Extreme budget cuts across state governments put vital data and personal
information at risk, which means state chief information security officers
(CISO) must make cyber-security an immediate priority, according to a new study
by Deloitte and the National Association of State Chief Information Officers
The survey, State
Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust,
found that 79 percent of state CISOs report stagnant or slashed budgets, a
serious problem that stifles their ability to adequately handle growing internal
and external threats.
“Unprecedented budgetary cuts across state
governments and growing reliance on contractors and outsourced IT services are
creating an environment that is even harder to secure,” said Utah CIO Steve
Fletcher, the outgoing president of NASCIO, in a release.
continue to utilize technology to store data, manage workflow and improve
efficiency, concerns about protection and privacy remain a challenge for IT
officials, from the federal level on down. Last December, President Barack Obama
appointed the nation’s first cyber-security chief, Howard
Schmidt. And a proposed bill on Capitol Hill would give the president the
power to declare a national cyber-emergency in the case of a huge network
States, of course, have their own cyber-battles to fight, but as
the report highlights, many CISOs need to enhance their strategies and expand
their resources if they want to be successful against threats.
state CISOs lack the visibility and authority to effectively drive security down
to the individual agency level,” said Srini Subramanian, director of Deloitte, a
leader in state government security and privacy services, in a statement. “At
the federal level, the president has recognized the critical nature of the
problem and appointed a cyber-security coordinator to address it; it’s
imperative that governors and state legislative leaders make cyber-security a
Based on responses from 49 states, the Deloitte-NASCIO report
identifies the lack of funds, programs and resources as weak spots in
public-sector cyber-security efforts, especially when compared to private-sector
enterprises. Key findings from the survey include:
- Governance: CISOs must continue to evolve this position to garner enterprise
visibility, authority, executive support and business involvement.
- Strategy: More states are embracing strategic planning as part of their
cyber-security approaches and converging on the National Institute of Standards
and Technology (NIST) risk assessment framework for strategic alignment. But
without compliance audit and enforcement mandate at the federal level,
compliance to the NIST framework is less likely.
- Budget: With the economy impacting state budgets, the gap between public and
private sector continues to expand. As noted, a lack of adequate funding for
governments intensifies cyber-security weaknesses.
- Internal and External Threats: With threats to personally identifiable
information and personal health information on the rise, states must work to
prevent internal breaches while protecting data from outside security
- Security of Third-Party Providers: States must improve security management
when it comes to contractors, managed service providers and other third parties
that deliver sensitive and critical constituent services.
“State CISOs and CIOs recognize the threats and realize all government
leaders need to be better informed on the risks,” said Doug Robinson, executive
director of NASCIO. “It’s clear CISOs have tough jobs without adequate
resources. A staggering 88 percent of respondents mention lack of sufficient
funding as a major barrier to effectively addressing information
Based on the findings, Deloitte and NASCIO offer
recommendations that state CISOs might use to help bridge some of these gaps:
partnerships within state government, executable strategies, ideas for
standardization and tips for better preparing staff, to name a few.