Budget Cuts, Workforce Woes, and AI: Unmasking the Cybersecurity Threats to State Agencies

A recent Deloitte & Touche survey highlights ongoing challenges faced by Chief Information Security Officers (CISOs) in state governments across the United States. Many officials report insufficient budgets, resources, and staff, leading to a lack of confidence in their ability to protect government networks from cyberattacks.

Srini Subramanian, a principal at Deloitte, emphasized the growing complexity of securing government technology. “The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself,” he stated. The survey, part of a biennial cybersecurity report, details new threats and the vulnerabilities that tech teams encounter.

As governments increasingly depend on digital infrastructure—such as servers and the Internet of Things—more opportunities for cyberattacks arise. Additionally, the rise of artificial intelligence (AI) is enabling criminals to exploit vulnerabilities, streamlining phishing attacks and facilitating deep fake technology.

Despite these threats, there is some optimistic news. CISOs are increasingly recognized in government tech teams, with new laws being introduced in several states to strengthen their authority. However, the survey also indicates that many CISOs lack adequate resources to address both existing and emerging cyber threats effectively.

Nearly 40% of respondents reported insufficient funds for projects that meet regulatory requirements, and less than half are aware of what portion of their state’s IT budget is allocated for cybersecurity initiatives. Staffing shortages have also been noted, with around half of CISOs indicating that they do not have enough personnel to address their cybersecurity needs.

The turnover rate among CISOs has seen a troubling rise, exacerbated by burnout and increased responsibilities. Nearly half of all states have experienced turnover since the last survey, with the median tenure now at just 23 months.

Generative AI is emerging as both a threat and an asset. While 71% of CISOs view it as a significant cybersecurity risk, many are actively exploring its potential to enhance security operations. Currently, 21 states are utilizing some form of AI, and another 22 states anticipate adopting it in the coming year.

In response to these multifaceted challenges, the report suggests that tech departments could collaborate with government partners, creatively work to increase budgets, diversify recruitment efforts, and promote the strategic role of CISOs in modernizing government operations.