Dive Brief:
- Statewide chief information security officers are losing confidence in their ability to manage cyber risk amid a rising threat landscape and declining resources, according to a study released Monday by Deloitte and the National Association of State Chief Information Officers.
- About one-quarter of statewide CISOs said they were “extremely” or “very” confident that state assets were protected from cyber threats in the current survey. In 2022, nearly half of respondents said so.
- CISOs also reported rising concerns about the ability of local governments and higher education institutions to secure public data. Almost two-thirds of respondents said they were “not very confident,” compared with 35% in 2022.
Dive Insight:
The growing concerns about cyber risk come at a time of increased threats from state-sponsored hackers, rising use of AI and increased pressure on budgets.
State and local governments increasingly have become the targets of criminal ransomware groups and state-sponsored hackers. In addition, federal budget cuts under the Trump administration have shifted much of the cyber risk burden to state and local officials, who must increasingly take the lead in securing critical infrastructure.
“So, one of the big discussions with CISOs is how to articulate the business benefit of investment in cybersecurity,” Michael Wyatt, state, local and higher education cyber risk leader at Deloitte, told Cybersecurity Dive.
About half of all statewide CISOs said implementing effective metrics was their top priority, compared with only 15% in 2022. State CISOs have also been grappling with adoption of AI and managing those risks.
The report comes about six months after Nevada issued an after-action report on a 28-day ransomware attack it suffered in August 2025. Nevada’s cyberattack was linked to an accidental malware download by an employee. The state refused to pay an extortion demand, but incurred about $1.3 million in recovery expenses.
Meanwhile, the state of Rhode Island was impacted by a December 2024 attack against the RIBridges social services portal, which was managed by Deloitte. The company agreed to pay $5 million to cover those expenses.