have migrated to th����e cloud.And with remote work,digital and mobile platforms have become part of the fabric of daily life by which people work,communicate,and transact.Remote or hybrid work may become a permanent fixture,posing new manage
98、ment challenges.Citizens,now used to the convenience of remote access,are likely to demand more and improved digital experiences ������from governmentfor everything from renewing licenses to paying taxes to receiving state benefitsall the while expecting security and privacy safeguards of their informatio
99、n.The role of the state CISO only grows in importance in this environment.Bad actors expl�����oited the dispersed work-from-home arrangements during the pandemic,increasingly indulging in activities such as ransomware attacks and financial fraud.Geopolitical developments also added to the complications w
100、ith foreign state-sponsored espionage and threats to election security.All the while,new technologies from cloud computing to artificial intelligence offer both new capabilities and vulnerabilities to consider.To forge ahead��������,CISOs need to secure the basicsa sound budgetary foundationwhile they consi
101、der new �������technological c���apabilities to modernize operations and constituent services.Firm financial footing sets a lasting foundation For the first time since this survey began in 2010,CISOs are reporting that budgetary concerns are no longer a top barrier to cybersecurity initiatives.The lack of a s
102、ufficient cybersec�����urity budget didnt even rank in the top five concerns landing behind legacy infrastructure,talent shortage,and other issues(figure 1).Over the last year,state receipts were greater than expected due to pandemic relief funds and other factors.In fiscal year 2022,state budget spendin
103、g grew at 13.6%,the highest increase in more than 40 years,and in fiscal year 2023,state budget spendi������ng is expected to grow by 4.2%over prior year levels.2 Meanwhile,state and local governments are poised to receive new cybersecurity grants over the next four years under the State&Local Cybersecuri
104、ty Grant Program.It is unclear how long this positive budgetary scenario will last.But at thi�������s unique moment,CISOs have a chan�������ce to make greater progress on their priorities.To assume a leadership role appropriate to oncoming challenges in the postpandemic era,states must establish a sound financial
105、 foundation for the long run for cybersecurity.As digitization increasingly becomes widespread,state cybersecurity funding cannot be left to chance year after year.CISOs need to be able to draw upon a constant,dependable source of funding����� throughout different economic and political cycles.Most state
106、s do have a dedicated budget line item for cybersecurity,whether established by law,executive order,or other mechanisms(figure 21).State cybersecurity in a heightened risk environment16In those states that have not,CISOs������� and CIOs must continue to push for it.Establishing cybersecurity as a governmen
107、tal priority with a budget line item can help state CISOs and CIOs raise funding levels before state legislature and executive branch leaders.Certainly,CISOs concur that regulations backed by a commitment for funding are more effective than thos���e without one(figure 22).States are beginning to make s
108、ome progress on cybersecurity budgets.For the first time,a handful are allocating more than 10%of their budget to cybersecurity,in alignment with federal government levels,3 but most still allocated between 210%(figure 23).CISOs need to continue to establish more����� secure and adequate funding,as only
109、with such funding can they formulate longer-term strategies to incorporate pressing priorities,suc�����h as emerging technologies.Source:2022 Deloitte-NASCIO Cybersecurity Study.Yes,established by statu�����te or lawYes,established by secretary or CIOYes,established by administrative rule,regulation,or proced
110�������、ureYes,established by an executive(governors)orderNo,as part of the overall IT budgetOtherNot applicable/dont know21%10%4%46%2%15%FIGURE 21Most states have a dedicated bu�������dget line item for cybersecurity Does your state have a cybersecurity budget line item?Source:2022 Deloitte-NASCIO Cybersecurity S
