For more than a decade, the biennial NASCIO-Deloitte Cybersecurity Study has served as the definitive pulse check for state-level security. But the ninth edition, released in 2026, reads less like a progress report and more like a distress signal.
The message from state Chief Information Security Officers (CISOs) is clear: the post-pandemic era of relative stability has been replaced by a "blistering pace" of AI-accelerated threats and a "dire" resource crunch. For cybersecurity professionals, this report is about more than just government tech; it's a warning about the fragility of the public-sector foundation we all rely on.
The most jarring data point in the 2026 study is the collapse of executive confidence. In 2022, nearly half (48%) of state CISOs felt "extremely" or "very confident" in their ability to secure public data. By 2026, that number has plummeted to just 22%.
This isn't just self-doubt; it is a rational response to an evolving battlefield. CISOs cite three primary barriers to success:
- Legacy infrastructure: The "technical debt" of aging systems that cannot be easily patched or modernized.
- Increased sophistication of threats: Specifically, the weaponization of Agentic AI by foreign adversaries to probe for weaknesses at machine speed.
- Insufficient funding: For the first time since 2024, CISOs are reporting budget reductions, with only 22% seeing any meaningful increase.
For CISOs and security teams: the 'whole-of-state' pivot
State CISOs are no longer just protecting the state capitol; they are being forced into a "whole-of-state" approach. Because confidence in local governments and higher education has hit an all-time low—with 63% of state CISOs expressing a lack of confidence in these entities—the state is becoming the "provider of last resort" for cybersecurity services.
- The Action: State teams must now architect for multi-tenancy, providing centralized security operations (SOC) and threat intelligence to resource-strapped municipalities and school districts.
If you are a vendor or a business that interfaces with state government, the "maturity mirage" is over. As states adopt new AI guidelines (94% of CISOs are now actively involved in GenAI security policy), expect:
- Stricter procurement: States will likely mandate higher security standards for any software or service that touches public data, particularly around AI transparency.
- Shared liability: With budgets tightening, states will be less willing to absorb the risk of a third-party breach.
The study reminds us that cybersecurity is a pillar of public safety. When state CISOs lose confidence, it impacts the reliability of everything from unemployment benefits to DMV services and water infrastructure.
- The takeaway: The public must move from being "users" to "aware stakeholders." Just as we demand road safety, we must support policies that prioritize the modernization of the digital infrastructure that holds our most sensitive personal information.
The AI paradox: defense vs. velocity
While AI is the primary driver of the "blistering pace" of attacks, it is also the only tool that can keep up. State CISOs are in a race to adopt AI-driven defenses even as they struggle to maintain legacy systems. This creates a resource gap where teams are forced to choose between keeping the lights on for 20-year-old servers and investing in the AI tools needed to stop 2026-level threats.
This year's study includes insights from the CISOs of all 50 states, the District of Columbia, and the U.S. Virgin Islands.
Responses from the survey uncovered five themes:
- Facing an evolving threat landscape: Rapid advances in attack sophistication are challenging state CISOs, with AI viewed as both an emerging threat vector and a powerful tool for cyber defense.
- Getting future-ready: CISOs are adopting new tools and regulatory frameworks to meet the evolving technology landscape.
- Looking at whole-of-state cybersecurity: The survey points to a growing interest in centralized state support for the cybersecurity efforts of local governments, public education, and critical infrastructure.
- The expanding CISO role: The proliferation of AI and generative AI (GenAI), as well as a growing appreciation of the need to safeguard public data, is bringing new responsibilities to the CISO role.
- Dealing with a resource crunch: Compared with recent survey cycles, CISOs tell us that their funding shortfalls are growing more dire, while continuing to face challenges around maintaining a cyber workforce with the needed skills.
Some other key points within the report:
- CISOs expressed growing concerns regarding other parties that interact with their data, possibly based on the growing complexity of information networks, as third-party interactions may introduce risks to transparency, access and credentials, and other vulnerabilities.
- "The state has published a statewide acceptable use policy to help steer our customer agencies in AI usage," one CISO remarked, "but vendors auto-enabling AI features in products already leveraged by our customers causes major concern for data protection, privacy and risk."
- Another CISO said: "GenAI is advancing faster than existing governance structures can adapt, creating growing uncertainty around security, privacy and ethical use. Vendors are increasingly embedding AI capabilities into products and services without sufficient transparency or state-level control, effectively inflicting AI on operational environments before comprehensive risk assessments or policy frameworks can be applied. This uncoordinated adoption has outpaced the development of formal security guidelines, governance models and ethical standards, leaving the state in a reactive position."
- One major question is how CISOs expect their SOCs to evolve over the next two to four years to better support local government entities and public higher education. Survey respondents offered a range of answers, from "We expect to offer county, municipal, and K-12 SOC services within the next four years" to "Growing to provide fusion center-type intelligence sharing with municipalities, with a potential to offer SOC services in the future" to "We don't even have a SOC at the state level. We pay [vendors] to do that kind of work."
The 2026 NASCIO-Deloitte study is a wake-up call for cyber resilience in the public sector. It confirms that the era of treating cybersecurity as merely an IT problem is officially over. In a landscape where the "human-in-the-loop" is being outpaced by autonomous agents, the only path forward is a unified, whole-of-government approach backed by sustainable, long-term investment.

