State CISOs Are Losing Confidence, Biennial Report Finds

The report, a joint effort of the National Association of State CIOs and Deloitte, surveyed cyber leaders in all 50 states. The findings: Slower funding, loss of federal support, and AI are making the job harder.

From left to right: Meredith Ward, deputy executive director of NASCIO; John Godfrey, CISO for the state of Kansas; Anthony O'Neill, Massachusetts CISO and chief risk officer; and Mike Wyatt, partner and principal at Deloitte, discussing the Deloitte-NASCIO survey of state cyber leaders at the 2026 Midyear Conference in Philadelphia.
Government Technology/David Kidd
PHILADELPHIA — Things are not looking good in the land of cybersecurity: As AI threats loom, budgets falter and responsibilities increase, cyber leaders in state government are getting nervous.

That was the main takeaway from the biennial cyber report released Monday by the National Association of State CIOs (NASCIO) and Deloitte, which includes survey responses from cyber leaders in all 50 states. The report was released during NASCIO's Midyear Conference in Philadelphia.

The worries were perhaps best summed up in this statistic: The number of CISOs who said they were “very” or “extremely” confident in their ability to protect data dropped from 48 percent in 2022 to 22 percent in 2026.

“The cyber threat landscape is not improving — at all,” said Mike Wyatt, partner and principal at Deloitte, during the conference.

Tied into this were a host of specific concerns. At the top of that list: a “bleak” budget picture in many states. Eight states reported shrinking cyber budgets, a phenomenon that was absent in 2024’s report. While substantial budget increases were common last time, more than half the states in 2026 reported flat cyber budgets or only small increases.

Speaking during a breakout session, Michigan Chief Security Officer Rex Menold said framing cyber funding in terms of business risk helps lawmakers understand its importance.

“Ultimately it comes down to we’re trying to lower risk for you, the people in the state of Michigan, and you represent them,” he said. “So we want you to understand when you’re making decisions — frankly, business decisions — how that impacts our state, how you impact my township.”

Reduced federal support likely played a role here; since Donald Trump’s second inauguration, the government has scaled back state and local governments’ cyber resources. Notably, this included transitioning the Multi-State Information Sharing and Analysis Center (MS-ISAC) to a membership model. Accordingly, fewer CISOs said they were relying on MS-ISAC, the National Guard or the Department of Homeland Security as partners.

More are turning inward, with the “whole-of-state” model continuing to gain traction. This involves states acting as a central agent for security for local governments, and often education institutions and others as well. Enterprise security operations centers (SOCs), now nearly universal at the state level, are one type of support CISOs are offering to those smaller entities.

Indeed, an agreement is emerging among many CISOs that their offices need to expand their presence with local and state agencies to best protect data and systems. Seventy-three percent of respondents said a centralized cybersecurity model was best for their state, and none of them said they were “very confident” in local governments’ cybersecurity practices.

Those worries are especially urgent for critical infrastructure such as health care and power, where a cyber attack might cause unnecessary deaths. John Godfrey, CISO for the state of Kansas, said during the conference that he’s brought together a critical infrastructure cyber group that meets regularly to help them plan for such incidents.

“Even though I don’t directly have authority to tell them exactly what to do, we’re trying to take the other approach here, which is community building, information sharing, building skills and knowledge, bringing people together, having [the ability] to phone a friend if you need it, helping them develop plans and response capabilities under the mandatory statewide reporting that they’re required to follow anyway,” he said.

As funding has slowed, the report found that CISOs are being asked to do more than ever. Aside from handling security for the entire enterprise, and sometimes local governments and education, and sometimes courts and legislatures as well, they are taking on more tasks. Every single respondent said they now offer strategy, governance and risk management as well as security management and operations, both of which were not universal in previous reports. Nearly all said they were handling incident response and networks and infrastructure, both of which have increased too.

Almost all are involved in setting security policies for AI, as well as planning how to use it to bolster their security. With confidence waning and adversaries becoming more sophisticated, one respondent said that automation will become necessary to head off attacks — even before checking in with partners about whether to take action.

“In order for us to keep pace with the attackers, we are going to have to learn to trust automation so that we can automatically take remediation actions first and then involve people to review what actions took place,” said the anonymous respondent. “We can no longer wait for approval from an entity to take action.”

Though the overall picture was troubling, there were silver linings in the report. While CISOs expressed slightly less confidence in protecting against AI threats, the number listing such threats as top concerns fell. And on the workforce front, only 22 percent of respondents listed a lack of cyber talent as a top-five concern, down from 50 percent four years ago.

However, CISOs also stressed that their staff have fewer of the job’s required competencies than they did two years ago; whether that is because attacks have changed or for other reasons is unclear.

Among the report’s other findings:
  • One-fifth of states are moving forward with a whole-of-state approach.
  • The top three barriers to cybersecurity were legacy infrastructure, increasing sophistication of attacks and insufficient funding.
  • Concerns about third-party breaches and phishing increased, while concerns about malware, AI-enabled threats and state-sponsored attacks decreased.
  • The top initiatives growing among cyber agencies were establishing effectiveness metrics, zero-trust frameworks, SOCs and identity and access management.
  • More than two-thirds of CISOs now deal in the adoption of emerging technology, up from 43 percent in 2024.
  • More CISOs are outsourcing incident response, continuous monitoring and forensics and legal efforts tied to breaches. Fewer are outsourcing pre-incident services such as SOCs, network security and vulnerability management.
Ben Miller is the associate editor of data and business for Government Technology. His reporting experience includes breaking news, business, community features and technical subjects. He holds a Bachelor’s degree in journalism from the Reynolds School of Journalism at the University of Nevada, Reno, and lives in Sacramento, Calif.