Hiring for a CISO-level position can often take six months or more, and given CISOs’ short average tenures, “for a four-year cycle, you are almost saying that for a good portion of the time there may not be a CISO in the state,” Srini Subramanian, Deloitte global consulting services leader for government and public services, said Monday during the 2024 NASCIO Annual Conference.
States are also changing what they expect from their cybersecurity leaders, per the report. Many CISOs now have privacy responsibilities, whether that’s by overseeing chief privacy officers or handling both roles themselves. Eighty-six percent of states have CISOs handling privacy, a significant leap from the 60 percent who did the same in 2022.
As CISOs eye the challenges ahead, many are concerned about hackers using AI-assisted attacks — a threat 71 percent said is “very” or “somewhat” high.
At the same time, CISOs see opportunities to use generative AI to support their own security work, with 41 percent currently using the tech and 43 percent intending to within 12 months. And security can be a natural use case for generative AI, because cyber teams already have lots of data they record, centralize and “groom” to be ready for use, so it’s just one more step to run it through an AI engine to search it for abnormalities, Virginia CISO Mike Watson said during a conference panel.
Promisingly, most CISOs are involved in helping develop their state’s generative AI strategy and policy. But, ideally, more CISOs would be part of the procurement process too, so they can ensure security is accounted for and funded from the get-go, NASCIO Deputy Executive Director Meredith Ward said during the panel.
The CISO position is one that can remain vacant for a half-year or more, so those holding the title now should turn an eye to succession planning. That is a difficult task, however. For one, CISOs may come to require a different skill set than that held by the rest of their departments or teams, New Hampshire CISO Ken Weeks said during the panel. And anyone training up with the CISO job specifically in mind would have no guarantee of a position opening.
“Succession planning is hard because most states’ civil service programs are not conducive to that,” Weeks said. “… you can’t necessarily replace me until I’m gone.”
Weeks advocated for having “a fungible workforce” that welcomes people moving easily between the public and private sectors and back; and Ward praised Massachusetts’ internship program for new graduates that has seen many interns go on to work for the state.
Training and upskilling existing staff is important, too, with the report finding only 47 percent of CISOs saying their workforce has all the needed competencies.
It’s especially hard for states’ cyber teams to get around-the-clock staffing, which could be why many CISOs supplement with third-party support. That includes the 76 percent of CISOs who use outsourced security operations centers with 24/7 monitoring. Outsourcing may not always be an easy decision, however, with about a quarter of CISOs “not very confident” in the cybersecurity practices of their business partners, contractors and service providers.
And CISOs were wary of how third parties like local government and higher education fared on cybersecurity, too, the report said. In the coming fiscal year, cyber threats involving third parties will increase “somewhat,” according to 39 percent of CISOs, and will be a “very high” threat, according to 33 percent.
To better tackle such concerns, CISOs can seek more information on contractors’ cybersecurity practices, including their training and oversight measures, and can reach out to local governments and public higher education about best practices.
With temporary pandemic relief funds drying up, budgets are again a concern for CISOs. Only 51 percent said they have “adequate” funding needed to meet legal and regulatory requirements, down from 58 percent saying the same two years ago. Nearly 40 percent of states lack a dedicated cybersecurity budget line item, instead funding it from the overall IT budget. Uncertainty over how much money will be available can make planning hard.
While the State and Local Cybersecurity Grant Program was a promising idea, some CISOs said the money simply wasn’t enough to make a difference or to outweigh the administrative burden of handling the grant. Some also said the rules attached limited how useful the funds could be.
And while one-time and limited-time funding infusions can help, above all, CISOs need a reliable stream of recurring funding to tackle the continuous threats they face.
“Grants are a pain in the neck. It’s a lot of admin and overhead,” Weeks said. “The federal government needs to create something similar to highway funds for cyber: it’s just as important to infrastructure, and, until there’s a sustained, systemic way to do this, all of us are going to be winging it year to year based on begging.”