111、tudy.FIGURE 22CISO��������s concur that regulations backed by a commitment for funding are more effective than those without one How effective are applicable federal and state cybersecurity regulations at improving your states cybersecurity posture and reducing risk?(1=Least effective,5=Most effective)State
112、 regulations/legislation with commitment for fundingState regulations/legislation without commitment for fundingFederal regulations with �������commitment for funding Federal regulations without commitment for funding1234510%23%29%35%4%1234525%31%13%4%21%1234527%27%29%12%2%1234510%23%33%15%15%2�������022 Deloitte
113、-NASCIO Cybersecurity Study17Source:2022 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| than 10%Not applicable/dont knowAll e��������xecutive branch agenciesEnterprise security officeFIGURE 23A handful of states are allocating more than 10%of their IT budget to cybersecurity What percentage of your
114、states IT budget is allocated to cybers��ecurity?Emerging technologies present new opportunitiesIn the postpandemic digital landscape,CISOs have a critical role to play in actively guiding the evaluation and implementation of useful new technologies.Citizens accustomed to positive digital experiences
115、in other realms have come to expect that from state government.Many states have taken a big step forward in this regard by providing digi�������tal identities for citizen services.Capabilities,such as cloud computing,artificial intelligence,and Robotic Process Automation(RPA),allow states an opportunity to
116、 further enhance digital modernization in service of their missions and constituents.Active participation in the state innovation agenda also provides �������CISOs benefits such as greater visibility with other state leaders.To serve as a partner in innovation,the key is to be a leader to advocate for and
117、en�������able new technologies in a secure fashion.By establishing involvement from the onset in the evaluation of emerging technologies,CISOs can best help ensure that cybersecurity is baked into new applications before procurement and during implem������entation.In the last few years,CIOs have worked with many
118、 innovations,such as RPA,chatbots,and other AI tools to stream�����line and improve citizens digital experience.Meanwhile,they have also had to contend with many issues involving legacy infrastructure,cited as first among CISOs top barriers(figure 1).Overall,cyber strategy ra�������nked as the top priority for
119、CISOs while emerging technologies such as artificial intelligence ranked low(figure 24).State cybersecurity in a heightened risk environment18Source:2022 Del�����oitte-NASCIO Cybersecurity Study.Deloitte Insights| 24Majority of states focused on cyber strategy,multifactor authentication,and risk assessme
120、nts as upcoming initiativesIdentify your states top five cybersecurity initiatives for 202223.Cybersecurity strategyMultifactor authenticat������ionRisk assessmentsMalware detection and mitigationRemote workforce managementRobotic process and automation/artificial intelligence29%27%25%6%4%2%Highest respon
121、sesLowest responsesCall to actionTo meet the challenges of a postpandemic world,CISOs have an opportunity to lay solid groundwork to fund������ states growing cybersecurity needs,while investing in technologies for the future.Lay a sound financial foundation.To ensure ongoing funding support through vario
122、us economic and political������� cy�������cles,CISOs and CIOs should continue to push for cybersecurity as a distinct line budget item in states where this has not occurred.In their regular reports to state leadership,they should continue to underscore the importance of cybersecurity as a priority and the need fo
123、r consistent and adequate fu����nding.State CISOs with a multiyear strategic plan secure funds more successfully than those that dont.Annual update�������s on progress over the last year and overviews of plans for the next year make a big difference in positioning cybersecurity as a business enabler.Build the
124、cornerstones of the futurecloud and emerging technology.With solid funding,CISOs can embrace underpinnings of the fut������ure,including the continued adoption of cloud and other new technologies to enable the smarter government services.A key challenge is to maintain the security of existing capabilities
