The NASCIO 2025 State CIO Survey is more than just a snapshot of state IT priorities; it's a direct strategic blueprint for every Chief Information Security Officer (CISO) and their team supporting state and local government agencies.
Titled "Leading Change Through Uncertain Times," the 16th annual survey, conducted in the summer of 2025 with responses from 51 state and territory CIOs, underscores that the state government IT landscape is defined by rapid modernization and complex risk management.
For CISOs, the message is clear: the security strategy must not just follow the IT strategy—it must enable it.
Here are the key takeaways from the survey and the critical implications for security teams.
Key takeaway 1: Generative AI is no longer optional
The presence of a dedicated section on generative artificial intelligence (GenAI) in the survey (page 10) signals its swift transition from experimental concept to operational priority for state governments.
GenAI adoption in the public sector creates immediate and intense security requirements that are distinct from standard application security:
- Data lineage and integrity: State agencies handle vast amounts of sensitive constituent data. CISOs must establish rigorous data governance policies specifically for GenAI to prevent unauthorized data ingress or egress, and to ensure models are not trained on restricted data sets.
- Hallucination as a risk vector: A GenAI tool giving an incorrect or misleading answer about public policy or constituent services is a reputational and legal risk. Security teams need to enforce controls that validate the accuracy and source of information generated by AI systems used in public-facing or critical internal roles.
- Shadow AI: The biggest immediate risk is unmanaged GenAI use (shadow AI) by government workers. CISOs must rapidly deploy monitoring tools and Acceptable Use Policies to detect and control employee use of public LLMs.
Key takeaway 2: Cloud maturity demands identity and data governance
The dedicated focus on Cloud (page 15) and Data Governance and Management (page 18) confirms that state governments are now moving past simple cloud migration and dealing with the complex reality of a multi-cloud, multi-jurisdictional environment.
This shift changes the focus from perimeter defense to Identity and Data-Centric Security:
- Policy orchestration: With services spread across hybrid and multi-cloud environments, CISOs must consolidate security policy and posture management. This requires mastering Cloud Security Posture Management (CSPM) and establishing consistent Identity and Access Management (IAM) across all platforms.
- Data sovereignty: State data often has legal constraints on where it can reside (e.g., in-state or in-country). Security teams must work hand-in-hand with Data Governance (a key priority for CIOs) to ensure automated controls enforce these geographical and regulatory boundaries within the cloud environment.
- Modernization funding: Since Modernization/Innovation Funding (page 13) remains a priority, security teams must proactively tie security maturity metrics to modernization requests. Security must be positioned as an accelerator of cloud adoption, not a blocker.
Key takeaway 3: The need for collaborative security
The inclusion of State and Local Collaboration (page 21) as a key survey topic highlights the shared challenge of securing highly decentralized environments. Local government often lacks the resources and technical expertise of state agencies, creating a security disparity.
State CISOs are increasingly responsible for elevating the security posture of their local partners:
- Shared services: Security teams should champion the creation of shared security services, such as state-run Security Operations Centers (SOCs), threat intelligence feeds, and managed endpoint detection and response (EDR) platforms that local governments can leverage at low or no cost.
- Consistency in response: The CISO's team should develop standardized incident response playbooks and training that can be rapidly deployed to local entities, ensuring a uniform and effective response to major incidents like ransomware attacks that often target counties and municipalities.
Some key quotes from CIO survey participants:
- "Get out there and meet people, within the organization, other agencies, other states, municipalities, vendor partners... relationships are the currency of our job."
- "Become comfortable with being uncomfortable—daily challenges are beyond technology."
- "I have seen CIOs either ride the wave or get swept away with the riptide. If you don't take the time to appreciate the system that you are working in and aspire to blow it all apart, it will often be the latter."
- "Technology alone won't drive transformation; it's the trust and alignment you build across the organization that makes lasting change possible."
The 2025 NASCIO survey reaffirms that state CIOs are focused on large, transformative initiatives. For CISOs and their teams, the mandate is to step out of the reactive, auditing role and become strategic partners in these transformation efforts. The success of GenAI, cloud, and data governance in state government hinges directly on the ability of security teams to secure these new frontiers from day one.
Dan Lohrmann, author and cybersecurity leader, wrote a piece regarding the survey, titled "AI Rising, Budgets Falling: The 2025 NASCIO Annual Story" for Government Technology.
The survey results are timely as SecureWorld will be hosting its Government and Education virtual conference on November 13, starting at 10:30 a.m. Eastern Time. Registration is free, and attendees can earn up to 6 CPE credits—handy as the calendar year comes to a close.