
State CISOs' Confidence Eroding Amid AI-Driven Threat Surge


Only 22% of state CISOs were "extremely or very confident" that their state data is protected from cyberthreats — a steep decline from 48% in 2022 — according to the 2026 NASCIO‑Deloitte Cybersecurity study.

Falling CISO confidence: the numbers

The 2026 NASCIO‑Deloitte study sketches a rapid slide in institutional confidence. Where nearly half of state CISOs felt highly confident in 2022, barely one in five do today. Confidence is even lower when CISOs consider other public-sector actors: 63% said they are "not very confident" that local government and public higher education can protect public data, nearly double the 35% who felt that way four years ago.

Those figures are not isolated data points but part of a pattern: only 2% of state CISOs are "very confident" they can ward off AI‑enabled attacks, down from 10% in 2024, while 47% are "not very confident" or "not confident at all" — up from 41% in 2024. The study records concrete operational adoption alongside the anxiety: all but one state are using or planning to use generative AI for cyber defense, and 23 states report using GenAI in security operations today.

GenAI: tool for defense and a force multiplier for attackers

"GenAI is accelerating both the sophistication and volume of cyberthreats," a state CISO told NASCIO, describing how adversaries can craft highly targeted phishing, automate exploitation, and rapidly detect and exploit known vulnerabilities. At the same time, the same CISO noted, GenAI offers defenders "powerful capabilities for real‑time threat analysis, automation of routine tasks and faster incident response—provided it's implemented with strong governance and risk controls."

Deloitte cyber principal Michael Wyatt, a co‑author of the study, summarized the dilemma: "If the adversaries have these tools, the defenders need tools as well." States making the most progress are embedding AI into security operations centers for triage, alert summarization and SIEM/SOAR enrichment, but they are pairing those deployments with a "governance‑first philosophy," Wyatt said.

Budget shifts, MS‑ISAC membership, and grant uncertainty

Fiscal pressures compound the technical challenge. Only 22% of states report budgets increasing by 6% or more this year, down from 40% in 2024; meanwhile 16% of CISOs say their budgets have been slashed — a figure that was zero two years ago. Pandemic federal relief has dried up, the Multi‑State Information Sharing and Analysis Center (MS‑ISAC) has shifted to paid membership — a move that Wyatt said has roughly halved state participation — and the future of the State and Local Cybersecurity Grant Program rests with Congress and remains unclear.

Surveyed CISOs judged existing grant funding inadequate: 40% called it "inadequate," and another 37% said increasing the amount available would be beneficial. That budget squeeze helps explain why metrics to measure and report effectiveness are the top cybersecurity initiative in 2026 for 49% of CISOs, up from 15% in 2022. Wyatt described the approach used by states that secure funding: build a multi‑year road map tied to budget, report against it annually, and frame outcomes in mission continuity and dollar‑loss avoidance rather than counting incidents blocked.

Third‑party risk, legacy systems, and the caution against lift‑and‑shift

Third‑party breaches are the top concern for 78% of states, and 65% of CISOs cited legacy infrastructure as a major barrier — tied with the rising sophistication of threats. Wyatt warned that vendors sometimes turn on AI features inside existing software without notifying customers and urged clearer disclosure and the ability for states to opt out: "There needs to be clarity from the vendor community on exactly what AI capabilities are being enabled, and what sort of security and risk reviews have been done on that capability before it just gets turned on."

On migration strategy, the playbook Wyatt described is conservative and pragmatic: inventory legacy systems, rank them by exposure and business criticality, triage the highest‑risk systems, and resist lift‑and‑shift cloud migrations that "may be just moving the vulnerabilities from here to there rather than actually improving the risk posture."

How technologists, policymakers, and public institutions are responding

  • Technologists and security teams: Many are embedding GenAI into SOC workflows for triage and enrichment while pairing deployments with governance controls; 23 states report active use of GenAI in operations.
  • Policymakers and procurement leaders: With budgets constrained and grants uncertain, leaders are seeking measurable road maps tied to mission continuity and dollar‑loss avoidance to justify multi‑year appropriations.
  • Public institutions (counties, municipalities, K‑12, higher education): The perceived risk to these entities is high — 63% of state CISOs express low confidence in their defenses — pushing a shift toward whole‑of‑state cybersecurity models that extend services beyond central agencies.

The study records a CISO role in transition: every state CISO now offers strategy, governance and risk management services to state agencies (up from 81% in 2022); the share overseeing emerging‑technology adoption has risen from 38% to 69%; 76% are responsible for protecting against AI threats and 67% oversee responsible AI use by public employees. Wyatt noted a broader leadership shift: more state CISOs now come from CIO, CTO or other business backgrounds and are expected to bring business acumen and regulatory fluency while relying on teams for technical depth.

State cyber leaders, pressed by faster, AI‑amplified adversaries and by tighter budgets, are responding with governance‑led AI deployments, harder choices about legacy systems, and a new emphasis on measurable outcomes. Whether Congress restores or expands grant funding and whether vendors provide clearer opt‑out and disclosure mechanisms will shape how quickly confidence can be rebuilt.