125、 even as more functions migrate to the cloud.In one example,many states have made good progress providing strong authentication while eliminating passwords,boosting both security and convenience.2022 Deloitte-NASCIO Cybersecurity Study19Survey analysis deep dives Strategy and go�����vernanceSources:2022
126、Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 25Allstates now have a CISO,although not all territories do,and many are establishing positions for CP���Os,CROs,and identity program directors Does your state have the following enterprise-level positio
127、ns?2020 2022 CISOCPO or equivalent(Chief privacy officer)CRO or equivalent(Chief risk officer)Identity program directoror equivalentYesNoN/A0%0%4%2%96%98%YesNoN/A2%4%62%65%37%31%YesNoN/A8%4%65%71%27%25%YesNoN/A10%6%6��������7%76%23%18%Sources:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloi�����tte-NASCIO
128、 Cybersecurity Study.Deloitte Insights| 26More CISO positions are now established b����y state lawWhat mechanism establishes your states CISO or equivalent positions authority over the other organizational entities for which it has responsibility?2020 2022Authority establishe��d by state statute or lawAut
129、hority established by state secretary or CIOAuthority established by state administrative rule,regulation,or procedureAuthority established by a state executive(governors)orderAuthority established by a state interagency agreementNo formal established authority50%54%20%10%10%����18%60%50%23%6%4%29%State
130、 cybersecurity in a heightened risk environment20Sources:����2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 27CISOs are required to provide more regular reports on the states cybersecurity status to state leaders,including the governor,legislatur
131、e,and agency secretaryOn what schedule are you required to provide reports on cybersecurity status or posture of the enterprise cybersecurity office to the following authorities���� and stakeholders?2020 2022GovernorState legislatureMonthlyQuarterlyQuarterlyNeverNeverMonthlyAnnuallyAnnuallyAd h�����ocAd hocS
132、������ecretary/deputy secretaryMonthlyQuarterlyNeverAnnuallyAd hoc8%19%17%17%18%22%10%12%33%38%22%12%12%29%42%10%6%2%20%39%22%22%33%10%21%23%38%12%6%4%2022 Deloitte-NASCIO Cybersecurity Study21Sources:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.FIGURE 28State agen
133、cy adoption of CISO services,such as identity and access management,security awareness,incident response,and risk and vulnera����bility assessments is generally increasingWhat is the degree of adoption of your enterprise security services among state agencies(1=Least adopted,5=Most adopted)?2020 2022Sec
134、urity awarenessIncident responseRisk and vulnerability assessmentsThreat monitoring/security operations centerIdentity and access management123452%�������12%12%16%14%15%29%24%24%35%123454%4%8%6%12%10%52%57%24%21%123450%6%6%19%31%67%57%8%2%4%123452%4%6%4%15%24%23%22%54%47%123456%10%10%17%27%46%35�����%19%22%8%St
135、ate cybersecurity in a heightened risk environment22Sources:2022 D������eloitte-NASCIO Cybersecurity St������udy and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| of greaterthan 10%Increase of6%10%Increase of1%5%Budget has remainedthe same23%16%6%35%12%23%31%31%Only 2%of states reduced their cyber
136、security budg������et by 1%5%in 2022.FIGURE 29Thirty states reported increases to their cybersecurity budget over the past yearPlease select the option which best describes the year-over-year trending in your states cybersecurity budget for years 2020 and 2021.2020 2022Sources:2022 Deloitte-NASCI������O Cyberse
137、curity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 30States reported making progress in esta����blis�����hing a cybersecurity budget line item by law or executive order Does your state have a cybersecurity budget line item?2020 202218%Yes,established by statue or lawYes,established
138、by secretary or CIOYes,established by administrative rule,regulation,or procedureYes,established by an executive(governors)orderNo,as part of the overall IT budget21%15%4%46%10%0%10%1������0%57%16%Budget2022 Deloitte-NASCIO Cybersecurity Study23Cyber workforceSources:2022 Deloi��������tte-NASCIO Cybersecurity Stu
