States must focus more on digital modernization and improve the role of CISOs, and the cyber issues they face mirror those of broad array of industries.
The top barriers state CIOs face sound eerily familiar: lack of sufficient or dedicated cybersecurity budget, inadequate cybersecurity staffing and availability of cybersecurity professionals, and legacy infrastructure and solutions to defend against emerging threats, according to a joint biennial report from Deloitte and the National Association of State Chief Information Officers (NASCIO).
While CIOs at top corporations must tackle many of those same issues, they typically have budget advantages and can pay above-market salaries for top cyber talent. Rarely do rank-and-file state security or IT people earn well into six figures.
Much like their corporate counterparts, the study found that state CIOs had to adjust to the work-from-home (WFH) trend caused by the pandemic. The study found in 35 states more than half of employees work remotely, and in nine states more than 90 percent are remote workers. Before the pandemic struck, fewer than five percent of staff worked remotely, according to 52 percent of the respondents.
In response, state CIOs established safeguards for teleconferencing and collaboration solutions and created secure system access with multifactor authentication. Most states also have offered guidance on new phishing attacks, as well as video/teleconferencing policy education to end users.
Chloé Messdaghi, vice president of strategy at Point3 Security, says legacy equipment, inadequate or even undesignated cybersecurity budgets, and challenges finding and up-skilling cyber talent are all substantial problems across the commercial and industrial sectors, as well as the public sector.
“Whether public or private sector, the thing to remember is that everyone is a target,” Messdaghi says.
“Outdated equipment is also a huge problem across the private sector,” she says. “Getting employees to update their systems in time is such a challenge, and the slower that companies are to patch and update their systems, the more at risk they put the company, its customers and its employees.”
Gurucul CEO Saryu Nayyar said the public and private sectors have different operating priorities, but cybersecurity requires an adequate investment regardless of whether it’s a commercial, industrial, or government organization. She said both public and private sector organizations also struggle to find and keep cyber talent.
“More and more people are entering the information security field every year, but the demand continues to grow faster than people are joining the profession,” Nayyar said.
“The challenge is perhaps greater in the public sector where it's more difficult to offer the salary and benefits security professionals can expect," she said. "But attracting talent is always a question of providing the right combination of salary, benefits, and working environment to keep employees happy and healthy.”