Although nearly one-half (48 percent) of all state CISOs reported incremental increases to cyber security budgets, insufficient funding remains the leading barrier to battling cyber threats, according to the 2014 Deloitte-National Association of State Chief Information Officers (NASCIO) cybersecurity study.
The third biennial Deloitte-NASCIO survey of CISOs and their equivalents also reveals an increasing sophistication of cyber threats and inadequate availability of cyber security resources as other top barriers to achieving adequate cyber security measures within state governments.
Three-quarters (75 percent) of the respondents cited lack of sufficient funding as their top barrier and 46 percent estimated security budget to be only between 1 and 2 percent of the overall technology budget. Approximately 6 in 10 (61 percent) CISOs cited an increase in sophistication of threats, up from roughly half (52 percent) in 2012. The number citing a shortage of qualified cybersecurity professionals jumped from 46 percent in 2012 to 59 percent in 2014.
“State CISOs and CIOs are dealing with a myriad of complex issues related to cybersecurity – budget, increasing threat sophistication, talent and stakeholder communication,” said Srini Subramanian, who leads Deloitte & Touche LLP’s Cyber Risk Services offering to the state government sector. “The role of the CISO itself has matured and expanded – they are charged to do a lot, with inadequate resources.”
Ironically, another challenge cited in the report is a continued discrepancy in the confidence levels of state cyber security among CISOs and state officials. An accompanying survey of state business officials found that 60 percent had high levels of confidence in states’ ability to protect and defend against external cyber threats. Only one-quarter (25 percent) of state CISOs expressed a similar level of confidence.
“State business leaders need to play close attention and have a better understanding about the gravity of the situation. We believe that this gap significantly undermines a CISO’s ability to gain funding and support for cybersecurity programs. Communicating the cybersecurity risks and potential impact to the business and elected state leaders will likely help elevate the issue,” Subramanian noted. “But despite continuing challenges, CISOs are standardizing security practices, launching broad-based awareness campaigns, and looking for ways to attract the right talent to join them in their fight against cyber threats and protecting states’ critical infrastructure.”
Overwhelmingly, 9 in 10 (90 percent) CISOs point to the salary and pay grade structures states offer as one of the most substantial barriers to attracting and retaining skilled cybersecurity professionals. State cybersecurity professionals are also leaving for private sector careers (71 percent), and more than two-thirds (67 percent) cite lack of defined cybersecurity career paths and opportunities at the state-level.
“The survey provides a sobering assessment of continuing challenges of budget, talent and evolving nature of cyber threats,” said Doug Robinson, chair of NASCIO. “A key challenge facing states is how to both focus on the immediate need of securing their ecosystems against imminent threat while maturing their cybersecurity program that covers protection, early detection/containment and ability to bounce back from incidents.”
Key findings include:
Maturing role of the CISO: State CISO role continues to gain legitimacy in authority and reporting relationships. The responsibilities of the position are becoming more consistent across states, yet expanding. CISOs today are responsible for establishing a strategy, execution of that strategy, risk management, communicating effectively with senior executives and business leaders, complying with regulators, and leading the charge against escalating cyber threats using various security technologies.
Budget-strategy disconnect: The improving economy and states’ growing commitment to cybersecurity have led to an increase – albeit small – in the budgets. CISOs have also been successful at tapping supplemental resources, whether from other state agencies, federal funding, or various agency and business leaders. Nevertheless, budgets are still not sufficient to fully implement effective cybersecurity programs – it continues to be the top barrier for state CISOs. In addition, survey responses show that there may be additional barriers to implementing successful initiatives: namely the lack of well-thought-out and fully vetted cybersecurity strategy and priorities.
Cyber complexity challenge: State information system house a wide range of sensitive citizen data, making them especially attractive targets for cyber-attacks. CISOs are concerned about the intensity, volume and complexity of cyber threats that run the gamut from malicious code to zero-day attacks. They need to stay abreast of existing and developing threats to establish and maintain the security of an information environment that now increasingly extends from internal networks to the cloud and mobile devices. State officials appear more confident than CISOs in the safeguards against external cyber threats, perhaps a result of ineffective communication of risks and impacts.
Talent crisis: The skill sets needed for effective cybersecurity protection and monitoring are in heavy demand across all sectors. Private sector opportunities and salaries are traditionally better that those offered by government. Not surprisingly, state CISOs are struggling to recruit and retain people with the right skills, and they will need to establish career paths and find creative ways to build their cybersecurity teams. Furthermore, as states turn to outsourcing and specialist staff augmentation as a means to bridge their cybersecurity talent gap, it’s imperative for CISOs to manage third-party risks effectively.