139、dy and 202���0 Deloitte-NASCIO Cybersecurity Study.FIGURE 31Most CISOs report that staff has a gap in competenciesDo your internal cybersecurity professionals have the required competencies(i.e.,knowledge,skills,an�������d behaviors)to handle existing and foreseeable cybersecurity requirements?2020 2022Staff
140、has the requiredcompetenciesStaff has gap in competencies38%28%62%70%Identity and access manag�������ementSources:2022 Deloitte-NASCIO ������Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 32Most states are offering enterprisewide identity and access management(IAM)Does your s
141、tate provide an enterprisewide �����IAM solution?2020 2022 Yes,all agencies under the governors jurisdiction are coveredYes,a partial list of agencies under the governors jurisdiction is coveredNo,but performing or plan to perform a product selectionNo,but plan to implement No,do not plan to implement31%
142、29%23%8%4%35%31%23%2%8%State cybersecurity in a h�������eightened risk environment24Sources:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 33Security,end-user experience,and compliance are the top drivers for en�����terprise IAM programOn a scale of 1 to
143、 5,how important are t���he following reasons to your IAM investment decisions?(1=Least important,5=Most important)2020 2022Operational efficiency/cost savingsImproved end-user experience������single credential for citizen access23451234512345Security12345ComplianceStandardizationIAM framework,app
144、lication development,and user interfaceModernization and digital transformation2%2%2%2%6%6%10%17%8%18%20%23%33%39%39%39%40%29%29%20%2%2%6%25%19%69%73%0%0%0%0%0%6%6%6%1���9%57%27%33%38%2%2%2%0%2%4%4%8%25%25%24%27%33%43%44%15%35%41%38%13%2022 Deloitte-NASCIO Cybersecurity Study25Cyber operationsSources:2
145、022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 34CISOs top cybersecurity initiatives for 20222�������3 show decline in both risk assessments and enterprise identity and access managementIdentify your stat�������es top five cybersecurity initiatives for 2022
146、23.2020 2022Cybersecurity strategyMultifactor authenticationRisk assessmentsEndpoint detection and responseEnterprise identity and access management29%27%25%25%23%N/A-o�������ption������ was not included in 202028%26%34%42%Sources:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity St
147、udy.Deloitte Insights| 35Most states are performing periodic assessments of their cyber incident war gaming,business continuity,and election security exercisesHow often does your state perform the following cybersecurity a�������ssessments?2020 2022Disaster����� recovery exercises and testsAnnuallyAd hocSecurit
148、y events monitoring/security operations centerMonthlyAd hocCyb��������er incident simulation war gaming and business continuity exercisesAnnuallyAd hoc63%54%13%24%52%65%21%22%52%2������7%44%29%26%38%30%31%AnnuallyAd hocElection security assessment/readinessState cybersecurity in a heightened risk environment26Sou
149、rces:2022 Deloitte-N�������ASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 36Many states are outsourcing cybersecurity functions,in��������cluding security operations center and forensic/legal support What cybersecurity functions does your state outsource(partially/complet
150、ely)?(Please select all that apply.)2020 2022Security operations center(including 7x24x365 monitoring)Forensics/legal supportCyberthreat risk ass������essmentsSecurity events/audit-log analysis and reportsIncident responseCyberthreat management servicesNetwork security and perimeter defense 52%42%40%40%38
151、%31%27%60%33%31%25%20%21%29%30%2022 Deloitte-NASCIO Cybersecurity Study27Cybert�����hreatsSources:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO ������Cybersecurity Study.Deloitte Insights| 37Malware/ransomware and phishing continue to be top threats,with foreign state-sponsored espionage ri
152、sing significantlyHow much of a threat do each of the following cyberthreats in the coming fiscal year pose to your state?Very high and somewhat higher threat(combined).2020 2022Malware/ransomwarePhishing,pharming,and other related variantsForeign state-sponsored espio���nageIncreasing sophistication a
153、nd proliferation of threatsSocial engineeringSecurity breaches involvin���g third parties Exploits of vulnerabilities from unsecured codeExternal financial fraud involving information systemsExploits����� of vulnerabilities in endpoint devices75%67%85%70%54%52%46%44%38%35%33%58%69%60%54%48%33%43%60%30%Sourc
