This famous quote, from the opening of A Tale of Two Cities by Charles Dickens and written in 1859, could well describe the state of government technology and cybersecurity in mid-2026. As I attended sessions and networked with state CIOs and CISOs over the past week, I saw that there is a wide gap in the level of hope between different state leaders.
From the opening Corporate Member Exchange Meeting to the State Meet and Greets session to coverage of the NASCIO-Deloitte Cybersecurity Study, everyone was talking about how state CISOs (and CIOs) are losing confidence in their ability to stop and recover from cyber attacks against their governments.
Here are some of my notes from meetings and conversations with CIOs and CISOs:
- Their governor’s support is high. But how do we measure cyber success? Lowered incident response from six days to 10 minutes. Fear of “double-bubble” — how can we eliminate the old tools? We don’t want to pay for tools twice.
- Some states, like Texas, have a well-funded new Cyber Command organization.
- Other states are seeing major budget cuts across the board. Not backfilling when people leave. Tightening belts. Must show cost savings. Hard savings needed.
- Leaders are hoping SLCGP Cyber Grants are renewed. Also discussions on next steps for the MS-ISAC, which I will cover in a late June blog.
- One state dealt with three ransomware attacks with locals in the past few months.
- All states are working on AI projects. Most are using an outcome-focused approach, looking for real downstream impact and asking how their AI projects work with improving or replacing existing systems. AI governance is top of mind for CIOs and CISOs.
- A lot of discussions about the recent developments with Anthropic’s Project Glasswing and Claude Mythos, along with other new AI developments and the impact on government cybersecurity.
NASCIO-DELOITTE CYBERSECURITY STUDY
The full 2026 NASCIO-Deloitte Cybersecurity Study can be downloaded here for free, and this year’s study includes insights from the CISOs of all 50 states, the District of Columbia and the U.S. Virgin Islands.
Here are the five major themes outlined by Meredith Ward of NASCIO and Mike Wyatt from Deloitte:
- “Facing an evolving threat landscape: Rapid advances in attack sophistication are challenging state CISOs, with AI viewed as both an emerging threat vector and a powerful tool for cyber defense.
- Getting future-ready: CISOs are adopting new tools and regulatory frameworks to meet the evolving technology landscape.
- Looking at whole-of-state cybersecurity: The survey points to a growing interest in centralized state support for the cybersecurity efforts of local governments, public education and critical infrastructure.
- The expanding CISO role: The proliferation of AI and generative AI (GenAI), as well as a growing appreciation of the need to safeguard public data, is bringing new responsibilities to the CISO role.
- Dealing with a resource crunch: Compared with recent survey cycles, CISOs tell us that their funding shortfalls are growing more dire, while continuing to face challenges around maintaining a cyber workforce with the needed skills.”
The “bad and ugly” parts, unfortunately, come in the next section of the joint biennial report, highlighting the “key takeaways”:
- “As threats become more sophisticated, far fewer CISOs expressed confidence in their ability to secure public data. The percentage of CISOs who characterized themselves as ‘extremely’ or ‘very confident’ has dropped dramatically, from 48 percent in 2022 to 22 percent in 2026 (figure 1).
- CISOs are significantly less confident in the ability of local government and public higher education to secure public data. The percentage of CISOs who described themselves as ‘not very confident’ in these entities rose significantly, from 35 percent in 2022 to 63 percent in 2026 (figure 2). This lack of confidence may explain why roughly one-fifth of CISOs indicated that their states were moving forward with a whole-of-state approach to cybersecurity.
- Generative AI also represents an area of increased responsibility, with 94 percent of CISOs indicating that they are actively involved with the development of GenAI security policies (figure 8).
- CISOs overall reported a rapidly deteriorating budget picture. In the 2026 survey, only 22 percent of CISOs reported a budget increase of 6 percent or more, down from 40 percent in 2024. Perhaps more concerning, 16 percent of CISOs reported reductions to their budgets in this survey, compared with none in 2024 (figure 21).
- Looking into the future, CISOs indicated their top three barriers to meeting cybersecurity challenges were: legacy infrastructure, increasing sophistication of threats and insufficient funding for cybersecurity (figure 7).”
OTHER HOT NASCIO MIDYEAR TOPICS
There were many other topics of discussion (cyber and otherwise) at the NASCIO Midyear Conference, and here are some of the GovTech articles that flowed from the event:
- How Trust Guided Nevada Through Its Cyber Incident: At the 2026 Midyear Conference of the National Association of State CIOs, Nevada CIO Tim Galluzi looked back on last year’s breach and how the relationships he built before the incident played a part.
- Pennsylvania CISO Prioritizes Proactive Risk Management: Andy Ritter took the reins as Pennsylvania’s new CISO earlier this year after nearly a decade supporting cybersecurity and risk management. As CISO, he is focused on constituent outcomes.
- Indiana Rolls Out GenAI for All State Staff — and Leadership: CIO Warren Lenard describes how Indiana has made Microsoft Copilot available for any state employee who wants it, and a key part of the program is training. That training also extends to cabinet-level secretaries.
- An AI ‘Magic Moment’ Accelerates IT Development in Utah: Utah’s Director of AI Christian Napier on how piloting Claude Code at state agencies boosted developer productivity, saving 40 hours of work over a four-week period.
- ‘Tremendous Change’ for Colorado’s IT Department: CIO David Edinger describes a major restructuring of IT in Colorado aimed at flattening the organization and getting closer to the agencies it serves.
FINAL THOUGHTS
I realize that this piece is pretty depressing to read and comes across as a negative outlook for Government Technology readers and wider cyber initiatives in states.
Nevertheless, the networking camaraderie, relationships and coming together for a common set of government causes were also very evident throughout the conference.
There are now a record number of corporate members within NASCIO at over 280 companies (and some say too many members, which is a problem to be considered). But these numbers also show the interest and focus on government solutions and reshaping the people, processes and technology for the public sector — again.
I’ll end this blog with a more optimistic quote commonly attributed to C.S. Lewis: “You can’t go back and change the beginning, but you can start where you are and change the ending.”