States at Risk: Facing Escalating Threats and Resource Constraints, States Struggle to Make Progress on Cybersecurity: 2012 Deloitte/NASCIO Cybersecurity Study
Security breaches inflict an estimated $1 million to $5 million in damages for some states; signals renewed call for collaboration and compliance on cybersecurity
NEW YORK, Oct. 23, 2012 /PRNewswire/ -- Less than one quarter (24 percent) of chief information security officers (CISOs) are very confident in their states' ability to guard data against external threats, according to the just-released 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study www.deloitte.com/us/nascio
Moreover, while some threats to state information technology (IT) security diminished since 2010, the increasing sophistication of cyber-attacks presented a new set of challenges to state officials tasked with safeguarding citizens' personally identifiable information (PII). The second biennial Deloitte-NASCIO Cybersecurity survey assessed the security of all state digital data and cyber assets administered by CISOs.
"Through the programs and services they deliver states have become enormous repositories of citizen data. As such, the privacy of individual citizens is contingent on adequate IT safeguards," said Srini Subramanian, principal, Deloitte & Touche LLP and leader of its security and privacy practice to state governments. "Citizen trust in government is severely impacted when the data is compromised and hence it is not just an information technology issue, but an issue that could adversely impact elected officials and the credibility of governments."
The survey results call for a greater collaboration among state CIOs/CISOs and business/program leadership of the executive branch agencies and elected officials.
"The biennial Deloitte-NASCIO CISO Cybersecurity survey has become a key element in NASCIO's advocacy focused on improving states IT security programs," said Doug Robinson, NASCIO Executive Director. "Particularly in a time of aggressive threats, tight budgets and gaps in compliance, it's critical that CIOs and CISOs work collaboratively with state policy-makers and agency leadership in an effort to reduce risks and better protect citizen data."
Key findings of the 2012 Deloitte-NASCIO Cybersecurity Study included:
- Budget a continued problem: More than four out of five (86 percent) CISOs reported that insufficient funding posed the most significant barrier to addressing cyber security issues at the state level.
- Shortage of IT talent: The inadequate availability of cyber security professionals ranked among the top five barriers to addressing cyber security.
- New officials, same challenges: Despite the significant rate of turnover since the initial survey (31 new state CIOs and 22 new state CISOs since 2010), the challenges reported in the survey are remarkably similar, highlighting ongoing issues within state offices of information technology.
- State officials value a security agenda: A parallel survey targeting a limited cross-section of state business and elected officials shows that cyber security is indeed on their radar – 92 percent of respondents ranked cyber security as "most important" or "very important."
Budget Hurdles Demand Business Partnerships
Elaborate and sophisticated threats receive the headlines and keep CISOs up at night – more than half (52 percent) listed increasingly sophisticated threats as a barrier to addressing cybersecurity – but a lack of resources remains the primary concern cited by respondents.
Based on the findings, one of the recommendations provided by Deloitte and NASCIO is for CISOs to develop a network of business stakeholder advocates across state government offices and agencies. When CISOs communicate strategies and report on risks, progress and results to business stakeholders within government, there is a potential for an increased rate of budget support for cyber security initiatives.
"There's never been a better opportunity for CISOs to partner with business stakeholders—and advocate jointly for increases in cybersecurity budgets through well-articulated strategies, measures, and outcomes," Subramanian added.
Mobile Devices Rank Among Top Threats