154、es:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cybersecurity Study.Deloitte Insights| 38CISOs reported a variety of causes behind data breaches and cybersecurity incidentsWhich of the following are the leading causes for data breach/incide��nts in y�����our state over the past 12 mont
155、hs?2020 2022Web applicationsMalicious code(e.g.,viruses/worms/spyware/malware/ransomware)Financial fraud involving information systemsElectronic attac����k(e.g.,hackers)Zero-day attacksForeign state-sponsored espionage33238302012����11State cybersecurity in a heightened risk environment28Appendix
156、Survey methodologyTHE 2022 Deloitte-NASCIO Cybersecurity S��������tudy uses survey responses from:US state enterprise-level CISOs,who answered 66 questions designed to characterize the enterprise-level strategy,governance,and operation of security programs.Participation was high:53 states and territories re
157、sponded.Figures 39 illustrates the CISO participants demographic profile and that of their states.For better readability,we have included relevant and select responses in the charts.Hence,the percentage totals may not equal to 100%.The survey gave r�����espondents the opportunity to add additional commen
158、ts when they wanted to further explain an“N/A”or“other”response.A number of participants provided such comments,offering further insight into the analysis.Sources:2022 Deloitte-NASCIO Cybersecurity Study and 2020 Deloitte-NASCIO Cyberse������curity Study.Deloitte Insights| or equivalentCIO or equivale����nta
159、Others65,000 to15,00015,001 to25,00025,001 to75,00075,000N/A|Dont know12%13%17%18%13�������%24%52%47%4%0%Number of state government employees(excluding higher-education employees)Approximate annual state budget for current budget year(US$)110 billion1125 billion2650 billionMore than 50 billionN/A|Dont know
160、27%14%10%21%20%19%23%8%28%30%2020 vs.20222020 vs.2022FIGURE 39Survey methodologySurvey-respondent job titles2022 Deloitte-NASCIO Cybersecurity Stu�����dy291.Amrita Datar et al.,Government can win the talent raceHeres how,Deloitte Insights,May 23,2022.2.National Association of State Budget Officers,“The f
161、iscal survey of states,”accessed September 6,2022.3.White House,Internet technology and cybersecurity funding,accessed September 6,2022.The authors would like to thank the NASCIO and Deloitte professionals who helped to develop the survey and execute,analyze,an�����d create the report.On the behalf of NA
162、SCIO,they would like to thank executive director Doug Robinson,program director of innovation and emerging issues,Amy Glasscock,CIPM,and all CISOs who participated in the 2022 survey.From Deloitt����e,the authors would like to thank subject-matter specialists Mike Wyatt and Clayton Frick of Deloitte&Tou
163、che LLP;and John OLeary of Deloitte Services LP.In addition,they would also like to thank the Deloitte survey team for data analysis,and benchmarks,including:Bharane Balasubramanian,Bharath Cha������������ri,and Julia Slattery of Deloitte&Touche LLP;and Sushumna Agarwal,Thirumalai Kannan,and Apurba Ghoshal of D
164、eloitte Services LP.Lastly,the authors would also like t������o thank the marketing and writing team including Allison Malewig from Deloitte Services LP and writer Catherine Yan��������g.AcknowledgmentsEndnotesState cybersecurity in a heightened risk environment30About Deloitte CyberDeloitte Cyber helps organizat
165、ions manage ������cyber risk and create value through enhanced security,visibility,and privacy.Our program design,implementation,operation,and response services,coupled with our deep industry and mission knowledge,help our clients protect and defend their most valuable asset����s,facilitate secure digital tra
166、nsformation efforts,and adapt rapidly to emerging threats.About the Deloitte Center for Government InsightsThe Deloitte Center for Government Insights shares inspiring stories of government����� innovation,looking at whats behind the adoption of new technologies and management practices.We produce cuttin
167、g-edge research that guides public officials without burying them in jargon and minutiae,crystallizing essential insights in an easy-to-absorb format.Through research,forums,and immersive workshops,our goal is to provide public officials,policy������� professionals,and members of the media with fresh i������nsig
