As CISO roles expand, so should cyber budgets, says NASCIO 2024 cybersecurity report

State chief information security officers, who only recently served an average of 30 months in their positions, are now only serving 23 months on average, according to a report published Monday by the National Association of State CIOs.

As government services become increasingly digital, the report suggests the shortened length of state CISOs’ tenures could be in response to their growing list of responsibilities, which now include data privacy in critical infrastructure, stewarding the adoption of generative artificial intelligence and incident response planning for more sophisticated and frequent cyberattacks.

To match their expanding roles and shrinking tenures, the NASCIO report declares that state CISOs need increased cybersecurity funding, greater involvement in policy decisions that dictate data security in their state governments and robust succession plans to prevent important IT security projects from being interrupted.

“I’m not so sure that most Civil Service systems in the various states even make succession planning possible,” New Hampshire CISO Ken Weeks told StateScoop in an email. “Structurally, it is difficult, and with a shrinking length of tenure, [it’s] more like a Hockey game…somebody goes down…next person up.”

The report, which surveyed state CISOs from 50 states and the District of Columbia, focused on five areas: the expanding role of the state CISO, generative AI, inadequate cybersecurity budgets, growing cyber threats and building stronger cybersecurity workforces.

“With everyone looking to the state CISO to lead the effort to protect citizens and systems, the role is rising in prominence; indeed, the survey results suggest that the CISO is now firmly established as a central part of most states’ information technology organizations,” the report reads.

A report published last week by the Washington think tank Institute for Security and Technology noted the rising trend of “big game hunting,” in which cybercriminals target high-value and high-risk organizations, including state and local government agencies, to extract big payments, increasingly with the help of generative AI.

Generative AI offers cybercriminals new mechanisms to exploit system and human vulnerabilities. It can strengthen the success of phishing scams aimed at tricking employees into revealing sensitive information and produce audio and visual deepfakes to deceive marks.

Though generative AI presents immense risks to information security and data privacy in the hands of attackers, and there are many obstacles to widespread adoption inside state government, 21 state CISOs told NASCIO that they are already using the technology to improve their security operations. Another 22 CISOs said they’re planning to begin using generative AI within the next 12 months.

“People fear, a bit, or are foolish if they do not, technologies they don’t understand,” Weeks said. “Once we accept that AI is ubiquitous in almost every technology we use, I think there will be a more wide-scale acceptance and adoption for use in providing Government Services and security applications.”

Dozens of states have established task forces and specialized offices to develop generative AI policies governing state operations and digital services, with CISOs playing an increased role in those discussions, the report notes. However, only 25% of state CISOs said they will spend some of their budgets on generative AI governance and security controls.

About 40% of CISOs surveyed said their cybersecurity measures fail to meet the needs of their states, mainly keeping government and citizen data safe. The report encourages CISOs to seek new avenues for funding, such as Cybersecurity and Infrastructure Security Agency grants. It also encourages the adoption of “whole of state” cybersecurity, in which the state offers services to local governments, especially as ransomware gangs target educational institutions and local agencies with limited resources.

Though state and local governments saw a 51% drop in ransomware attacks in 2024, according to an August report by the cybersecurity firm Sophos, the average cost of recovery from ransomware attacks rose to $2.83 million in 2024, more than double the $1.21 million reported in 2023.

Columbus, Ohio, Mayor Andrew Ginther recently told reporters that the July cyberattack against his city will cost millions of dollars to recover from, as the city has limited cybersecurity support, a growing concern for local governments across the country.

Nearly half of the CISOs who responded to NASCIO’s survey reported cybersecurity staffing as a top issue. Though the public sector is outmatched by the private sector in offering competitive compensation, the report encourages CISOs to offer continuous employee education and training to strengthen existing staff knowledge against cybersecurity threats.

“The attack surface is expanding, with the public sector’s reliance on information becoming increasingly central to the operation of government itself,” the report states. “The ability of government to deliver on its mission rests on data—and on the security of that data.”