State CISOs hampered by budget cuts

The survey, in which 49 of 50 states responded, found that cybersecurity budgets available to state CISOs lag well behind those of private industry.

“Unprecedented budgetary cuts across state governments and growing reliance on contractors and outsourced IT services are creating an environment that is even harder to secure, and the report highlights the growing concerns of CISOs in this regard,” said Steve Fletcher, president of NASCIO and Utah's chief information officer.

Other findings of the cybersecurity survey, titled 'State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust', include:

Strategy: States increasingly are embracing strategic planning as part of their cybersecurity approaches and are adopting the National Institute of Standards and Technology (NIST) risk assessment framework. However, without compliance audit and enforcement mandates, such as the Federal Information Security Management Act at the federal level, state compliance with the NIST framework is not likely to be achieved.

Internal and External Threats: Threats to personal information are growing. In addition to preventing accidental and intentional internal data breaches, states need to prepare to tackle the increasing sophistication of cybersecurity threats from outside.

Security of Third-Party Providers: States use the services of contractors, managed service providers, and other third parties to deliver sensitive constituent services; states must better manage the cybersecurity of third-party providers.

Tom Ridge, former head of the Department of Homeland Security, commented about the study: “The 2010 Deloitte-NASCIO Cybersecurity Study confirms that large amounts of personally identifiable information [PII] that the states maintain may be at risk, but barriers identified in the study make securing PII a daunting task.”