168、hts that advance an understanding of what is possible in government tr����ansformation.About the National Association of State Chief Information Officers(NASCIO)Founded in 1969,the National Association of State Chief Information Officers(NASCIO)represents state chief information officers(CIOs)and inform
169、ation technology(IT)executives and managers from the states,territories,and District of Columbia.NASCIOs mission is to foster government excellence through quality business practices,information �����management,and tec������hnology policy.NASCIO provides state CIOs and state members with products and services
170、designed to support the challenging role of the state CIO,stimula������te the exchange of information and promote the adoption of IT best practices and innovations.From national conferences to peer networking,research and publications,briefings,and government affairs,NAS�������CIO is the premier network and reso
171、urce for state CIOs.For more information,visit www.nascio.org.2022 Deloitte-NASCIO Cybersecurity Study31Contact usMeredith WardDirector of Policy and Research|NASCIO+1 859 514 9209|mwardnascio.orgSrini SubramanianPrincipal|Global Indust�����ry leader|Risk Advisory|Government and Public ServicesDeloitte&T
172、ouche LLP+1 717 651 6277|Mike WyattPrincipal|Cyber Identity|Risk Advisory|Government and Public ServicesDeloitte&Touche LLP+1 512 226 4171|Julia SlatterySpecialist leader|Cyber&Strategic Risk|Risk Advisory|G�����overnment and Public ServicesDeloitte&Touche LLP+1 804 343 8549|William D.EggersExecutive d������ir
173、ector|������Deloitte Center for Government Insights|Deloitte Services LP+1 571 882 6585|State cybersecurity in a heighte�������ned risk environmentAbout Deloitte InsightsDeloitte Insights publishes original articles,reports and periodicals that provide insights for businesses,the public sector and NGOs.Our goal
174、is to draw upon research and experience from throughout ou�����r professional services organization,and that of coauthors in academia and business,to advance the conversation on a broad spectrum of topics of interest to executives and government leaders.Deloitte Insights is an imprint of Deloitte Develop
175、ment LLC.Abo������ut this publication This publication contains general information ����only,and none of Deloitte Touche Tohmatsu Limited,its member firms,or its and their affiliates are,by means of this publication,rendering accounting,business,financial,investment,legal,tax,or other professional advice or s
176、ervices.This publication is �������not a substitute for such professional advice or services,nor should it be used as a basis for any decision or action that may affect your finances or your business.Before making any decision or taking any action that may affect your����� finances or your business,you should c
177、onsult a qualified professional adviser.None of Deloitte Touche Tohmatsu Limited,its member firms,or its and thei������r respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication.About Del�����oitteDeloitte refers to one or more of Deloitte Touche
178、 Tohmatsu Limited,a UK���� private company limited by guarantee(“DTTL”),its network of member firms,and their related entities.DTTL and each of its member firms are legally separate and independent entities.DTTL(also referred to as“Deloitte Global”)does not provide services to clients.In the United Stat
179、es,Deloitte refers to one or more of the US member firms of DTTL,their related entities that operate using the“Deloitte”name in the United States and their respective affiliates.Certain services may not be available to attest clients under������ the rules and regulations of public accounting.Please see to
180、 learn more about our global network of member firms.Copyright 20������22 Deloitte Development LLC.All rights reserved.Member of Deloitte Touche Tohmatsu LimitedDeloitte Insights contributorsEditorial:Abrar Khan,Emma Downey,Arpan Kumar Saha,a�������nd Aishwarya IyerCreative:Sofia Sergi,Swagata Samanta,and Molly WoodworthAudience development:Maria Martin Cirujano,Kelly Cherry,and Nikita GariaCover artwork:Sofia SergiSign up for Deloitte Insights updates at DeloitteInsight
sgpjbg002
工作日 8:30 - 17:30
报告分类
