NASCIO-Deloitte Survey: Only 26% of State CISOs Confident in Ability to Protect Data

State CISO Confidence Plummets as AI Threats Rise and Budgets Fall, Survey Finds

INFORMATIONAL
April 27, 2026
Policy and Compliance, Regulatory, Threat Intelligence

Executive Summary

A new biennial survey from the National Association of State CIOs (NASCIO) and Deloitte reveals a stark decline in confidence among U.S. state and territorial chief information security officers (CISOs). The 2026 study found that only 26% of state CISOs are highly confident in their ability to protect state government data, a dramatic drop from 48% in 2022. This erosion of confidence is attributed to a 'perfect storm' of rapidly advancing threats, particularly those powered by Artificial Intelligence (AI), coupled with stagnant or decreasing cybersecurity budgets. As a result, CISOs are pivoting their strategic priorities towards metrics and demonstrating program effectiveness to secure necessary resources.

Regulatory Details

The survey polled top cybersecurity officials from all 50 states, Washington D.C., and two territories, providing a comprehensive view of the challenges facing public sector security leaders. The findings highlight a growing gap between the capabilities of threat actors and the resources available to state defenders.

Key Findings:

  • Confidence Collapse: High confidence in protecting state data fell from 48% (2022) to 26% (2026).
  • Budgetary Pressure: Only 23% of CISOs reported significant budget increases, down from 40% in 2024. Alarmingly, 16% reported budget cuts, a phenomenon not seen in the 2024 survey.
  • Emerging Threats: CISOs identified AI-powered attacks, including sophisticated ransomware-as-a-service and deepfakes, as a top concern, noting the 'blistering pace' of new attack development.
  • Shifting Priorities: In response, the top cybersecurity initiative for 2026 is 'implementation of effectiveness metrics' (49% of CISOs), as leaders seek to quantitatively justify their programs and budget needs.

Affected Organizations

The study's findings are relevant to all U.S. state and territorial governments. Furthermore, the lack of confidence extends to the broader public sector ecosystem. 63% of state CISOs reported being 'not very confident' in the security of local government and public higher education data, up from 35% in 2022. This indicates a systemic risk across the public sector, not just at the state agency level.

Compliance Requirements

While the report doesn't detail specific compliance mandates, it underscores the pressure CISOs face to meet various federal and state regulations with limited resources. The shift towards a 'whole-of-state' cybersecurity approach, mentioned by 20% of states, suggests a move towards more centralized compliance and security service delivery to local governments and schools, aiming to raise the baseline security level for all public entities.

Impact Assessment

The declining confidence and budget constraints have significant real-world implications. Underfunded and under-resourced state cybersecurity programs are less able to defend against sophisticated nation-state actors and organized cybercrime groups. This increases the risk of:

  • Disruption of Public Services: Successful attacks on state agencies can disrupt essential services for citizens, from DMV operations to unemployment benefits.
  • Data Breaches: States hold vast amounts of sensitive citizen data (PII, PHI), making them attractive targets for data theft and fraud.
  • Erosion of Public Trust: High-profile security failures can erode citizens' trust in government institutions.

The focus on metrics is a double-edged sword. While it can help secure funding, it also puts immense pressure on CISOs to demonstrate ROI, which can be challenging in cybersecurity where success is often the absence of incidents.

Compliance Guidance

Based on the report's findings, state and local government IT leaders should consider the following actions:

  1. Develop a Metrics-Driven Program: Align with the top priority identified by CISOs. Develop a framework of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that translate technical security data into business risk language that legislators and budget committees can understand.
  2. Advocate for 'Whole-of-State' Models: Collaborate with state-level officials to explore shared security services. This can provide smaller, less-resourced local governments and school districts with access to advanced security capabilities they could not afford on their own.
  3. Focus on AI in Defense: As adversaries leverage AI for attacks, defense strategies must also incorporate AI and automation for threat detection, response, and security operations efficiency.
  4. Prioritize Foundational Hygiene: Despite budget cuts, continue to focus on fundamental security controls: asset management, patch management, access control, and network segmentation. These provide the most significant risk reduction for the cost.

Timeline of Events

  1. January 1, 2022: Previous NASCIO-Deloitte survey found 48% of state CISOs were highly confident.
  2. April 27, 2026: The 2026 NASCIO-Deloitte survey is released, showing CISO confidence has dropped to 26%.
  3. April 27, 2026: This article was published.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISO, NASCIO, Deloitte, Cybersecurity Leadership, Budget, AI, Government, Public Sector
